Branch synchronization with RHEL 8.8.0

2023-04-04 09:25:29 -04:00 · 2023-04-04 09:25:29 -04:00 · 034d5762be
commit 034d5762be
parent b72901caa1
7 changed files with 63 additions and 79 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,5 @@
+/libtpms-20191018.tar.xz
+/libtpms-20200527.tar.xz
+/libtpms-20200818.tar.xz
+/libtpms-20201106.tar.xz
 SOURCES/libtpms-20211126.tar.xz
-/libtpms-20211126.tar.xz
--- a/0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
+++ b/0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
@ -0,0 +1,52 @@
+From 324dbb4c27ae789c73b69dbf4611242267919dd4 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Mon, 20 Feb 2023 14:41:10 -0500
+Subject: [PATCH] tpm2: Check size of buffer before accessing it (CVE-2023-1017
+ & -1018)
+
+Check that there are sufficient bytes in the buffer before reading the
+cipherSize from it. Also, reduce the bufferSize variable by the number
+of bytes that make up the cipherSize to avoid reading and writing bytes
+beyond the buffer in subsequent steps that do in-place decryption.
+
+This fixes CVE-2023-1017 & CVE-2023-1018.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ src/tpm2/CryptUtil.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
+index 002fde0..8fae5b6 100644
+--- a/src/tpm2/CryptUtil.c
+++ b/src/tpm2/CryptUtil.c
+@@ -830,6 +830,10 @@ CryptParameterDecryption(
+ 			  + sizeof(session->sessionKey.t.buffer)));
+     TPM2B_HMAC_KEY          key;            // decryption key
+     UINT32                  cipherSize = 0; // size of cipher text
+
+    if (leadingSizeInByte > bufferSize)
+	return TPM_RC_INSUFFICIENT;
+
+     // Retrieve encrypted data size.
+     if(leadingSizeInByte == 2)
+ 	{
+@@ -837,6 +841,7 @@ CryptParameterDecryption(
+ 	    // data to be decrypted
+ 	    cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
+ 	    buffer = &buffer[2];   // advance the buffer
+	    bufferSize -= 2;
+ 	}
+ #ifdef  TPM4B
+     else if(leadingSizeInByte == 4)
+@@ -844,6 +849,7 @@ CryptParameterDecryption(
+ 	    // the leading size is four bytes so get the four byte size field
+ 	    cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
+ 	    buffer = &buffer[4];   //advance pointer
+	    bufferSize -= 4;
+ 	}
+ #endif
+     else
+-- 
+2.39.2
+
--- a/0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch
+++ b/0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch
@ -1,37 +0,0 @@
-From e4261984374556da65c9d46097d5a1200b335c0c Mon Sep 17 00:00:00 2001
-From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
-Date: Sat, 19 Feb 2022 12:59:32 +0100
-Subject: [PATCH] tpm2: Do not call EVP_PKEY_CTX_set0_rsa_oaep_label() for
- label of size 0 (OSSL 3)
-
-Openssl 3.0 did return an error if EVP_PKEY_CTX_set0_rsa_oaep_label was called
-with label size 0. The function should only be called if the size of the label
-is greater 0.
-With this fix TPM2_RSA_Encrypt/Decrypt did work with OpenSSL 1.1 and 3.0
-for encryption without label.
-
-Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
- src/tpm2/crypto/openssl/CryptRsa.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/src/tpm2/crypto/openssl/CryptRsa.c b/src/tpm2/crypto/openssl/CryptRsa.c
-index 4ed04384feb0..b5d6b6c3be82 100644
--- a/src/tpm2/crypto/openssl/CryptRsa.c
-+++ b/src/tpm2/crypto/openssl/CryptRsa.c
-@@ -1356,10 +1356,9 @@ CryptRsaEncrypt(
-                 if (tmp == NULL)
-                     ERROR_RETURN(TPM_RC_FAILURE);
-                 memcpy(tmp, label->buffer, label->size);
-+                if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, tmp, label->size) <= 0)
-+                    ERROR_RETURN(TPM_RC_FAILURE);
-             }
-            // label->size == 0 is supported
-            if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, tmp, label->size) <= 0)
-                ERROR_RETURN(TPM_RC_FAILURE);
-             tmp = NULL;
-             break;
-           default:
-- 
-2.36.0.44.g0f828332d5ac
-
--- a/0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch
+++ b/0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch
@ -1,31 +0,0 @@
-From 3d2bbe2f1947784506ba0a7f9e8ab81eefb69929 Mon Sep 17 00:00:00 2001
-From: Ross Lagerwall <ross.lagerwall@citrix.com>
-Date: Mon, 23 May 2022 14:16:57 +0100
-Subject: [PATCH] tpm2: Fix size check in CryptSecretDecrypt
-
-Check the secret size against the size of the buffer, not the size
-member that has not been set yet.
-
-Reported by Coverity.
-
-Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
---
- src/tpm2/CryptUtil.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
-index 9879f918acb6..002fde0987a9 100644
--- a/src/tpm2/CryptUtil.c
-+++ b/src/tpm2/CryptUtil.c
-@@ -732,7 +732,7 @@ CryptSecretDecrypt(
- 					     nonceCaller->t.size);
- 			      }
- 			  // make sure secret will fit
-			  if(secret->t.size > data->t.size)
-+			  if(secret->t.size > sizeof(data->t.buffer))
- 			      return TPM_RC_FAILURE;
- 			  data->t.size = secret->t.size;
- 			  // CFB decrypt, using nonceCaller as iv
-- 
-2.36.0.44.g0f828332d5ac
-
--- a/gating.yaml
+++ b/gating.yaml
@ -1,8 +0,0 @@
-# recipients: kvmqe-ci, yfu, qcheng
--- !Policy
-product_versions:
-  - rhel-9
-decision_context: osci_compose_gate
-subject_type: brew-build
-rules:
-  - !PassingTestCaseRule {test_case_name: kvm-ci.libtpms.x86_64.brew-build.gating.tier1.functional}
--- a/libtpms.spec
+++ b/libtpms.spec
@ -3,7 +3,7 @@

 Name:           libtpms
 Version:        0.9.1
-Release:        1.%{gitdate}git%{gitversion}%{?dist}
+Release:        2.%{gitdate}git%{gitversion}%{?dist}

 Summary: Library providing Trusted Platform Module (TPM) functionality
 License:        BSD
@ -11,6 +11,7 @@ Url:            http://github.com/stefanberger/libtpms
 Source0:        libtpms-%{gitdate}.tar.xz
 ExcludeArch:    i686
 Patch0003:      0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch
+Patch0004:      0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch

 BuildRequires:  openssl-devel
 BuildRequires:  pkgconfig gawk sed
@ -58,6 +59,11 @@ find %{buildroot} -type f -name '*.la' | xargs rm -f -- || :
 %{_mandir}/man3/*

 %changelog
+* Tue Mar 21 2023 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-2.20211126git1ff6fe1f43
+- Backport "tpm2: Check size of buffer before accessing it" (CVE-2023-1017 & CVE-2023-1018)
+  Resolves: rhbz#2173964
+  Resolves: rhbz#2173970
+
 * Thu Jul 28 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-1.20211126git1ff6fe1f43
 - Backport s_ContextSlotMask initialization fix
  Resolves: rhbz#2111433
--- a/make-git-snapshot.sh
+++ b/make-git-snapshot.sh
@ -16,7 +16,6 @@ rm -rf $DIRNAME
 git clone ${REF:+--reference $REF} \
 	https://github.com/stefanberger/libtpms $DIRNAME

-set -x
 GIT_DIR=$DIRNAME/.git git archive --format=tar --prefix=$DIRNAME/ ${1:-HEAD} \
 	| xz > $DIRNAME.tar.xz