From 5b9f1fa30aa0cdaf341c1a7970f4d801bcc78bcb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
Date: Wed, 1 Mar 2023 11:59:19 +0400
Subject: [PATCH] Backport "tpm2: Check size of buffer before accessing it" (CVE-2023-1017 & CVE-2023-1018)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Marc-André Lureau
---
 ...of-buffer-before-accessing-it-CVE-20.patch | 52 +++++++++++++++++++
 libtpms.spec | 8 ++-
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
diff --git a/0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch b/0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
new file mode 100644
index 0000000..488f433
--- /dev/null
+++ b/0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
@@ -0,0 +1,52 @@
+From 324dbb4c27ae789c73b69dbf4611242267919dd4 Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Mon, 20 Feb 2023 14:41:10 -0500
+Subject: [PATCH] tpm2: Check size of buffer before accessing it (CVE-2023-1017
+ & -1018)
+
+Check that there are sufficient bytes in the buffer before reading the
+cipherSize from it. Also, reduce the bufferSize variable by the number
+of bytes that make up the cipherSize to avoid reading and writing bytes
+beyond the buffer in subsequent steps that do in-place decryption.
+
+This fixes CVE-2023-1017 & CVE-2023-1018.
+
+Signed-off-by: Stefan Berger
+---
+ src/tpm2/CryptUtil.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
+index 002fde0..8fae5b6 100644
+--- a/src/tpm2/CryptUtil.c
++++ b/src/tpm2/CryptUtil.c
+@@ -830,6 +830,10 @@ CryptParameterDecryption(
+ + sizeof(session->sessionKey.t.buffer)));
+ TPM2B_HMAC_KEY key; // decryption key
+ UINT32 cipherSize = 0; // size of cipher text
++
++ if (leadingSizeInByte > bufferSize)
++ return TPM_RC_INSUFFICIENT;
++
+ // Retrieve encrypted data size.
+ if(leadingSizeInByte == 2)
+ {
+@@ -837,6 +841,7 @@ CryptParameterDecryption(
+ // data to be decrypted
+ cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
+ buffer = &buffer[2]; // advance the buffer
++ bufferSize -= 2;
+ }
+ #ifdef TPM4B
+ else if(leadingSizeInByte == 4)
+@@ -844,6 +849,7 @@ CryptParameterDecryption(
+ // the leading size is four bytes so get the four byte size field
+ cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
+ buffer = &buffer[4]; //advance pointer
++ bufferSize -= 4;
+ }
+ #endif
+ else
+--
+2.39.2
+
diff --git a/libtpms.spec b/libtpms.spec
index bf4da0e..fee500b 100644
--- a/libtpms.spec
+++ b/libtpms.spec
@@ -3,7 +3,7 @@
 Name: libtpms
 Version: 0.9.1
-Release: 2.%{gitdate}git%{gitversion}%{?dist}
+Release: 3.%{gitdate}git%{gitversion}%{?dist}
 Summary: Library providing Trusted Platform Module (TPM) functionality
 License: BSD
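Review bot: The new guard `if (leadingSizeInByte > bufferSize)` in the first CryptUtil.c hunk of the added patch file only proves that the size field itself lies inside the buffer. None of the three visible hunks compares the decoded `cipherSize` with the reduced `bufferSize`. The `bufferSize -= 2;` and `bufferSize -= 4;` adjustments only close the out-of-bounds access if such a comparison follows the trailing `else` branch, which is outside the hunks. It presumably exists upstream, but should be confirmed in the 0.9.1 git snapshot this backport is applied to. A one-line comment above the guard, for example `// reject a buffer too short to hold the leading size field`, would record the intent. The body of `CryptParameterDecryption` starts and ends outside the hunks.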
@@ -12,6 +12,7 @@ Source0: libtpms-%{gitdate}.tar.xz
 Patch0001: 0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch
 Patch0002: 0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch
 Patch0003: 0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch
+Patch0004: 0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
 BuildRequires: openssl-devel
 BuildRequires: pkgconfig gawk sed
@@ -58,6 +59,11 @@ find %{buildroot} -type f -name '*.la' | xargs rm -f -- || :
 %{_mandir}/man3/*
 %changelog
+* Wed Mar 01 2023 Marc-André Lureau - 0.9.1-3.20211126git1ff6fe1f43
+- Backport "tpm2: Check size of buffer before accessing it" (CVE-2023-1017 & CVE-2023-1018)
+ Resolves: rhbz#2173960
+ Resolves: rhbz#2173967
+
 * Mon Jun 20 2022 Marc-André Lureau - 0.9.1-2.20211126git1ff6fe1f43
 - Backport s_ContextSlotMask initialization fix
 Resolves: rhbz#2035731