Backport "tpm2: Check size of buffer before accessing it" (CVE-2023-1017 & CVE-2023-1018)
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
		
							parent
							
								
									aa41b1998e
								
							
						
					
					
						commit
						5b9f1fa30a
					
				| @ -0,0 +1,52 @@ | |||||||
|  | From 324dbb4c27ae789c73b69dbf4611242267919dd4 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Stefan Berger <stefanb@linux.ibm.com> | ||||||
|  | Date: Mon, 20 Feb 2023 14:41:10 -0500 | ||||||
|  | Subject: [PATCH] tpm2: Check size of buffer before accessing it (CVE-2023-1017 | ||||||
|  |  & -1018) | ||||||
|  | 
 | ||||||
|  | Check that there are sufficient bytes in the buffer before reading the | ||||||
|  | cipherSize from it. Also, reduce the bufferSize variable by the number | ||||||
|  | of bytes that make up the cipherSize to avoid reading and writing bytes | ||||||
|  | beyond the buffer in subsequent steps that do in-place decryption. | ||||||
|  | 
 | ||||||
|  | This fixes CVE-2023-1017 & CVE-2023-1018. | ||||||
|  | 
 | ||||||
|  | Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> | ||||||
|  | ---
 | ||||||
|  |  src/tpm2/CryptUtil.c | 6 ++++++ | ||||||
|  |  1 file changed, 6 insertions(+) | ||||||
|  | 
 | ||||||
|  | diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
 | ||||||
|  | index 002fde0..8fae5b6 100644
 | ||||||
|  | --- a/src/tpm2/CryptUtil.c
 | ||||||
|  | +++ b/src/tpm2/CryptUtil.c
 | ||||||
|  | @@ -830,6 +830,10 @@ CryptParameterDecryption(
 | ||||||
|  |  			  + sizeof(session->sessionKey.t.buffer))); | ||||||
|  |      TPM2B_HMAC_KEY          key;            // decryption key | ||||||
|  |      UINT32                  cipherSize = 0; // size of cipher text | ||||||
|  | +
 | ||||||
|  | +    if (leadingSizeInByte > bufferSize)
 | ||||||
|  | +	return TPM_RC_INSUFFICIENT;
 | ||||||
|  | +
 | ||||||
|  |      // Retrieve encrypted data size. | ||||||
|  |      if(leadingSizeInByte == 2) | ||||||
|  |  	{ | ||||||
|  | @@ -837,6 +841,7 @@ CryptParameterDecryption(
 | ||||||
|  |  	    // data to be decrypted | ||||||
|  |  	    cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer); | ||||||
|  |  	    buffer = &buffer[2];   // advance the buffer | ||||||
|  | +	    bufferSize -= 2;
 | ||||||
|  |  	} | ||||||
|  |  #ifdef  TPM4B | ||||||
|  |      else if(leadingSizeInByte == 4) | ||||||
|  | @@ -844,6 +849,7 @@ CryptParameterDecryption(
 | ||||||
|  |  	    // the leading size is four bytes so get the four byte size field | ||||||
|  |  	    cipherSize = BYTE_ARRAY_TO_UINT32(buffer); | ||||||
|  |  	    buffer = &buffer[4];   //advance pointer | ||||||
|  | +	    bufferSize -= 4;
 | ||||||
|  |  	} | ||||||
|  |  #endif | ||||||
|  |      else | ||||||
|  | -- 
 | ||||||
|  | 2.39.2 | ||||||
|  | 
 | ||||||
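Review bot: The guard added ahead of "// Retrieve encrypted data size." (`if (leadingSizeInByte > bufferSize)`) has no comment, although it is the only thing that keeps the size-field read and the later `bufferSize -= 2;` / `bufferSize -= 4;` from running on a buffer shorter than the size field; I would put `// The leading size field must fit in the buffer; this also keeps the bufferSize subtraction below from underflowing.` above it. The guard is written `if (` while the surrounding lines use `if(`, a small style mismatch that is reasonable to leave as upstream has it in a backport. The subtractions only close the out-of-bounds access if cipherSize is compared against the reduced bufferSize before the in-place decryption; that comparison is not visible in these hunks, so it should be confirmed in the 0.9.1 snapshot this patch is applied to. CryptParameterDecryption begins and ends outside the hunks shown.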
| @ -3,7 +3,7 @@ | |||||||
| 
 | 
 | ||||||
| Name:           libtpms | Name:           libtpms | ||||||
| Version:        0.9.1 | Version:        0.9.1 | ||||||
| Release:        2.%{gitdate}git%{gitversion}%{?dist} | Release:        3.%{gitdate}git%{gitversion}%{?dist} | ||||||
| 
 | 
 | ||||||
| Summary: Library providing Trusted Platform Module (TPM) functionality | Summary: Library providing Trusted Platform Module (TPM) functionality | ||||||
| License:        BSD | License:        BSD | ||||||
| @ -12,6 +12,7 @@ Source0:        libtpms-%{gitdate}.tar.xz | |||||||
| Patch0001:      0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch | Patch0001:      0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch | ||||||
| Patch0002:      0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch | Patch0002:      0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch | ||||||
| Patch0003:      0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch | Patch0003:      0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch | ||||||
|  | Patch0004:      0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch | ||||||
| 
 | 
 | ||||||
| BuildRequires:  openssl-devel | BuildRequires:  openssl-devel | ||||||
| BuildRequires:  pkgconfig gawk sed | BuildRequires:  pkgconfig gawk sed | ||||||
| @ -58,6 +59,11 @@ find %{buildroot} -type f -name '*.la' | xargs rm -f -- || : | |||||||
| %{_mandir}/man3/* | %{_mandir}/man3/* | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
|  | * Wed Mar 01 2023 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-3.20211126git1ff6fe1f43 | ||||||
|  | - Backport "tpm2: Check size of buffer before accessing it" (CVE-2023-1017 & CVE-2023-1018) | ||||||
|  |   Resolves: rhbz#2173960 | ||||||
|  |   Resolves: rhbz#2173967 | ||||||
|  | 
 | ||||||
| * Mon Jun 20 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-2.20211126git1ff6fe1f43 | * Mon Jun 20 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-2.20211126git1ff6fe1f43 | ||||||
| - Backport s_ContextSlotMask initialization fix | - Backport s_ContextSlotMask initialization fix | ||||||
|   Resolves: rhbz#2035731 |   Resolves: rhbz#2035731 | ||||||
|  | |||||||