Fixes CVE-2021-3623: out-of-bounds access when trying to resume the state of the vTPM

Resolves: rhbz#1976814

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

0001-tpm2-Reset-TPM2B-buffer-sizes-after-test-fails-for-v.patch

@@ -0,0 +1,202 @@
+From f16250b35aff6995e540143a9858c9cf0d1f9573 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Mon, 21 Jun 2021 14:04:34 -0400
+Subject: [PATCH 1/3] tpm2: Reset TPM2B buffer sizes after test fails for valid
+ buffer size
+
+Reset the buffer size indicator in a TPM2B type of buffer after it failed
+the test for the maximum buffer size it allows. This prevents having bad
+buffer sizes in memory that can come to haunt us when writing the volatile
+state for example.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ src/tpm2/NVMarshal.c |  1 +
+ src/tpm2/Unmarshal.c | 21 +++++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/tpm2/NVMarshal.c b/src/tpm2/NVMarshal.c
+index efbab70..9f6d0f7 100644
+--- a/src/tpm2/NVMarshal.c
++++ b/src/tpm2/NVMarshal.c
+@@ -1503,6 +1503,7 @@ bn_prime_t_Unmarshal(bn_prime_t *data, BYTE **buffer, INT32 *size)
+                                 "allocated %zu\n",
+                                 (size_t)data->size, (size_t)data->allocated);
+             rc = TPM_RC_SIZE;
++            data->size = 0;
+         }
+     }
+ 
+diff --git a/src/tpm2/Unmarshal.c b/src/tpm2/Unmarshal.c
+index c692ccc..8e7a9b7 100644
+--- a/src/tpm2/Unmarshal.c
++++ b/src/tpm2/Unmarshal.c
+@@ -136,6 +136,7 @@ TPM2B_Unmarshal(TPM2B *target, UINT16 targetSize, BYTE **buffer, INT32 *size)
+     if (rc == TPM_RC_SUCCESS) {
+ 	if (target->size > targetSize) {
+ 	    rc = TPM_RC_SIZE;
++	    target->size = 0; // libtpms added
+ 	}
+     }
+     if (rc == TPM_RC_SUCCESS) {
+@@ -1686,6 +1687,7 @@ TPMS_PCR_SELECTION_Unmarshal(TPMS_PCR_SELECTION *target, BYTE **buffer, INT32 *s
+ 	if ((target->sizeofSelect < PCR_SELECT_MIN) ||
+ 	    (target->sizeofSelect > PCR_SELECT_MAX)) {
+ 	    rc = TPM_RC_VALUE;
++	    target->sizeofSelect = 0; // libtpms added
+ 	}
+     }
+     if (rc == TPM_RC_SUCCESS) {
+@@ -1859,6 +1861,7 @@ TPML_CC_Unmarshal(TPML_CC *target, BYTE **buffer, INT32 *size)
+     if (rc == TPM_RC_SUCCESS) {
+ 	if (target->count > MAX_CAP_CC) {
+ 	    rc = TPM_RC_SIZE;
++	    target->count = 0; // libtpms added
+ 	}
+     }
+     for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+@@ -1897,6 +1900,7 @@ TPML_CCA_Unmarshal(TPML_CCA *target, BYTE **buffer, INT32 *size)
+     if (rc == TPM_RC_SUCCESS) {
+ 	if (target->count > MAX_CAP_CC) {
+ 	    rc = TPM_RC_SIZE;
++	    target->count = 0; // libtpms added
+ 	}
+     }
+     for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+@@ -1920,6 +1924,7 @@ TPML_ALG_Unmarshal(TPML_ALG *target, BYTE **buffer, INT32 *size)
+     if (rc == TPM_RC_SUCCESS) {
+ 	if (target->count > MAX_ALG_LIST_SIZE) {
+ 	    rc = TPM_RC_SIZE;
++	    target->count = 0; // libtpms added
+ 	}
+     }
+     for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+@@ -1942,6 +1947,7 @@ TPML_HANDLE_Unmarshal(TPML_HANDLE *target, BYTE **buffer, INT32 *size)
+     if (rc == TPM_RC_SUCCESS) {
+ 	if (target->count > MAX_CAP_HANDLES) {
+ 	    rc = TPM_RC_SIZE;
++	    target->count = 0; // libtpms added
+ 	}
+     }
+     for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+@@ -1970,11 +1976,13 @@ TPML_DIGEST_Unmarshal(TPML_DIGEST *target, BYTE **buffer, INT32 *size)
+ 	/* TPM side is hard coded to 2 minimum */
+ 	if (target->count < 2) {
+ 	    rc = TPM_RC_SIZE;
++	    target->count = 0; // libtpms added
+ 	}
+     }
+     if (rc == TPM_RC_SUCCESS) {
+ 	if (target->count > 8) {
+ 	    rc = TPM_RC_SIZE;
++	    target->count = 0; // libtpms added
+ 	}
+     }
+     for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+@@ -1997,6 +2005,7 @@ TPML_DIGEST_VALUES_Unmarshal(TPML_DIGEST_VALUES *target, BYTE **buffer, INT32 *s
+     if (rc == TPM_RC_SUCCESS) {
+ 	if (target->count > HASH_COUNT) {
+ 	    rc = TPM_RC_SIZE;
++	    target->count = 0; // libtpms added
+ 	}
+     }
+     for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+@@ -2019,6 +2028,7 @@ TPML_PCR_SELECTION_Unmarshal(TPML_PCR_SELECTION *target, BYTE **buffer, INT32 *s
+     if (rc == TPM_RC_SUCCESS) {
+ 	if (target->count > HASH_COUNT) {
+ 	    rc = TPM_RC_SIZE;
++	    target->count = 0; // libtpms added
+ 	}
+     }
+     for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+@@ -2044,6 +2054,7 @@ TPML_ALG_PROPERTY_Unmarshal(TPML_ALG_PROPERTY *target, BYTE **buffer, INT32 *siz
+     if (rc == TPM_RC_SUCCESS) {
+ 	if (target->count > MAX_CAP_ALGS) {
+ 	    rc = TPM_RC_SIZE;
++	    target->count = 0; // libtpms added
+ 	}
+     }
+     for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+@@ -2066,6 +2077,7 @@ TPML_TAGGED_TPM_PROPERTY_Unmarshal(TPML_TAGGED_TPM_PROPERTY  *target, BYTE **buf
+     if (rc == TPM_RC_SUCCESS) {
+ 	if (target->count > MAX_TPM_PROPERTIES) {
+ 	    rc = TPM_RC_SIZE;
++	    target->count = 0; // libtpms added
+ 	}
+     }
+     for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+@@ -2088,6 +2100,7 @@ TPML_TAGGED_PCR_PROPERTY_Unmarshal(TPML_TAGGED_PCR_PROPERTY *target, BYTE **buff
+     if (rc == TPM_RC_SUCCESS) {
+ 	if (target->count > MAX_PCR_PROPERTIES) {
+ 	    rc = TPM_RC_SIZE;
++	    target->count = 0; // libtpms added
+ 	}
+     }
+     for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+@@ -2110,6 +2123,7 @@ TPML_ECC_CURVE_Unmarshal(TPML_ECC_CURVE *target, BYTE **buffer, INT32 *size)
+     if (rc == TPM_RC_SUCCESS) {
+ 	if (target->count > MAX_ECC_CURVES) {
+ 	    rc = TPM_RC_SIZE;
++	    target->count = 0; // libtpms added
+ 	}
+     }
+     for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+@@ -2132,6 +2146,7 @@ TPML_TAGGED_POLICY_Unmarshal(TPML_TAGGED_POLICY *target, BYTE **buffer, INT32 *s
+     if (rc == TPM_RC_SUCCESS) {
+ 	if (target->count > MAX_TAGGED_POLICIES) {
+ 	    rc = TPM_RC_SIZE;
++	    target->count = 0; // libtpms added
+ 	}
+     }
+     for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+@@ -2781,6 +2796,7 @@ TPM2B_SENSITIVE_CREATE_Unmarshal(TPM2B_SENSITIVE_CREATE *target, BYTE **buffer,
+     if (rc == TPM_RC_SUCCESS) {
+ 	if (target->size != startSize - *size) {
+ 	    rc = TPM_RC_SIZE;
++	    target->size = 0; // libtpms added
+ 	}
+     }
+     return rc;
+@@ -3540,6 +3556,7 @@ TPM2B_ECC_POINT_Unmarshal(TPM2B_ECC_POINT *target, BYTE **buffer, INT32 *size)
+     if (rc == TPM_RC_SUCCESS) {
+ 	if (target->size != startSize - *size) {
+ 	    rc = TPM_RC_SIZE;
++	    target->size = 0; // libtpms added
+ 	}
+     }
+     return rc;
+@@ -4063,6 +4080,7 @@ TPM2B_PUBLIC_Unmarshal(TPM2B_PUBLIC *target, BYTE **buffer, INT32 *size, BOOL al
+     if (rc == TPM_RC_SUCCESS) {
+ 	if (target->size != startSize - *size) {
+ 	    rc = TPM_RC_SIZE;
++	    target->size = 0; // libtpms added
+ 	}
+     }
+     return rc;
+@@ -4158,6 +4176,7 @@ TPM2B_SENSITIVE_Unmarshal(TPM2B_SENSITIVE *target, BYTE **buffer, INT32 *size)
+ 	if (rc == TPM_RC_SUCCESS) {
+ 	    if (target->size != startSize - *size) {
+ 		rc = TPM_RC_SIZE;
++		target->size = 0; // libtpms added
+ 	    }
+ 	}
+     }
+@@ -4233,6 +4252,7 @@ TPMS_NV_PUBLIC_Unmarshal(TPMS_NV_PUBLIC *target, BYTE **buffer, INT32 *size)
+     if (rc == TPM_RC_SUCCESS) {
+ 	if (target->dataSize > MAX_NV_INDEX_SIZE) {
+ 	    rc = TPM_RC_SIZE;
++	    target->dataSize = 0; // libtpms added
+ 	}
+     }
+     return rc;
+@@ -4263,6 +4283,7 @@ TPM2B_NV_PUBLIC_Unmarshal(TPM2B_NV_PUBLIC *target, BYTE **buffer, INT32 *size)
+     if (rc == TPM_RC_SUCCESS) {
+ 	if (target->size != startSize - *size) {
+ 	    rc = TPM_RC_SIZE;
++	    target->size = 0; // libtpms added
+ 	}
+     }
+     return rc;
+-- 
+2.29.0
+

0002-tpm2-Add-maxSize-parameter-to-TPM2B_Marshal-for-sani.patch

@@ -0,0 +1,267 @@
+From 3ef9b26cb9f28bd64d738bff9505a20d4eb56acd Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Mon, 21 Jun 2021 15:10:14 -0400
+Subject: [PATCH 2/3] tpm2: Add maxSize parameter to TPM2B_Marshal for sanity
+ checks
+
+Add maxSize parameter to TPM2B_Marshal and assert on it checking
+the size of the data intended to be marshaled versus the maximum
+buffer size.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ src/tpm2/Marshal.c    | 38 ++++++++++++++++++++------------------
+ src/tpm2/Marshal_fp.h |  2 +-
+ src/tpm2/NVMarshal.c  | 18 +++++++++---------
+ 3 files changed, 30 insertions(+), 28 deletions(-)
+
+diff --git a/src/tpm2/Marshal.c b/src/tpm2/Marshal.c
+index 53c241e..c843224 100644
+--- a/src/tpm2/Marshal.c
++++ b/src/tpm2/Marshal.c
+@@ -59,6 +59,7 @@
+ /*										*/
+ /********************************************************************************/
+ 
++#include <assert.h> // libtpms added
+ #include <string.h>
+ 
+ #include "Tpm.h"
+@@ -176,9 +177,10 @@ Array_Marshal(BYTE *sourceBuffer, UINT16 sourceSize, BYTE **buffer, INT32 *size)
+ }
+ 
+ UINT16
+-TPM2B_Marshal(TPM2B *source, BYTE **buffer, INT32 *size)
++TPM2B_Marshal(TPM2B *source, UINT32 maxSize, BYTE **buffer, INT32 *size)
+ {
+     UINT16 written = 0;
++    assert(source->size <= maxSize); // libtpms added
+     written += UINT16_Marshal(&(source->size), buffer, size);
+     written += Array_Marshal(source->buffer, source->size, buffer, size); 
+     return written;
+@@ -503,7 +505,7 @@ UINT16
+ TPM2B_DIGEST_Marshal(TPM2B_DIGEST *source, BYTE **buffer, INT32 *size)
+ {
+ UINT16 written = 0;
+-written += TPM2B_Marshal(&source->b, buffer, size);
++written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
+ return written;
+ }
+ 
+@@ -513,7 +515,7 @@ UINT16
+ TPM2B_DATA_Marshal(TPM2B_DATA *source, BYTE **buffer, INT32 *size)
+ {
+ UINT16 written = 0;
+-written += TPM2B_Marshal(&source->b, buffer, size);
++written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
+ return written;
+ }
+ 
+@@ -543,7 +545,7 @@ UINT16
+ TPM2B_MAX_BUFFER_Marshal(TPM2B_MAX_BUFFER *source, BYTE **buffer, INT32 *size)
+ {
+     UINT16 written = 0;
+-    written += TPM2B_Marshal(&source->b, buffer, size);
++    written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
+     return written;
+ }
+ 
+@@ -553,7 +555,7 @@ UINT16
+ TPM2B_MAX_NV_BUFFER_Marshal(TPM2B_MAX_NV_BUFFER *source, BYTE **buffer, INT32 *size)
+ {
+     UINT16 written = 0;
+-    written += TPM2B_Marshal(&source->b, buffer, size);
++    written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
+     return written;
+ }
+ 
+@@ -562,7 +564,7 @@ UINT16
+ TPM2B_TIMEOUT_Marshal(TPM2B_TIMEOUT *source, BYTE **buffer, INT32 *size)
+ {
+     UINT16 written = 0;
+-    written += TPM2B_Marshal(&source->b, buffer, size);
++    written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
+     return written;
+ }
+ 
+@@ -572,7 +574,7 @@ UINT16
+ TPM2B_IV_Marshal(TPM2B_IV *source, BYTE **buffer, INT32 *size)
+ {
+     UINT16 written = 0;
+-    written += TPM2B_Marshal(&source->b, buffer, size);
++    written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
+     return written;
+ }
+ 
+@@ -582,7 +584,7 @@ UINT16
+ TPM2B_NAME_Marshal(TPM2B_NAME *source, BYTE **buffer, INT32 *size)
+ {
+     UINT16 written = 0;
+-    written += TPM2B_Marshal(&source->b, buffer, size);
++    written += TPM2B_Marshal(&source->b, sizeof(source->t.name), buffer, size); // libtpms changed
+     return written;
+ }
+ 
+@@ -1163,7 +1165,7 @@ UINT16
+ TPM2B_ATTEST_Marshal(TPM2B_ATTEST *source, BYTE **buffer, INT32 *size)
+ {
+     UINT16 written = 0;
+-    written += TPM2B_Marshal(&source->b, buffer, size);
++    written += TPM2B_Marshal(&source->b, sizeof(source->t.attestationData), buffer, size); // libtpms changed
+     return written;
+ }
+ 
+@@ -1294,7 +1296,7 @@ UINT16
+ TPM2B_SYM_KEY_Marshal(TPM2B_SYM_KEY *source, BYTE **buffer, INT32 *size)
+ {
+     UINT16 written = 0;
+-    written += TPM2B_Marshal(&source->b, buffer, size);
++    written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
+     return written;
+ }
+ 
+@@ -1315,7 +1317,7 @@ UINT16
+ TPM2B_SENSITIVE_DATA_Marshal(TPM2B_SENSITIVE_DATA *source, BYTE **buffer, INT32 *size)
+ {
+     UINT16 written = 0;
+-    written += TPM2B_Marshal(&source->b, buffer, size);
++    written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
+     return written;
+ }
+ 
+@@ -1673,7 +1675,7 @@ UINT16
+ TPM2B_PUBLIC_KEY_RSA_Marshal(TPM2B_PUBLIC_KEY_RSA *source, BYTE **buffer, INT32 *size)
+ {
+     UINT16 written = 0;
+-    written += TPM2B_Marshal(&source->b, buffer, size);
++    written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
+     return written;
+ }
+ 
+@@ -1693,7 +1695,7 @@ UINT16
+ TPM2B_PRIVATE_KEY_RSA_Marshal(TPM2B_PRIVATE_KEY_RSA *source, BYTE **buffer, INT32 *size)
+ {
+     UINT16 written = 0;
+-    written += TPM2B_Marshal(&source->b, buffer, size);
++    written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
+     return written;
+ }
+ 
+@@ -1703,7 +1705,7 @@ UINT16
+ TPM2B_ECC_PARAMETER_Marshal(TPM2B_ECC_PARAMETER *source, BYTE **buffer, INT32 *size)
+ {
+     UINT16 written = 0;
+-    written += TPM2B_Marshal(&source->b, buffer, size);
++    written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
+     return written;
+ }
+ 
+@@ -1937,7 +1939,7 @@ UINT16
+ TPM2B_ENCRYPTED_SECRET_Marshal(TPM2B_ENCRYPTED_SECRET *source, BYTE **buffer, INT32 *size)
+ {
+     UINT16 written = 0;
+-    written += TPM2B_Marshal(&source->b, buffer, size);
++    written += TPM2B_Marshal(&source->b, sizeof(source->t.secret), buffer, size); // libtpms changed
+     return written;
+ }
+  
+@@ -2148,7 +2150,7 @@ UINT16
+ TPM2B_PRIVATE_Marshal(TPM2B_PRIVATE *source, BYTE **buffer, INT32 *size)
+ {
+     UINT16 written = 0;
+-    written += TPM2B_Marshal(&source->b, buffer, size);
++    written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
+     return written;
+ }
+ 
+@@ -2158,7 +2160,7 @@ UINT16
+ TPM2B_ID_OBJECT_Marshal(TPM2B_ID_OBJECT *source, BYTE **buffer, INT32 *size)
+ {
+     UINT16 written = 0;
+-    written += TPM2B_Marshal(&source->b, buffer, size);
++    written += TPM2B_Marshal(&source->b, sizeof(source->t.credential), buffer, size); // libtpms changed
+     return written;
+ }
+ 
+@@ -2215,7 +2217,7 @@ UINT16
+ TPM2B_CONTEXT_DATA_Marshal(TPM2B_CONTEXT_DATA  *source, BYTE **buffer, INT32 *size)
+ {
+     UINT16 written = 0;
+-    written += TPM2B_Marshal(&source->b, buffer, size);
++    written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
+     return written;
+ }
+ 
+diff --git a/src/tpm2/Marshal_fp.h b/src/tpm2/Marshal_fp.h
+index 3ce6eb3..d52f497 100644
+--- a/src/tpm2/Marshal_fp.h
++++ b/src/tpm2/Marshal_fp.h
+@@ -79,7 +79,7 @@ extern "C" {
+     UINT16
+     Array_Marshal(BYTE *sourceBuffer, UINT16 sourceSize, BYTE **buffer, INT32 *size);
+     UINT16
+-    TPM2B_Marshal(TPM2B *source, BYTE **buffer, INT32 *size);
++    TPM2B_Marshal(TPM2B *source, UINT32 maxSize, BYTE **buffer, INT32 *size); // libtpms changed
+     UINT16
+     TPM_KEY_BITS_Marshal(TPM_KEY_BITS *source, BYTE **buffer, INT32 *size);
+     UINT16
+diff --git a/src/tpm2/NVMarshal.c b/src/tpm2/NVMarshal.c
+index 9f6d0f7..f8a3798 100644
+--- a/src/tpm2/NVMarshal.c
++++ b/src/tpm2/NVMarshal.c
+@@ -278,7 +278,7 @@ static UINT16
+ TPM2B_PROOF_Marshal(TPM2B_PROOF *source, BYTE **buffer, INT32 *size)
+ {
+     UINT16 written = 0;
+-    written += TPM2B_Marshal(&source->b, buffer, size);
++    written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size);
+     return written;
+ }
+ 
+@@ -1390,7 +1390,7 @@ STATE_RESET_DATA_Marshal(STATE_RESET_DATA *data, BYTE **buffer, INT32 *size)
+                                 STATE_RESET_DATA_VERSION,
+                                 STATE_RESET_DATA_MAGIC, 3);
+     written += TPM2B_PROOF_Marshal(&data->nullProof, buffer, size);
+-    written += TPM2B_Marshal(&data->nullSeed.b, buffer, size);
++    written += TPM2B_Marshal(&data->nullSeed.b, sizeof(data->nullSeed.t.buffer), buffer, size);
+     written += UINT32_Marshal(&data->clearCount, buffer, size);
+     written += UINT64_Marshal(&data->objectContextID, buffer, size);
+ 
+@@ -2178,7 +2178,7 @@ TPM2B_HASH_BLOCK_Marshal(TPM2B_HASH_BLOCK *data, BYTE **buffer, INT32 *size)
+ {
+     UINT16 written;
+ 
+-    written = TPM2B_Marshal(&data->b, buffer, size);
++    written = TPM2B_Marshal(&data->b, sizeof(data->t.buffer), buffer, size);
+ 
+     return written;
+ }
+@@ -3062,9 +3062,9 @@ VolatileState_Marshal(BYTE **buffer, INT32 *size)
+ 
+     /* tie the volatile state to the EP,SP, and PPSeed */
+     NvRead(&pd, NV_PERSISTENT_DATA, sizeof(pd));
+-    written += TPM2B_Marshal(&pd.EPSeed.b, buffer, size);
+-    written += TPM2B_Marshal(&pd.SPSeed.b, buffer, size);
+-    written += TPM2B_Marshal(&pd.PPSeed.b, buffer, size);
++    written += TPM2B_Marshal(&pd.EPSeed.b, sizeof(pd.EPSeed.t.buffer), buffer, size);
++    written += TPM2B_Marshal(&pd.SPSeed.b, sizeof(pd.SPSeed.t.buffer), buffer, size);
++    written += TPM2B_Marshal(&pd.PPSeed.b, sizeof(pd.PPSeed.t.buffer), buffer, size);
+ 
+     written += BLOCK_SKIP_WRITE_PUSH(TRUE, buffer, size); /* v4 */
+ 
+@@ -3881,9 +3881,9 @@ PERSISTENT_DATA_Marshal(PERSISTENT_DATA *data, BYTE **buffer, INT32 *size)
+     written += TPM2B_AUTH_Marshal(&data->ownerAuth, buffer, size);
+     written += TPM2B_AUTH_Marshal(&data->endorsementAuth, buffer, size);
+     written += TPM2B_AUTH_Marshal(&data->lockoutAuth, buffer, size);
+-    written += TPM2B_Marshal(&data->EPSeed.b, buffer, size);
+-    written += TPM2B_Marshal(&data->SPSeed.b, buffer, size);
+-    written += TPM2B_Marshal(&data->PPSeed.b, buffer, size);
++    written += TPM2B_Marshal(&data->EPSeed.b, sizeof(data->EPSeed.t.buffer), buffer, size);
++    written += TPM2B_Marshal(&data->SPSeed.b, sizeof(data->SPSeed.t.buffer), buffer, size);
++    written += TPM2B_Marshal(&data->PPSeed.b, sizeof(data->PPSeed.t.buffer), buffer, size);
+     written += TPM2B_PROOF_Marshal(&data->phProof, buffer, size);
+     written += TPM2B_PROOF_Marshal(&data->shProof, buffer, size);
+     written += TPM2B_PROOF_Marshal(&data->ehProof, buffer, size);
+-- 
+2.29.0
+

libtpms.spec

@@ -3,13 +3,16 @@
 
 Name:           libtpms
 Version:        0.8.2
-Release:        0.%{gitdate}git%{gitversion}%{?dist}.4
+Release:        0.%{gitdate}git%{gitversion}%{?dist}.5
 
 Summary: Library providing Trusted Platform Module (TPM) functionality
 License:        BSD
 Url:            http://github.com/stefanberger/libtpms
 Source0:        libtpms-%{gitdate}.tar.xz
 Patch0001:      0001-build-sys-leave-CFLAGS-LDFLAGS-for-user-to-be-define.patch
+Patch0002:      0001-tpm2-Reset-TPM2B-buffer-sizes-after-test-fails-for-v.patch
+Patch0003:      0002-tpm2-Add-maxSize-parameter-to-TPM2B_Marshal-for-sani.patch
+Patch0004:      0003-tpm2-Restore-original-value-if-unmarshalled-value-wa.patch
 
 BuildRequires:  openssl-devel
 BuildRequires:  pkgconfig gawk sed
@@ -56,6 +59,10 @@ find %{buildroot} -type f -name '*.la' | xargs rm -f -- || :
 %{_mandir}/man3/*
 
 %changelog
+* Wed Jun 30 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.8.2-0.20210301git729fc6a4ca.5
+- Fixes CVE-2021-3623: out-of-bounds access when trying to resume the state of the vTPM
+  Resolves: rhbz#1976814
+
 * Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.8.2-0.20210301git729fc6a4ca.4
 - Rebuilt for RHEL 9 BETA for openssl 3.0
   Related: rhbz#1971065