Fixes CVE-2021-3746 libtpms: out-of-bounds access via specially crafted TPM 2 command packets

Resolves: rhbz#1999303 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2021-08-31 18:55:35 +04:00 · 2021-08-31 18:55:35 +04:00 · ea6f273178
commit ea6f273178
parent fe4f8a1e4f
3 changed files with 97 additions and 1 deletions
--- a/0001-tpm2-Initialize-a-whole-OBJECT-before-using-it.patch
+++ b/0001-tpm2-Initialize-a-whole-OBJECT-before-using-it.patch
@ -0,0 +1,34 @@
 From 33a03986e0a09dde439985e0312d1c8fb3743aab Mon Sep 17 00:00:00 2001
 From: Stefan Berger <stefanb@linux.vnet.ibm.com>
 Date: Thu, 22 Jul 2021 21:23:58 -0400
 Subject: [PATCH 1/2] tpm2: Initialize a whole OBJECT before using it
 Initialize a whole OBJECT before using it. This is necessary since
 an OBJECT may also be used as a HASH_OBJECT via the ANY_OBJECT
 union and that HASH_OBJECT can leave bad size inidicators in TPM2B
 buffer in the OBJECT. To get rid of this problem we reset the whole
 OBJECT to 0 before using it. This is as if the memory for the
 OBJECT was just initialized.
 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 ---
 src/tpm2/Object.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/src/tpm2/Object.c b/src/tpm2/Object.c
 index 8e8b3ee..8406d8f 100644
 --- a/src/tpm2/Object.c
 +++ b/src/tpm2/Object.c
@@ -276,7 +276,8 @@ FindEmptyObjectSlot(
 		    if(handle)
 			*handle = i + TRANSIENT_FIRST;
 		    // Initialize the object attributes
 -		    MemorySet(&object->attributes, 0, sizeof(OBJECT_ATTRIBUTES));
 +		    // MemorySet(&object->attributes, 0, sizeof(OBJECT_ATTRIBUTES));
 +		    MemorySet(object, 0, sizeof(*object)); // libtpms added: Initialize the whole object
 		    return object;
 		}
 	}
 -- 
 2.33.0.rc2
--- a/0002-tpm2-NVMarshal-Handle-index-orderly-RAM-without-0-si.patch
+++ b/0002-tpm2-NVMarshal-Handle-index-orderly-RAM-without-0-si.patch
@ -0,0 +1,56 @@
 From aaef222e8682cc2e0f9ea7124220c5fe44fab62b Mon Sep 17 00:00:00 2001
 From: Stefan Berger <stefanb@linux.vnet.ibm.com>
 Date: Fri, 23 Jul 2021 13:29:00 -0400
 Subject: [PATCH 2/2] tpm2: NVMarshal: Handle index orderly RAM without 0-sized
 terminating node
 The NVRAM entries in s_indexOrderlyRam array do not need to contain a
 0-sized terminating node. Instead, the entries may fill up this 512
 byte array so that no NV_RAM_HEADER structure fits anymore. The fact
 that no more NV_RAM_HEADER structure fits is also an indicator for the
 last entry. We need to account for this in the code marshalling and
 unmarshalling the entries so that we stop marshalling the entries
 then and similarly stop unmarshalling.
 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 ---
 src/tpm2/NVMarshal.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 diff --git a/src/tpm2/NVMarshal.c b/src/tpm2/NVMarshal.c
 index f8a3798..935a76c 100644
 --- a/src/tpm2/NVMarshal.c
 +++ b/src/tpm2/NVMarshal.c
@@ -4244,6 +4244,12 @@ INDEX_ORDERLY_RAM_Marshal(void *array, size_t array_size,
                                      datasize, buffer, size);
         }
         offset += nrh.size;
 +        if (offset + sizeof(NV_RAM_HEADER) > array_size) {
 +            /* nothing will fit anymore and there won't be a 0-sized
 +             * terminating node (@1).
 +             */
 +            break;
 +        }
     }
     written += BLOCK_SKIP_WRITE_PUSH(TRUE, buffer, size);
@@ -4286,6 +4292,16 @@ INDEX_ORDERLY_RAM_Unmarshal(void *array, size_t array_size,
          */
         nrhp = array + offset;
 +        if (offset + sizeof(NV_RAM_HEADER) > sourceside_size) {
 +            /* this case can occur with the previous entry filling up the
 +             * space; in this case there will not be a 0-sized terminating
 +             * node (see @1 above). We clear the rest of our space.
 +             */
 +            if (array_size > offset)
 +                memset(nrhp, 0, array_size - offset);
 +            break;
 +        }
 +
         /* write the NVRAM header;
            nrh->size holds the complete size including data;
            nrh->size = 0 indicates the end */
 -- 
 2.33.0.rc2
--- a/libtpms.spec
+++ b/libtpms.spec
@ -3,7 +3,7 @@
 Name:           libtpms
 Version:        0.8.2
-Release:        0.%{gitdate}git%{gitversion}%{?dist}.6
+Release:        0.%{gitdate}git%{gitversion}%{?dist}.7
 Summary: Library providing Trusted Platform Module (TPM) functionality
 License:        BSD
@ -13,6 +13,8 @@ Patch0001:      0001-build-sys-leave-CFLAGS-LDFLAGS-for-user-to-be-define.patch
 Patch0002:      0001-tpm2-Reset-TPM2B-buffer-sizes-after-test-fails-for-v.patch
 Patch0003:      0002-tpm2-Add-maxSize-parameter-to-TPM2B_Marshal-for-sani.patch
 Patch0004:      0003-tpm2-Restore-original-value-if-unmarshalled-value-wa.patch
 Patch0005:      0001-tpm2-Initialize-a-whole-OBJECT-before-using-it.patch
 Patch0006:      0002-tpm2-NVMarshal-Handle-index-orderly-RAM-without-0-si.patch
 BuildRequires:  openssl-devel
 BuildRequires:  pkgconfig gawk sed
@ -59,6 +61,10 @@ find %{buildroot} -type f -name '*.la' | xargs rm -f -- || :
 %{_mandir}/man3/*
 %changelog
 * Tue Aug 31 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.8.2-0.20210301git729fc6a4ca.7
 - Fixes CVE-2021-3746 libtpms: out-of-bounds access via specially crafted TPM 2 command packets
  Resolves: rhbz#1999303
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.8.2-0.20210301git729fc6a4ca.6
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688