Compare commits
No commits in common. "c8s-stream-rhel" and "c8-beta-stream-rhel" have entirely different histories.
c8s-stream
...
c8-beta-st
@ -0,0 +1,52 @@
|
|||||||
|
From 324dbb4c27ae789c73b69dbf4611242267919dd4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stefan Berger <stefanb@linux.ibm.com>
|
||||||
|
Date: Mon, 20 Feb 2023 14:41:10 -0500
|
||||||
|
Subject: [PATCH] tpm2: Check size of buffer before accessing it (CVE-2023-1017
|
||||||
|
& -1018)
|
||||||
|
|
||||||
|
Check that there are sufficient bytes in the buffer before reading the
|
||||||
|
cipherSize from it. Also, reduce the bufferSize variable by the number
|
||||||
|
of bytes that make up the cipherSize to avoid reading and writing bytes
|
||||||
|
beyond the buffer in subsequent steps that do in-place decryption.
|
||||||
|
|
||||||
|
This fixes CVE-2023-1017 & CVE-2023-1018.
|
||||||
|
|
||||||
|
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
|
||||||
|
---
|
||||||
|
src/tpm2/CryptUtil.c | 6 ++++++
|
||||||
|
1 file changed, 6 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
|
||||||
|
index 002fde0..8fae5b6 100644
|
||||||
|
--- a/src/tpm2/CryptUtil.c
|
||||||
|
+++ b/src/tpm2/CryptUtil.c
|
||||||
|
@@ -830,6 +830,10 @@ CryptParameterDecryption(
|
||||||
|
+ sizeof(session->sessionKey.t.buffer)));
|
||||||
|
TPM2B_HMAC_KEY key; // decryption key
|
||||||
|
UINT32 cipherSize = 0; // size of cipher text
|
||||||
|
+
|
||||||
|
+ if (leadingSizeInByte > bufferSize)
|
||||||
|
+ return TPM_RC_INSUFFICIENT;
|
||||||
|
+
|
||||||
|
// Retrieve encrypted data size.
|
||||||
|
if(leadingSizeInByte == 2)
|
||||||
|
{
|
||||||
|
@@ -837,6 +841,7 @@ CryptParameterDecryption(
|
||||||
|
// data to be decrypted
|
||||||
|
cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
|
||||||
|
buffer = &buffer[2]; // advance the buffer
|
||||||
|
+ bufferSize -= 2;
|
||||||
|
}
|
||||||
|
#ifdef TPM4B
|
||||||
|
else if(leadingSizeInByte == 4)
|
||||||
|
@@ -844,6 +849,7 @@ CryptParameterDecryption(
|
||||||
|
// the leading size is four bytes so get the four byte size field
|
||||||
|
cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
|
||||||
|
buffer = &buffer[4]; //advance pointer
|
||||||
|
+ bufferSize -= 4;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
else
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
@ -3,7 +3,7 @@
|
|||||||
|
|
||||||
Name: libtpms
|
Name: libtpms
|
||||||
Version: 0.9.1
|
Version: 0.9.1
|
||||||
Release: 1.%{gitdate}git%{gitversion}%{?dist}
|
Release: 2.%{gitdate}git%{gitversion}%{?dist}
|
||||||
|
|
||||||
Summary: Library providing Trusted Platform Module (TPM) functionality
|
Summary: Library providing Trusted Platform Module (TPM) functionality
|
||||||
License: BSD
|
License: BSD
|
||||||
@ -11,6 +11,7 @@ Url: http://github.com/stefanberger/libtpms
|
|||||||
Source0: libtpms-%{gitdate}.tar.xz
|
Source0: libtpms-%{gitdate}.tar.xz
|
||||||
ExcludeArch: i686
|
ExcludeArch: i686
|
||||||
Patch0003: 0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch
|
Patch0003: 0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch
|
||||||
|
Patch0004: 0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
|
||||||
|
|
||||||
BuildRequires: openssl-devel
|
BuildRequires: openssl-devel
|
||||||
BuildRequires: pkgconfig gawk sed
|
BuildRequires: pkgconfig gawk sed
|
||||||
@ -58,6 +59,11 @@ find %{buildroot} -type f -name '*.la' | xargs rm -f -- || :
|
|||||||
%{_mandir}/man3/*
|
%{_mandir}/man3/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Mar 21 2023 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-2.20211126git1ff6fe1f43
|
||||||
|
- Backport "tpm2: Check size of buffer before accessing it" (CVE-2023-1017 & CVE-2023-1018)
|
||||||
|
Resolves: rhbz#2173964
|
||||||
|
Resolves: rhbz#2173970
|
||||||
|
|
||||||
* Thu Jul 28 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-1.20211126git1ff6fe1f43
|
* Thu Jul 28 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-1.20211126git1ff6fe1f43
|
||||||
- Backport s_ContextSlotMask initialization fix
|
- Backport s_ContextSlotMask initialization fix
|
||||||
Resolves: rhbz#2111433
|
Resolves: rhbz#2111433
|
||||||
|
Loading…
Reference in New Issue
Block a user