5b9f1fa30a
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
53 lines
1.7 KiB
Diff
53 lines
1.7 KiB
Diff
From 324dbb4c27ae789c73b69dbf4611242267919dd4 Mon Sep 17 00:00:00 2001
|
|
From: Stefan Berger <stefanb@linux.ibm.com>
|
|
Date: Mon, 20 Feb 2023 14:41:10 -0500
|
|
Subject: [PATCH] tpm2: Check size of buffer before accessing it (CVE-2023-1017
|
|
& -1018)
|
|
|
|
Check that there are sufficient bytes in the buffer before reading the
|
|
cipherSize from it. Also, reduce the bufferSize variable by the number
|
|
of bytes that make up the cipherSize to avoid reading and writing bytes
|
|
beyond the buffer in subsequent steps that do in-place decryption.
|
|
|
|
This fixes CVE-2023-1017 & CVE-2023-1018.
|
|
|
|
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
|
|
---
|
|
src/tpm2/CryptUtil.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
|
|
index 002fde0..8fae5b6 100644
|
|
--- a/src/tpm2/CryptUtil.c
|
|
+++ b/src/tpm2/CryptUtil.c
|
|
@@ -830,6 +830,10 @@ CryptParameterDecryption(
|
|
+ sizeof(session->sessionKey.t.buffer)));
|
|
TPM2B_HMAC_KEY key; // decryption key
|
|
UINT32 cipherSize = 0; // size of cipher text
|
|
+
|
|
+ if (leadingSizeInByte > bufferSize)
|
|
+ return TPM_RC_INSUFFICIENT;
|
|
+
|
|
// Retrieve encrypted data size.
|
|
if(leadingSizeInByte == 2)
|
|
{
|
|
@@ -837,6 +841,7 @@ CryptParameterDecryption(
|
|
// data to be decrypted
|
|
cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
|
|
buffer = &buffer[2]; // advance the buffer
|
|
+ bufferSize -= 2;
|
|
}
|
|
#ifdef TPM4B
|
|
else if(leadingSizeInByte == 4)
|
|
@@ -844,6 +849,7 @@ CryptParameterDecryption(
|
|
// the leading size is four bytes so get the four byte size field
|
|
cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
|
|
buffer = &buffer[4]; //advance pointer
|
|
+ bufferSize -= 4;
|
|
}
|
|
#endif
|
|
else
|
|
--
|
|
2.39.2
|
|
|