53 lines
2.0 KiB
Diff
53 lines
2.0 KiB
Diff
From 0b1db4bd1c668c56f1d893c9ed19a94d46c228f7 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
|
|
Date: Wed, 11 Jun 2025 23:05:08 +0400
|
|
Subject: [PATCH] tpm2: CVE-2025-49133 fix
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Based from upstream commit 04b2d8e9afc ("tpm2: Fix potential
|
|
out-of-bound access & abort due to HMAC signing issue")
|
|
|
|
Fix an HMAC signing issue that may causes an out-of-bounds access in a
|
|
TPM2B that in turn was running into an assert() in libtpms causing an
|
|
abort. The signing issue was due to an inconsistent pairing of the signKey
|
|
and signScheme parameters, where the signKey is ALG_KEYEDHASH key and
|
|
inScheme is an ECC or RSA scheme.
|
|
|
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
---
|
|
src/tpm2/CryptUtil.c | 16 ++++++++++------
|
|
1 file changed, 10 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
|
|
index 9879f91..4154d50 100644
|
|
--- a/src/tpm2/CryptUtil.c
|
|
+++ b/src/tpm2/CryptUtil.c
|
|
@@ -79,12 +79,16 @@ CryptHmacSign(
|
|
{
|
|
HMAC_STATE hmacState;
|
|
UINT32 digestSize;
|
|
- digestSize = CryptHmacStart2B(&hmacState, signature->signature.any.hashAlg,
|
|
- &signKey->sensitive.sensitive.bits.b);
|
|
- CryptDigestUpdate2B(&hmacState.hashState, &hashData->b);
|
|
- CryptHmacEnd(&hmacState, digestSize,
|
|
- (BYTE *)&signature->signature.hmac.digest);
|
|
- return TPM_RC_SUCCESS;
|
|
+ if (signature->sigAlg == TPM_ALG_HMAC)
|
|
+ {
|
|
+ digestSize = CryptHmacStart2B(&hmacState, signature->signature.any.hashAlg,
|
|
+ &signKey->sensitive.sensitive.bits.b);
|
|
+ CryptDigestUpdate2B(&hmacState.hashState, &hashData->b);
|
|
+ CryptHmacEnd(&hmacState, digestSize,
|
|
+ (BYTE *)&signature->signature.hmac.digest);
|
|
+ return TPM_RC_SUCCESS;
|
|
+ }
|
|
+ return TPM_RC_SCHEME;
|
|
}
|
|
/* 10.2.6.3.2 CryptHMACVerifySignature() */
|
|
/* This function will verify a signature signed by a HMAC key. Note that a caller needs to prepare
|
|
--
|
|
2.49.0
|
|
|