Add fix for CVE-2022-23645
Fixes: rhbz#2056518 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
This commit is contained in:
Marc-André Lureau
parent
76b39970f7
commit
0c4d4c04a4
@ -0,0 +1,54 @@
|
|||||||
|
From 9f740868fc36761de27df3935513bdebf8852d19 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stefan Berger <stefanb@linux.ibm.com>
|
||||||
|
Date: Wed, 16 Feb 2022 11:17:47 -0500
|
||||||
|
Subject: [PATCH] swtpm: Check header size indicator against expected size (CID
|
||||||
|
375869)
|
||||||
|
|
||||||
|
This fix addresses Coverity issue CID 375869.
|
||||||
|
|
||||||
|
Check the header size indicated in the header of the state against the
|
||||||
|
expected size and return an error code in case the header size indicator
|
||||||
|
is different. There was only one header size so far since blobheader was
|
||||||
|
introduced, so we don't need to deal with different sizes.
|
||||||
|
|
||||||
|
Without this fix a specially craft header could have cause out-of-bounds
|
||||||
|
accesses on the byte array containing the swtpm's state.
|
||||||
|
|
||||||
|
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
|
||||||
|
---
|
||||||
|
src/swtpm/swtpm_nvstore.c | 11 ++++++++++-
|
||||||
|
1 file changed, 10 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/swtpm/swtpm_nvstore.c b/src/swtpm/swtpm_nvstore.c
|
||||||
|
index 437088370e11..144d8975ec54 100644
|
||||||
|
--- a/src/swtpm/swtpm_nvstore.c
|
||||||
|
+++ b/src/swtpm/swtpm_nvstore.c
|
||||||
|
@@ -1075,6 +1075,7 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
|
||||||
|
uint8_t *hdrversion, bool quiet)
|
||||||
|
{
|
||||||
|
blobheader *bh = (blobheader *)data;
|
||||||
|
+ uint16_t hdrsize;
|
||||||
|
|
||||||
|
if (length < sizeof(bh)) {
|
||||||
|
if (!quiet)
|
||||||
|
@@ -1100,8 +1101,16 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
|
||||||
|
return TPM_BAD_VERSION;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ hdrsize = ntohs(bh->hdrsize);
|
||||||
|
+ if (hdrsize != sizeof(blobheader)) {
|
||||||
|
+ logprintf(STDERR_FILENO,
|
||||||
|
+ "bad header size: %u != %zu\n",
|
||||||
|
+ hdrsize, sizeof(blobheader));
|
||||||
|
+ return TPM_BAD_DATASIZE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
*hdrversion = bh->version;
|
||||||
|
- *dataoffset = ntohs(bh->hdrsize);
|
||||||
|
+ *dataoffset = hdrsize;
|
||||||
|
*hdrflags = ntohs(bh->flags);
|
||||||
|
|
||||||
|
return TPM_SUCCESS;
|
||||||
|
--
|
||||||
|
2.34.1.428.gdcc0cd074f0c
|
||||||
|
|
||||||
@ -12,10 +12,11 @@
|
|||||||
Summary: TPM Emulator
|
Summary: TPM Emulator
|
||||||
Name: swtpm
|
Name: swtpm
|
||||||
Version: 0.7.0
|
Version: 0.7.0
|
||||||
Release: 1.%{gitdate}git%{gitshortcommit}%{?dist}
|
Release: 2.%{gitdate}git%{gitshortcommit}%{?dist}
|
||||||
License: BSD
|
License: BSD
|
||||||
Url: http://github.com/stefanberger/swtpm
|
Url: http://github.com/stefanberger/swtpm
|
||||||
Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz
|
Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz
|
||||||
|
Patch0001: 0001-swtpm-Check-header-size-indicator-against-expected-s.patch
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: git-core
|
BuildRequires: git-core
|
||||||
@ -178,6 +179,10 @@ fi
|
|||||||
%{_datadir}/swtpm/swtpm-create-tpmca
|
%{_datadir}/swtpm/swtpm-create-tpmca
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Feb 21 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-2.20211109gitb79fd91
|
||||||
|
- Add fix for CVE-2022-23645.
|
||||||
|
Resolves: rhbz#2056518
|
||||||
|
|
||||||
* Fri Nov 12 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-1.20211109gitb79fd91
|
* Fri Nov 12 2021 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-1.20211109gitb79fd91
|
||||||
- Update to v0.7.0 release
|
- Update to v0.7.0 release
|
||||||
Resolves: rhbz#2021580 & rhbz#1990153
|
Resolves: rhbz#2021580 & rhbz#1990153
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user