import swtpm-0.7.0-4.20211109gitb79fd91.module+el8.7.0+16689+53d59bc2

This commit is contained in:
CentOS Sources 2022-11-08 01:35:47 -05:00 committed by Stepan Oksanichenko
parent 98dd637771
commit ac7ae47c19
3 changed files with 77 additions and 18 deletions

View File

@ -0,0 +1,54 @@
From 9f740868fc36761de27df3935513bdebf8852d19 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Wed, 16 Feb 2022 11:17:47 -0500
Subject: [PATCH] swtpm: Check header size indicator against expected size (CID
375869)
This fix addresses Coverity issue CID 375869.
Check the header size indicated in the header of the state against the
expected size and return an error code in case the header size indicator
is different. There was only one header size so far since blobheader was
introduced, so we don't need to deal with different sizes.
Without this fix a specially craft header could have cause out-of-bounds
accesses on the byte array containing the swtpm's state.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
src/swtpm/swtpm_nvstore.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/swtpm/swtpm_nvstore.c b/src/swtpm/swtpm_nvstore.c
index 437088370e11..144d8975ec54 100644
--- a/src/swtpm/swtpm_nvstore.c
+++ b/src/swtpm/swtpm_nvstore.c
@@ -1075,6 +1075,7 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
uint8_t *hdrversion, bool quiet)
{
blobheader *bh = (blobheader *)data;
+ uint16_t hdrsize;
if (length < sizeof(bh)) {
if (!quiet)
@@ -1100,8 +1101,16 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
return TPM_BAD_VERSION;
}
+ hdrsize = ntohs(bh->hdrsize);
+ if (hdrsize != sizeof(blobheader)) {
+ logprintf(STDERR_FILENO,
+ "bad header size: %u != %zu\n",
+ hdrsize, sizeof(blobheader));
+ return TPM_BAD_DATASIZE;
+ }
+
*hdrversion = bh->version;
- *dataoffset = ntohs(bh->hdrsize);
+ *dataoffset = hdrsize;
*hdrflags = ntohs(bh->flags);
return TPM_SUCCESS;
--
2.34.1.428.gdcc0cd074f0c

View File

@ -1,4 +1,4 @@
From 12c1bfab1f21fdc28039219a1a159a900ca97283 Mon Sep 17 00:00:00 2001
From a39c3792ba5677f25fea903b9f1a43740a5f2c0c Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Wed, 8 Jun 2022 09:19:07 -0400
Subject: [PATCH] swtpm: Disable OpenSSL FIPS mode to avoid libtpms failures
@ -25,7 +25,7 @@ Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
create mode 100644 src/swtpm/fips.h
diff --git a/configure.ac b/configure.ac
index ad3054e5c7e3..30288c7a24ac 100644
index ad3054e..30288c7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -156,6 +156,15 @@ openssl)
@ -45,7 +45,7 @@ index ad3054e5c7e3..30288c7a24ac 100644
esac
diff --git a/src/swtpm/Makefile.am b/src/swtpm/Makefile.am
index 5454a6f7b747..2a659500a17f 100644
index 5454a6f..2a65950 100644
--- a/src/swtpm/Makefile.am
+++ b/src/swtpm/Makefile.am
@@ -11,6 +11,7 @@ noinst_HEADERS = \
@ -65,7 +65,7 @@ index 5454a6f7b747..2a659500a17f 100644
logging.c \
mainloop.c \
diff --git a/src/swtpm/cuse_tpm.c b/src/swtpm/cuse_tpm.c
index 9dbc00df2825..3026e26fffb3 100644
index 9dbc00d..3026e26 100644
--- a/src/swtpm/cuse_tpm.c
+++ b/src/swtpm/cuse_tpm.c
@@ -1695,6 +1695,11 @@ int swtpm_cuse_main(int argc, char **argv, const char *prgname, const char *ifac
@ -82,7 +82,7 @@ index 9dbc00df2825..3026e26fffb3 100644
goto exit;
diff --git a/src/swtpm/fips.c b/src/swtpm/fips.c
new file mode 100644
index 000000000000..eeb2a0ca4187
index 0000000..eeb2a0c
--- /dev/null
+++ b/src/swtpm/fips.c
@@ -0,0 +1,100 @@
@ -188,7 +188,7 @@ index 000000000000..eeb2a0ca4187
+#endif
diff --git a/src/swtpm/fips.h b/src/swtpm/fips.h
new file mode 100644
index 000000000000..14d4e9fe926d
index 0000000..14d4e9f
--- /dev/null
+++ b/src/swtpm/fips.h
@@ -0,0 +1,43 @@
@ -236,7 +236,7 @@ index 000000000000..14d4e9fe926d
+
+#endif /* _SWTPM_UTILS_H_ */
diff --git a/src/swtpm/swtpm.c b/src/swtpm/swtpm.c
index 722a7432f251..e618c567b1d2 100644
index 722a743..e618c56 100644
--- a/src/swtpm/swtpm.c
+++ b/src/swtpm/swtpm.c
@@ -521,6 +521,9 @@ int swtpm_main(int argc, char **argv, const char *prgname, const char *iface)
@ -250,7 +250,7 @@ index 722a7432f251..e618c567b1d2 100644
error_seccomp_profile:
diff --git a/src/swtpm/swtpm_chardev.c b/src/swtpm/swtpm_chardev.c
index 9710927ec626..ab6d8fd417c6 100644
index 9710927..ab6d8fd 100644
--- a/src/swtpm/swtpm_chardev.c
+++ b/src/swtpm/swtpm_chardev.c
@@ -573,6 +573,9 @@ int swtpm_chardev_main(int argc, char **argv, const char *prgname, const char *i
@ -264,7 +264,7 @@ index 9710927ec626..ab6d8fd417c6 100644
error_seccomp_profile:
diff --git a/src/swtpm/utils.h b/src/swtpm/utils.h
index 75024425d4b0..b8acd895a2ac 100644
index 7502442..b8acd89 100644
--- a/src/swtpm/utils.h
+++ b/src/swtpm/utils.h
@@ -71,4 +71,6 @@ ssize_t writev_full(int fd, const struct iovec *iov, int iovcnt);
@ -275,5 +275,5 @@ index 75024425d4b0..b8acd895a2ac 100644
+
#endif /* _SWTPM_UTILS_H_ */
--
2.36.0.44.g0f828332d5ac
2.36.1

View File

@ -12,13 +12,14 @@
Summary: TPM Emulator
Name: swtpm
Version: 0.7.0
Release: 3.%{gitdate}git%{gitshortcommit}%{?dist}
Release: 4.%{gitdate}git%{gitshortcommit}%{?dist}
License: BSD
Url: http://github.com/stefanberger/swtpm
Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz
Patch0001: 0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch
Patch0002: 0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
ExcludeArch: i686
Patch0001: 0001-swtpm-Check-header-size-indicator-against-expected-s.patch
Patch0002: 0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch
Patch0003: 0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
BuildRequires: make
BuildRequires: git-core
@ -181,13 +182,17 @@ fi
%{_datadir}/swtpm/swtpm-create-tpmca
%changelog
* Mon Jul 18 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-3.20211109gitb79fd91
* Mon Jul 18 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-4.20211109gitb79fd91
- swtpm_localca: Test for available issuercert before creating CA
Resolves: rhbz#2109987
Resolves: rhbz#2100508
* Thu Jun 09 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-2.20211109gitb79fd91
- Disable FIPS mode.
Resolves: rhbz#2109568
* Mon Jun 20 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-3.20211109gitb79fd91
- Disable OpenSSL FIPS mode to avoid libtpms failures
Resolves: rhbz#2097947
* Mon Feb 21 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-2.20211109gitb79fd91
- Add fix for CVE-2022-23645.
Resolves: rhbz#2056517
* Tue Jan 04 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-1.20211109gitb79fd91
- Rebase to 0.7.0, disable TPM 1.2.