From 2d2ea896d8085d634d19357195fbc5004854b0f4 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Mon, 30 Sep 2024 16:43:40 +0000
Subject: [PATCH] import CS tpm2-tools-5.2-4.el9
---
 ...ig-fix-usage-of-disable-continuesess.patch | 131 ++++++++++++++++++
 ...l.c-Fix-missing-include-for-basename.patch | 28 ++++
 ...vread-fix-input-handling-no-nv-index.patch | 63 +++++++++
 ...uote-Add-comparison-of-pcr-selection.patch | 86 ++++++++++++
 ...checkquote-Fix-check-of-magic-number.patch | 38 +++++
 ...2_setprimarypolicy-Fix-resource-leak.patch | 28 ++++
 SPECS/tpm2-tools.spec | 17 ++-
 7 files changed, 390 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0001-tpm2_sessionconfig-fix-usage-of-disable-continuesess.patch
 create mode 100644 SOURCES/0002-tpm2_tool.c-Fix-missing-include-for-basename.patch
 create mode 100644 SOURCES/0003-tpm2_nvread-fix-input-handling-no-nv-index.patch
 create mode 100644 SOURCES/0004-tpm2_checkquote-Add-comparison-of-pcr-selection.patch
 create mode 100644 SOURCES/0005-tpm2_checkquote-Fix-check-of-magic-number.patch
 create mode 100644 SOURCES/0006-tpm2_setprimarypolicy-Fix-resource-leak.patch
diff --git a/SOURCES/0001-tpm2_sessionconfig-fix-usage-of-disable-continuesess.patch b/SOURCES/0001-tpm2_sessionconfig-fix-usage-of-disable-continuesess.patch
new file mode 100644
index 0000000..fc9903f
--- /dev/null
+++ b/SOURCES/0001-tpm2_sessionconfig-fix-usage-of-disable-continuesess.patch
@@ -0,0 +1,131 @@
+From c2dff7cfac16a857fcd5161d6e171483221ab003 Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Sun, 17 Dec 2023 09:53:01 +0100
+Subject: [PATCH 1/6] tpm2_sessionconfig fix usage of --disable-continuesession
+
+Conflicts: context change due to missing 6169d8c22
+
+If continue session was disabled a error did occur in the function for
+restoring the session context.
+Now after usage of an session with continue session disabled the
+context will not be saved and the session context file will be
+deleted.
+In one integration test continue session is now disabled and the
+flush for this session is removed.
+
+Fixes: #3295
+
+Signed-off-by: Juergen Repp
+---
+ lib/tpm2_session.c | 45 +++++++++++++++++++++++---------
+ test/integration/tests/unseal.sh | 7 +++--
+ 2 files changed, 37 insertions(+), 15 deletions(-)
+
+diff --git a/lib/tpm2_session.c b/lib/tpm2_session.c
+index 60b8643b..3e5503db 100644
+--- a/lib/tpm2_session.c
++++ b/lib/tpm2_session.c
+@@ -35,6 +35,7 @@ struct tpm2_session {
+ char *path;
+ ESYS_CONTEXT *ectx;
+ bool is_final;
++ bool delete;
+ } internal;
+ };
+
+@@ -290,18 +291,23 @@ tool_rc tpm2_session_restore(ESYS_CONTEXT *ctx, const char *path, bool is_final,
+ dup_path = NULL;
+
+ TPMA_SESSION attrs = 0;
++ s->internal.delete = false;
++ s->internal.is_final = is_final;
++ *session = s;
+
+ if (ctx) {
+-
+ /* hack this in here, should be done when starting the session */
+ tmp_rc = tpm2_sess_get_attributes(ctx, handle, &attrs);
+- UNUSED(tmp_rc);
++ if (tmp_rc != tool_rc_success) {
++ rc = tmp_rc;
++ LOG_ERR("Can't get session attributes.");
++ goto out;
++ }
++ if ((attrs & TPMA_SESSION_CONTINUESESSION) == 0) {
++ s->internal.delete = true;
++ }
+ }
+
+- s->internal.is_final = is_final;
+-
+- *session = s;
+-
+ LOG_INFO("Restored session: ESYS_TR(0x%x) attrs(0x%x)", handle, attrs);
+
+ rc = tool_rc_success;
+@@ -341,22 +347,35 @@ tool_rc tpm2_session_close(tpm2_session **s) {
+ }
+
+ const char *path = session->internal.path;
+- FILE *session_file = path ? fopen(path, "w+b") : NULL;
+- if (path && !session_file) {
+- LOG_ERR("Could not open path \"%s\", due to error: \"%s\"", path,
+- strerror(errno));
+- rc = tool_rc_general_error;
+- goto out;
+- }
+
+ bool flush = path ? session->internal.is_final : true;
+ if (flush) {
+ rc = tpm2_flush_context(session->internal.ectx,
+ session->output.session_handle);
+ /* done, use rc to indicate status */
++ goto out2;
++ }
++
++ if ((*s)->internal.delete && path) {
++ if (remove(path)) {
++ LOG_ERR("File \"%s\" can't be deleted.", path);
++ rc = tool_rc_general_error;
++ goto out2;
++ } else {
++ rc = tool_rc_success;
++ goto out2;
++ }
++ }
++
++ FILE *session_file = path ? fopen(path, "w+b") : NULL;
++ if (path && !session_file) {
++ LOG_ERR("Could not open path \"%s\", due to error: \"%s\"", path,
++ strerror(errno));
++ rc = tool_rc_general_error;
+ goto out;
+ }
+
++
+ /*
+ * Now write the session_type, handle and auth hash data to disk
+ */
+diff --git a/test/integration/tests/unseal.sh b/test/integration/tests/unseal.sh
+index dd6c2bc6..d0f7104f 100644
+--- a/test/integration/tests/unseal.sh
++++ b/test/integration/tests/unseal.sh
+@@ -152,10 +152,13 @@ tpm2 sessionconfig enc_session.ctx --disable-encrypt
+ tpm2 create -Q -C prim.ctx -u seal_key.pub -r seal_key.priv -c seal_key.ctx \
+ -p sealkeypass -i- <<< $secret -S enc_session.ctx
+
+-tpm2 sessionconfig enc_session.ctx --enable-encrypt
++tpm2 sessionconfig enc_session.ctx --enable-encrypt --disable-continuesession
+ unsealed=`tpm2 unseal -c seal_key.ctx -p sealkeypass -S enc_session.ctx`
+ test "$unsealed" == "$secret"
+
+-tpm2 flushcontext enc_session.ctx
++if [ -e enc_session.ctx ]; then
++ echo "enc_session.ctx was not deleted.";
++ exit 1
++fi
+
+ exit 0
+-- 
+2.45.2
+
diff --git a/SOURCES/0002-tpm2_tool.c-Fix-missing-include-for-basename.patch b/SOURCES/0002-tpm2_tool.c-Fix-missing-include-for-basename.patch
new file mode 100644
index 0000000..9605919
--- /dev/null
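Review bot: `*session = s` in `tpm2_session_restore` is now assigned before the new `goto out` taken when `tpm2_sess_get_attributes` fails, so the caller receives the pointer on the error path; if the `out:` label (outside the hunk) frees `s` on failure that pointer dangles, and if it does not, the object leaks, so clear it before bailing with `*session = NULL;` ahead of `goto out;` (or keep the assignment after the check, as the removed lines had it). In `tpm2_session_close`, the `remove(path)` failure message drops the reason; `LOG_ERR("File \"%s\" can't be deleted: %s", path, strerror(errno));` would match the fopen message a few lines below. The `delete` branch deserves a comment stating its assumption: the context file is removed because the TPM is expected to have closed a session used with continueSession clear, so if the command that consumed the session failed, the handle may still be live on the TPM with no context file left to flush it through. Both functions start and end outside the hunk.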
+++ b/SOURCES/0002-tpm2_tool.c-Fix-missing-include-for-basename.patch
@@ -0,0 +1,28 @@
+From 2e4d5da9a5e8808b1b075e0bde11c13fdd4c60b3 Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Tue, 19 Dec 2023 17:24:26 +0100
+Subject: [PATCH 2/6] tpm2_tool.c Fix missing include for basename.
+
+tpm2_tool.c did not compile without the include libgen.h on netbsd.
+Fixes: #3321
+
+Signed-off-by: Juergen Repp
+---
+ tools/tpm2_tool.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/tpm2_tool.c b/tools/tpm2_tool.c
+index edd04c83..f59e316a 100644
+--- a/tools/tpm2_tool.c
++++ b/tools/tpm2_tool.c
+@@ -3,6 +3,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+-- 
+2.45.2
+
diff --git a/SOURCES/0003-tpm2_nvread-fix-input-handling-no-nv-index.patch b/SOURCES/0003-tpm2_nvread-fix-input-handling-no-nv-index.patch
new file mode 100644
index 0000000..b352955
--- /dev/null
+++ b/SOURCES/0003-tpm2_nvread-fix-input-handling-no-nv-index.patch
@@ -0,0 +1,63 @@
+From 5b5dd6263f1f2d41f08abd60134396a12756c5e7 Mon Sep 17 00:00:00 2001
+From: Bill Roberts
+Date: Sun, 10 Dec 2023 10:26:33 -0600
+Subject: [PATCH 3/6] tpm2_nvread: fix input handling no nv index
+
+Fixes:
+./tools/tpm2 nvread
+WARN: Reading full size of the NV index
+ERROR: object string is empty
+ERROR: Invalid handle authorization.
+ERROR: Unable to run nvread
+
+with:
+./tools/tpm2 nvread
+ERROR: Must specify NV index argument
+Usage: nvread []
+Where are:
+ [ -C | --hierarchy=] [ -o | --output=] [ -s | --size=] [ --offset=]
+ [ --cphash=] [ --rphash=] [ -n | --name=] [ -P | --auth=]
+ [ -S | --session=] [ --print-yaml]
+
+Signed-off-by: Bill Roberts
+---
+ tools/tpm2_nvread.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tpm2_nvread.c b/tools/tpm2_nvread.c
+index f64d00c1..8f9c61cc 100644
+--- a/tools/tpm2_nvread.c
++++ b/tools/tpm2_nvread.c
+@@ -24,6 +24,7 @@ struct tpm_nvread_ctx {
+ TPM2B_NAME precalc_nvname;
+ UINT32 size_to_read;
+ UINT32 offset;
++ bool nv_specified;
+
+ /*
+ * Outputs
+@@ -192,6 +193,11 @@ static tool_rc check_options(tpm2_option_flags flags) {
+ return tool_rc_option_error;
+ }
+
++ if(!ctx.nv_specified) {
++ LOG_ERR("Must specify NV index argument");
++ return tool_rc_option_error;
++ }
++
+ /*
+ * Peculiar to this and some other tools, the object (nvindex) name must
+ * be specified when only calculating the cpHash.
+@@ -266,7 +272,8 @@ static bool on_arg(int argc, char **argv) {
+ if (!ctx.auth_hierarchy.ctx_path) {
+ ctx.auth_hierarchy.ctx_path = argv[0];
+ }
+- return on_arg_nv_index(argc, argv, &ctx.nv_index);
++
++ return ctx.nv_specified = on_arg_nv_index(argc, argv, &ctx.nv_index);
+ }
+
+ static bool on_option(char key, char *value) {
+-- 
+2.45.2
+
diff --git a/SOURCES/0004-tpm2_checkquote-Add-comparison-of-pcr-selection.patch b/SOURCES/0004-tpm2_checkquote-Add-comparison-of-pcr-selection.patch
new file mode 100644
index 0000000..331fefc
--- /dev/null
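Review bot: `return ctx.nv_specified = on_arg_nv_index(...)` in `on_arg` sets the flag from the parse result rather than from whether an argument was present, so a present-but-malformed index leaves `nv_specified` false; if a false return from `on_arg` does not already stop option handling (not visible here), `check_options` would then report "Must specify NV index argument" for an index that was in fact specified. Setting the flag from the argument count keeps the two conditions apart: `ctx.nv_specified = argc > 0;` before the return, leaving the return value as the parse status. Minor style: `if(!ctx.nv_specified)` lacks the space after `if` that the rest of the hunk uses (`if (!ctx.auth_hierarchy.ctx_path)`). `check_options` and `on_arg` both extend beyond the hunk.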
+++ b/SOURCES/0004-tpm2_checkquote-Add-comparison-of-pcr-selection.patch 
@@ -0,0 +1,86 @@
+From 7076608db4b8a2cdcab6ff4bc47c23c935618e3b Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Tue, 5 Mar 2024 22:11:38 +0100
+Subject: [PATCH 4/6] tpm2_checkquote: Add comparison of pcr selection.
+
+The pcr selection which is passed with the --pcr parameter it not
+compared with the attest. So it's possible to fake a valid
+attestation.
+
+Fixes: CVE-2024-29039
+
+Signed-off-by: Juergen Repp
+Signed-off-by: Andreas Fuchs
+---
+ tools/misc/tpm2_checkquote.c | 41 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
+index 6ce086f8..8a2a154e 100644
+--- a/tools/misc/tpm2_checkquote.c
++++ b/tools/misc/tpm2_checkquote.c
+@@ -54,6 +54,37 @@ static tpm2_verifysig_ctx ctx = {
+ .pcr_hash = TPM2B_TYPE_INIT(TPM2B_DIGEST, buffer),
+ };
+
++static bool compare_pcr_selection(TPML_PCR_SELECTION *attest_sel, TPML_PCR_SELECTION *pcr_sel) {
++ if (attest_sel->count != pcr_sel->count) {
++ LOG_ERR("Selection sizes do not match.");
++ return false;
++ }
++ for (uint32_t i = 0; i < attest_sel->count; i++) {
++ for (uint32_t j = 0; j < pcr_sel->count; j++) {
++ if (attest_sel->pcrSelections[i].hash ==
++ pcr_sel->pcrSelections[j].hash) {
++ if (attest_sel->pcrSelections[i].sizeofSelect !=
++ pcr_sel->pcrSelections[j].sizeofSelect) {
++ LOG_ERR("Bitmask size does not match");
++ return false;
++ }
++ if (memcmp(&attest_sel->pcrSelections[i].pcrSelect[0],
++ &pcr_sel->pcrSelections[j].pcrSelect[0],
++ attest_sel->pcrSelections[i].sizeofSelect) != 0) {
++ LOG_ERR("Selection bitmasks do not match");
++ return false;
++ }
++ break;
++ }
++ if (j == pcr_sel->count - 1) {
++ LOG_ERR("Hash selections to not match.");
++ return false;
++ }
++ }
++ }
++ return true;
++}
++
+ static bool verify(void) {
+
+ bool result = false;
+@@ -374,7 +405,7 @@ static tool_rc init(void) {
+ }
+
+ TPM2B_ATTEST *msg = NULL;
+- TPML_PCR_SELECTION pcr_select;
++ TPML_PCR_SELECTION 
pcr_select = { 0 };
+ tpm2_pcrs *pcrs;
+ tpm2_pcrs temp_pcrs = {};
+ tool_rc return_value = tool_rc_general_error;
+@@ -537,6 +568,14 @@ static tool_rc init(void) {
+ goto err;
+ }
+
++ if (ctx.flags.pcr) {
++ if (!compare_pcr_selection(&ctx.attest.attested.quote.pcrSelect,
++ &pcr_select)) {
++ LOG_ERR("PCR selection does not match PCR slection from attest!");
++ goto err;
++ }
++ }
++
+ // Figure out the digest for this message
+ res = tpm2_openssl_hash_compute_data(ctx.halg, msg->attestationData,
+ msg->size, &ctx.msg_hash);
+-- 
+2.45.2
+
diff --git a/SOURCES/0005-tpm2_checkquote-Fix-check-of-magic-number.patch b/SOURCES/0005-tpm2_checkquote-Fix-check-of-magic-number.patch
new file mode 100644
index 0000000..f7c8c74
--- /dev/null
+++ b/SOURCES/0005-tpm2_checkquote-Fix-check-of-magic-number.patch
@@ -0,0 +1,38 @@
+From 0f122ba3f7bdee12f8ee725db41d90e737fb3e49 Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Tue, 31 Oct 2023 11:29:50 +0100
+Subject: [PATCH 5/6] tpm2_checkquote: Fix check of magic number.
+
+It was not checked whether the magic number in the
+attest is equal to TPM2_GENERATED_VALUE.
+So an malicious attacker could generate arbitrary quote data
+which was not detected by tpm2 checkquote.
+
+Fixes: CVE-2024-29038
+
+Signed-off-by: Juergen Repp
+---
+ tools/misc/tpm2_checkquote.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
+index 8a2a154e..5083d855 100644
+--- a/tools/misc/tpm2_checkquote.c
++++ b/tools/misc/tpm2_checkquote.c
+@@ -146,6 +146,13 @@ static bool verify(void) {
+ goto err;
+ }
+
++ // check magic
++ if (ctx.attest.magic != TPM2_GENERATED_VALUE) {
++ LOG_ERR("Bad magic, got: 0x%x, expected: 0x%x",
++ ctx.attest.magic, TPM2_GENERATED_VALUE);
++ return false;
++ }
++
+ // Also ensure digest from quote matches PCR digest
+ if (ctx.flags.pcr) {
+ if (!tpm2_util_verify_digests(&ctx.attest.attested.quote.pcrDigest,
+-- 
+2.45.2
+
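Review bot: `compare_pcr_selection` is not a set comparison: a `pcr_sel` entry that has already been matched is never consumed, so an attested selection listing the same hash algorithm twice with identical bitmasks compares equal to a user `--pcr` selection of two different banks, because both attested entries match the first user entry and the second user entry is never examined. Whether a TPM will sign a quote over a selection with a repeated bank is outside what this hunk shows, but the verifier should not depend on it; recording which `pcr_sel` entries have been matched (sketched below, with the array sized from `pcrSelections` itself) turns the check into an exact one-to-one match. The new error strings also carry typos (`Hash selections to not match.`, `PCR slection`) that will land in operators' logs. `init` continues outside the hunk.
```c
static bool compare_pcr_selection(TPML_PCR_SELECTION *attest_sel, TPML_PCR_SELECTION *pcr_sel) {
    /* … unchanged: count comparison … */
    /* one slot per pcr_sel entry so each user bank can be claimed only once */
    bool matched[sizeof pcr_sel->pcrSelections / sizeof pcr_sel->pcrSelections[0]] = { 0 };
    for (uint32_t i = 0; i < attest_sel->count; i++) {
        bool found = false;
        for (uint32_t j = 0; j < pcr_sel->count; j++) {
            if (matched[j] ||
                attest_sel->pcrSelections[i].hash != pcr_sel->pcrSelections[j].hash) {
                continue;
            }
            /* … unchanged: sizeofSelect and memcmp checks, returning false on mismatch … */
            matched[j] = true;
            found = true;
            break;
        }
        if (!found) {
            LOG_ERR("Hash selections do not match.");
            return false;
        }
    }
    return true;
}
```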
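Review bot: The new magic check in `verify` bails with `return false` where the surrounding code (the `goto err;` visible two lines above) routes failures through the `err:` label; if that label releases anything (it is outside the hunk), this path skips it, so `goto err;` is the consistent exit. The magic check also does not establish that `ctx.attest.type` is a quote, yet the code just below reads `ctx.attest.attested.quote.pcrDigest`, a union member; unless the type is checked elsewhere in the file, a validly signed attestation of another kind would be interpreted as a quote. Add after the magic check: `if (ctx.attest.type != TPM2_ST_ATTEST_QUOTE) { LOG_ERR("Attestation is not a quote, type: 0x%x", ctx.attest.type); goto err; }`. `verify` starts and ends outside the hunk.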
diff --git a/SOURCES/0006-tpm2_setprimarypolicy-Fix-resource-leak.patch b/SOURCES/0006-tpm2_setprimarypolicy-Fix-resource-leak.patch
new file mode 100644
index 0000000..945fedc
--- /dev/null
+++ b/SOURCES/0006-tpm2_setprimarypolicy-Fix-resource-leak.patch
@@ -0,0 +1,28 @@
+From d7c541d839d6c470fbd273d0c482091a1fe59fe6 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Tue, 18 Jun 2024 15:42:13 +0200
+Subject: [PATCH 6/6] tpm2_setprimarypolicy: Fix resource leak
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Štěpán Horáček
+---
+ tools/tpm2_setprimarypolicy.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/tpm2_setprimarypolicy.c b/tools/tpm2_setprimarypolicy.c
+index 140a8083..459d3d03 100644
+--- a/tools/tpm2_setprimarypolicy.c
++++ b/tools/tpm2_setprimarypolicy.c
+@@ -134,6 +134,7 @@ static tool_rc process_setprimarypolicy_input(ESYS_CONTEXT *ectx,
+ (*auth_policy)->buffer, &((*auth_policy)->size));
+ if (!result) {
+ LOG_ERR("Failed loading policy digest from path");
++ free(*auth_policy);
+ return tool_rc_general_error;
+ }
+ }
+-- 
+2.45.2
+
diff --git a/SPECS/tpm2-tools.spec b/SPECS/tpm2-tools.spec
index 837b621..70c694f 100644
--- a/SPECS/tpm2-tools.spec
+++ b/SPECS/tpm2-tools.spec
@@ -2,7 +2,7 @@ Name: tpm2-tools
 Version: 5.2
-Release: 3%{?candidate:.%{candidate}}%{?dist}
+Release: 4%{?candidate:.%{candidate}}%{?dist}
 Summary: A bunch of TPM testing toolS build upon tpm2-tss
 License: BSD
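Review bot: `free(*auth_policy)` on the error path leaves `*auth_policy` pointing at freed memory, so a caller that releases the out-parameter on `tool_rc_general_error` (the caller is outside the hunk) would double-free it, and one that does not would keep a dangling pointer. Reset the out-pointer in the same statement: `free(*auth_policy); *auth_policy = NULL;`. `process_setprimarypolicy_input` starts and ends outside the hunk.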
@@ -38,6 +38,12 @@ Patch115: 0015-tpm-errata-switch-to-twos-complement.patch
 Patch116: 0016-tpm2_eventlog.c-Fix-pcr-extension-for-EV_NO_ACTION.patch
 Patch117: 0017-kdfa.c-Fix-problem-with-FORTIFY_SOURCE-on-Fedora.patch
 Patch118: add_pregenerated_doc.patch
+Patch201: 0001-tpm2_sessionconfig-fix-usage-of-disable-continuesess.patch
+Patch202: 0002-tpm2_tool.c-Fix-missing-include-for-basename.patch
+Patch203: 0003-tpm2_nvread-fix-input-handling-no-nv-index.patch
+Patch204: 0004-tpm2_checkquote-Add-comparison-of-pcr-selection.patch
+Patch205: 0005-tpm2_checkquote-Fix-check-of-magic-number.patch
+Patch206: 0006-tpm2_setprimarypolicy-Fix-resource-leak.patch
 BuildRequires: git
 BuildRequires: make
@@ -89,6 +95,15 @@ autoreconf -i
 %{_mandir}/man1/tss2_*.1.gz
 %changelog
+* Wed Jun 19 2024 Štěpán Horáček - 5.2-4
+- Backport upstream fixes.
+- tpm2_checkquote: Fix check of magic number. (CVE-2024-29038)
+- tpm2_checkquote: Add comparison of pcr selection. (CVE-2024-29039)
+- Fix check of magic number.
+ Resolves: RHEL-23198
+ Resolves: RHEL-41031
+ Resolves: RHEL-41035
+
 * Wed May 24 2023 Štěpán Horáček - 5.2-3
 - Backport fixes.
 - Add tpm2_encodeobject tool.