Backport upstream fixes

Includes fixes for CVE-2024-29038 and CVE-2024-29039.

Resolves: RHEL-23198
Resolves: RHEL-41031
Resolves: RHEL-41035

Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
This commit is contained in:
Štěpán Horáček 2024-06-19 16:09:43 +02:00
parent 53479d9612
commit acfe6b50eb
7 changed files with 390 additions and 1 deletions


@ -0,0 +1,131 @@
From c2dff7cfac16a857fcd5161d6e171483221ab003 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Sun, 17 Dec 2023 09:53:01 +0100
Subject: [PATCH 1/6] tpm2_sessionconfig fix usage of --disable-continuesession
Conflicts: context change due to missing 6169d8c22
If continue session was disabled a error did occur in the function for
restoring the session context.
Now after usage of an session with continue session disabled the
context will not be saved and the session context file will be
deleted.
In one integration test continue session is now disabled and the
flush for this session is removed.
Fixes: #3295
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
lib/tpm2_session.c | 45 +++++++++++++++++++++++---------
test/integration/tests/unseal.sh | 7 +++--
2 files changed, 37 insertions(+), 15 deletions(-)
diff --git a/lib/tpm2_session.c b/lib/tpm2_session.c
index 60b8643b..3e5503db 100644
--- a/lib/tpm2_session.c
+++ b/lib/tpm2_session.c
@@ -35,6 +35,7 @@ struct tpm2_session {
char *path;
ESYS_CONTEXT *ectx;
bool is_final;
+ bool delete;
} internal;
};
@@ -290,18 +291,23 @@ tool_rc tpm2_session_restore(ESYS_CONTEXT *ctx, const char *path, bool is_final,
dup_path = NULL;
TPMA_SESSION attrs = 0;
+ s->internal.delete = false;
+ s->internal.is_final = is_final;
+ *session = s;
if (ctx) {
-
/* hack this in here, should be done when starting the session */
tmp_rc = tpm2_sess_get_attributes(ctx, handle, &attrs);
- UNUSED(tmp_rc);
+ if (tmp_rc != tool_rc_success) {
+ rc = tmp_rc;
+ LOG_ERR("Can't get session attributes.");
+ goto out;
+ }
+ if ((attrs & TPMA_SESSION_CONTINUESESSION) == 0) {
+ s->internal.delete = true;
+ }
}
- s->internal.is_final = is_final;
-
- *session = s;
-
LOG_INFO("Restored session: ESYS_TR(0x%x) attrs(0x%x)", handle, attrs);
rc = tool_rc_success;
@@ -341,22 +347,35 @@ tool_rc tpm2_session_close(tpm2_session **s) {
}
const char *path = session->internal.path;
- FILE *session_file = path ? fopen(path, "w+b") : NULL;
- if (path && !session_file) {
- LOG_ERR("Could not open path \"%s\", due to error: \"%s\"", path,
- strerror(errno));
- rc = tool_rc_general_error;
- goto out;
- }
bool flush = path ? session->internal.is_final : true;
if (flush) {
rc = tpm2_flush_context(session->internal.ectx,
session->output.session_handle);
/* done, use rc to indicate status */
+ goto out2;
+ }
+
+ if ((*s)->internal.delete && path) {
+ if (remove(path)) {
+ LOG_ERR("File \"%s\" can't be deleted.", path);
+ rc = tool_rc_general_error;
+ goto out2;
+ } else {
+ rc = tool_rc_success;
+ goto out2;
+ }
+ }
+
+ FILE *session_file = path ? fopen(path, "w+b") : NULL;
+ if (path && !session_file) {
+ LOG_ERR("Could not open path \"%s\", due to error: \"%s\"", path,
+ strerror(errno));
+ rc = tool_rc_general_error;
goto out;
}
+
/*
* Now write the session_type, handle and auth hash data to disk
*/
diff --git a/test/integration/tests/unseal.sh b/test/integration/tests/unseal.sh
index dd6c2bc6..d0f7104f 100644
--- a/test/integration/tests/unseal.sh
+++ b/test/integration/tests/unseal.sh
@@ -152,10 +152,13 @@ tpm2 sessionconfig enc_session.ctx --disable-encrypt
tpm2 create -Q -C prim.ctx -u seal_key.pub -r seal_key.priv -c seal_key.ctx \
-p sealkeypass -i- <<< $secret -S enc_session.ctx
-tpm2 sessionconfig enc_session.ctx --enable-encrypt
+tpm2 sessionconfig enc_session.ctx --enable-encrypt --disable-continuesession
unsealed=`tpm2 unseal -c seal_key.ctx -p sealkeypass -S enc_session.ctx`
test "$unsealed" == "$secret"
-tpm2 flushcontext enc_session.ctx
+if [ -e enc_session.ctx ]; then
+ echo "enc_session.ctx was not deleted.";
+ exit 1
+fi
exit 0
--
2.45.2
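Review bot: In tpm2_session_restore the patch now publishes the object with `*session = s` before the new attribute check, so when tpm2_sess_get_attributes fails and control jumps to `out` the caller receives `s` alongside an error return; if the cleanup at `out` (outside this hunk) frees `s` on failure, the caller holds a dangling pointer. Keep the failure path from handing out the object by moving `*session = s;` to just before `rc = tool_rc_success;`, after the attribute check has passed. In tpm2_session_close the delete branch removes the context file without flushing the handle, which is right once the TPM has auto-flushed a non-continued session, but a restored session that was never used in a command would presumably leave a loaded handle with no file left to name it, so a comment spelling out that assumption would help. Minor: the branch reads `(*s)->internal.delete` while the surrounding code uses the local `session`, and the `remove()` error message omits `strerror(errno)` unlike the fopen error just below it.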


@ -0,0 +1,28 @@
From 2e4d5da9a5e8808b1b075e0bde11c13fdd4c60b3 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Tue, 19 Dec 2023 17:24:26 +0100
Subject: [PATCH 2/6] tpm2_tool.c Fix missing include for basename.
tpm2_tool.c did not compile without the include libgen.h on netbsd.
Fixes: #3321
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
tools/tpm2_tool.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/tpm2_tool.c b/tools/tpm2_tool.c
index edd04c83..f59e316a 100644
--- a/tools/tpm2_tool.c
+++ b/tools/tpm2_tool.c
@@ -3,6 +3,7 @@
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
+#include <libgen.h>
#include <openssl/err.h>
#include <openssl/evp.h>
--
2.45.2
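Review bot: Including `<libgen.h>` after `<string.h>` selects the POSIX `basename()`, which may modify the string it is given and may return a pointer to static storage, whereas the GNU variant declared via `<string.h>` under `_GNU_SOURCE` does neither; on glibc the libgen.h definition takes over for the rest of the translation unit, so this include can change behaviour on Linux, not only fix the NetBSD build. The call site is outside this hunk, so confirm that its argument (presumably `argv[0]`) is not needed intact afterwards and that the returned pointer is used before the next call; otherwise pass a duplicate of the string. A one-line comment such as `/* POSIX basename(); may modify its argument */` next to the include would record the choice.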


@ -0,0 +1,63 @@
From 5b5dd6263f1f2d41f08abd60134396a12756c5e7 Mon Sep 17 00:00:00 2001
From: Bill Roberts <bill.c.roberts+gh@gmail.com>
Date: Sun, 10 Dec 2023 10:26:33 -0600
Subject: [PATCH 3/6] tpm2_nvread: fix input handling no nv index
Fixes:
./tools/tpm2 nvread
WARN: Reading full size of the NV index
ERROR: object string is empty
ERROR: Invalid handle authorization.
ERROR: Unable to run nvread
with:
./tools/tpm2 nvread
ERROR: Must specify NV index argument
Usage: nvread [<options>] <arguments>
Where <options> are:
[ -C | --hierarchy=<value>] [ -o | --output=<value>] [ -s | --size=<value>] [ --offset=<value>]
[ --cphash=<value>] [ --rphash=<value>] [ -n | --name=<value>] [ -P | --auth=<value>]
[ -S | --session=<value>] [ --print-yaml]
Signed-off-by: Bill Roberts <bill.c.roberts+gh@gmail.com>
---
tools/tpm2_nvread.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/tools/tpm2_nvread.c b/tools/tpm2_nvread.c
index f64d00c1..8f9c61cc 100644
--- a/tools/tpm2_nvread.c
+++ b/tools/tpm2_nvread.c
@@ -24,6 +24,7 @@ struct tpm_nvread_ctx {
TPM2B_NAME precalc_nvname;
UINT32 size_to_read;
UINT32 offset;
+ bool nv_specified;
/*
* Outputs
@@ -192,6 +193,11 @@ static tool_rc check_options(tpm2_option_flags flags) {
return tool_rc_option_error;
}
+ if(!ctx.nv_specified) {
+ LOG_ERR("Must specify NV index argument");
+ return tool_rc_option_error;
+ }
+
/*
* Peculiar to this and some other tools, the object (nvindex) name must
* be specified when only calculating the cpHash.
@@ -266,7 +272,8 @@ static bool on_arg(int argc, char **argv) {
if (!ctx.auth_hierarchy.ctx_path) {
ctx.auth_hierarchy.ctx_path = argv[0];
}
- return on_arg_nv_index(argc, argv, &ctx.nv_index);
+
+ return ctx.nv_specified = on_arg_nv_index(argc, argv, &ctx.nv_index);
}
static bool on_option(char key, char *value) {
--
2.45.2
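Review bot: The new last line of on_arg folds the flag update into the return, `return ctx.nv_specified = on_arg_nv_index(argc, argv, &ctx.nv_index);`, which reads like a mistyped `==` and is the assignment-in-expression form that compiler warnings exist to catch; splitting it into `ctx.nv_specified = on_arg_nv_index(argc, argv, &ctx.nv_index);` followed by `return ctx.nv_specified;` keeps the intent obvious. The check in check_options relies on `nv_specified` starting false, which holds if `ctx` is a zero-initialised file-scope object as it appears to be, but the new field deserves a comment such as `/* set by on_arg once an NV index argument has been parsed */`. Also `if(!ctx.nv_specified)` lacks the space after `if` used by the surrounding code.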


@ -0,0 +1,86 @@
From 7076608db4b8a2cdcab6ff4bc47c23c935618e3b Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Tue, 5 Mar 2024 22:11:38 +0100
Subject: [PATCH 4/6] tpm2_checkquote: Add comparison of pcr selection.
The pcr selection which is passed with the --pcr parameter it not
compared with the attest. So it's possible to fake a valid
attestation.
Fixes: CVE-2024-29039
Signed-off-by: Juergen Repp <juergen_repp@web.de>
Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com>
---
tools/misc/tpm2_checkquote.c | 41 +++++++++++++++++++++++++++++++++++-
1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
index 6ce086f8..8a2a154e 100644
--- a/tools/misc/tpm2_checkquote.c
+++ b/tools/misc/tpm2_checkquote.c
@@ -54,6 +54,37 @@ static tpm2_verifysig_ctx ctx = {
.pcr_hash = TPM2B_TYPE_INIT(TPM2B_DIGEST, buffer),
};
+static bool compare_pcr_selection(TPML_PCR_SELECTION *attest_sel, TPML_PCR_SELECTION *pcr_sel) {
+ if (attest_sel->count != pcr_sel->count) {
+ LOG_ERR("Selection sizes do not match.");
+ return false;
+ }
+ for (uint32_t i = 0; i < attest_sel->count; i++) {
+ for (uint32_t j = 0; j < pcr_sel->count; j++) {
+ if (attest_sel->pcrSelections[i].hash ==
+ pcr_sel->pcrSelections[j].hash) {
+ if (attest_sel->pcrSelections[i].sizeofSelect !=
+ pcr_sel->pcrSelections[j].sizeofSelect) {
+ LOG_ERR("Bitmask size does not match");
+ return false;
+ }
+ if (memcmp(&attest_sel->pcrSelections[i].pcrSelect[0],
+ &pcr_sel->pcrSelections[j].pcrSelect[0],
+ attest_sel->pcrSelections[i].sizeofSelect) != 0) {
+ LOG_ERR("Selection bitmasks do not match");
+ return false;
+ }
+ break;
+ }
+ if (j == pcr_sel->count - 1) {
+ LOG_ERR("Hash selections to not match.");
+ return false;
+ }
+ }
+ }
+ return true;
+}
+
static bool verify(void) {
bool result = false;
@@ -374,7 +405,7 @@ static tool_rc init(void) {
}
TPM2B_ATTEST *msg = NULL;
- TPML_PCR_SELECTION pcr_select;
+ TPML_PCR_SELECTION pcr_select = { 0 };
tpm2_pcrs *pcrs;
tpm2_pcrs temp_pcrs = {};
tool_rc return_value = tool_rc_general_error;
@@ -537,6 +568,14 @@ static tool_rc init(void) {
goto err;
}
+ if (ctx.flags.pcr) {
+ if (!compare_pcr_selection(&ctx.attest.attested.quote.pcrSelect,
+ &pcr_select)) {
+ LOG_ERR("PCR selection does not match PCR slection from attest!");
+ goto err;
+ }
+ }
+
// Figure out the digest for this message
res = tpm2_openssl_hash_compute_data(ctx.halg, msg->attestationData,
msg->size, &ctx.msg_hash);
--
2.45.2
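Review bot: compare_pcr_selection passes `attest_sel->pcrSelections[i].sizeofSelect`, a value taken from the caller-supplied attestation blob, straight to memcmp as the length over the fixed-size `pcrSelect` arrays; unless the unmarshaller is known to reject a sizeofSelect larger than `sizeof(pcrSelect)`, a crafted quote makes the comparison read past both arrays, and a guard before the memcmp closes this regardless: `if (attest_sel->pcrSelections[i].sizeofSelect > sizeof(attest_sel->pcrSelections[i].pcrSelect)) return false;`. The matching loop also assumes each hash algorithm appears at most once per list: with equal counts, a duplicated hash in the attest list can satisfy every iteration while one entry of the expected selection is never compared, so consider marking which pcr_sel entries were matched or rejecting duplicate hashes. Note too that the comparison only runs when `ctx.flags.pcr` is set, so a quote verified without `--pcr` still has no selection check, which should at least be stated in a comment. The new log strings carry typos: `Hash selections to not match.` should read `do not match` and `PCR slection` should be `PCR selection`.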


@ -0,0 +1,38 @@
From 0f122ba3f7bdee12f8ee725db41d90e737fb3e49 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Tue, 31 Oct 2023 11:29:50 +0100
Subject: [PATCH 5/6] tpm2_checkquote: Fix check of magic number.
It was not checked whether the magic number in the
attest is equal to TPM2_GENERATED_VALUE.
So an malicious attacker could generate arbitrary quote data
which was not detected by tpm2 checkquote.
Fixes: CVE-2024-29038
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
tools/misc/tpm2_checkquote.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
index 8a2a154e..5083d855 100644
--- a/tools/misc/tpm2_checkquote.c
+++ b/tools/misc/tpm2_checkquote.c
@@ -146,6 +146,13 @@ static bool verify(void) {
goto err;
}
+ // check magic
+ if (ctx.attest.magic != TPM2_GENERATED_VALUE) {
+ LOG_ERR("Bad magic, got: 0x%x, expected: 0x%x",
+ ctx.attest.magic, TPM2_GENERATED_VALUE);
+ return false;
+ }
+
// Also ensure digest from quote matches PCR digest
if (ctx.flags.pcr) {
if (!tpm2_util_verify_digests(&ctx.attest.attested.quote.pcrDigest,
--
2.45.2
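Review bot: The new magic check exits with `return false;` while the code directly above it uses `goto err`; if the `err` label in verify() (outside this hunk) releases resources acquired earlier, this early return skips that cleanup, so `goto err;` would be the consistent exit. It would also be worth pairing the magic check with a type check, `if (ctx.attest.type != TPM2_ST_ATTEST_QUOTE)`, before `ctx.attest.attested.quote` is read a few lines later: an attestation of another type carries the same magic but a different union member, so the quote fields would be read from the wrong data unless the type is verified elsewhere in the tool. A short comment on why the magic matters would help readers, e.g. `/* A restricted key will not sign caller-supplied data beginning with TPM2_GENERATED_VALUE, so the magic is what binds this structure to the TPM */`, hedged as appropriate for the key attributes this tool accepts.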


@ -0,0 +1,28 @@
From d7c541d839d6c470fbd273d0c482091a1fe59fe6 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Tue, 18 Jun 2024 15:42:13 +0200
Subject: [PATCH 6/6] tpm2_setprimarypolicy: Fix resource leak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
---
tools/tpm2_setprimarypolicy.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/tpm2_setprimarypolicy.c b/tools/tpm2_setprimarypolicy.c
index 140a8083..459d3d03 100644
--- a/tools/tpm2_setprimarypolicy.c
+++ b/tools/tpm2_setprimarypolicy.c
@@ -134,6 +134,7 @@ static tool_rc process_setprimarypolicy_input(ESYS_CONTEXT *ectx,
(*auth_policy)->buffer, &((*auth_policy)->size));
if (!result) {
LOG_ERR("Failed loading policy digest from path");
+ free(*auth_policy);
return tool_rc_general_error;
}
}
--
2.45.2
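Review bot: After `free(*auth_policy)` the caller's pointer is left dangling; the allocation and the caller are outside this hunk, so if the caller also frees `auth_policy` on the error return this becomes a double free, and if it does not, clearing it is still the conventional guard. Add `*auth_policy = NULL;` immediately after the free so the output parameter is either a valid allocation on success or NULL on failure. A comment on the function's contract, e.g. `/* On failure *auth_policy is released and reset to NULL; the caller owns it on success */`, would make that ownership rule explicit.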


@ -2,7 +2,7 @@
Name: tpm2-tools
Version: 5.2
Release: 3%{?candidate:.%{candidate}}%{?dist}
Release: 4%{?candidate:.%{candidate}}%{?dist}
Summary: A bunch of TPM testing toolS build upon tpm2-tss
License: BSD
@ -38,6 +38,12 @@ Patch115: 0015-tpm-errata-switch-to-twos-complement.patch
Patch116: 0016-tpm2_eventlog.c-Fix-pcr-extension-for-EV_NO_ACTION.patch
Patch117: 0017-kdfa.c-Fix-problem-with-FORTIFY_SOURCE-on-Fedora.patch
Patch118: add_pregenerated_doc.patch
Patch201: 0001-tpm2_sessionconfig-fix-usage-of-disable-continuesess.patch
Patch202: 0002-tpm2_tool.c-Fix-missing-include-for-basename.patch
Patch203: 0003-tpm2_nvread-fix-input-handling-no-nv-index.patch
Patch204: 0004-tpm2_checkquote-Add-comparison-of-pcr-selection.patch
Patch205: 0005-tpm2_checkquote-Fix-check-of-magic-number.patch
Patch206: 0006-tpm2_setprimarypolicy-Fix-resource-leak.patch
BuildRequires: git
BuildRequires: make
@ -89,6 +95,15 @@ autoreconf -i
%{_mandir}/man1/tss2_*.1.gz
%changelog
* Wed Jun 19 2024 Štěpán Horáček <shoracek@redhat.com> - 5.2-4
- Backport upstream fixes.
- tpm2_checkquote: Fix check of magic number. (CVE-2024-29038)
- tpm2_checkquote: Add comparison of pcr selection. (CVE-2024-29039)
- Fix check of magic number.
Resolves: RHEL-23198
Resolves: RHEL-41031
Resolves: RHEL-41035
* Wed May 24 2023 Štěpán Horáček <shoracek@redhat.com> - 5.2-3
- Backport fixes.
- Add tpm2_encodeobject tool.