From 0f122ba3f7bdee12f8ee725db41d90e737fb3e49 Mon Sep 17 00:00:00 2001
From: Juergen Repp
Date: Tue, 31 Oct 2023 11:29:50 +0100
Subject: [PATCH 5/6] tpm2_checkquote: Fix check of magic number.

It was not checked whether the magic number in the attest is equal to TPM2_GENERATED_VALUE. So an malicious attacker could generate arbitrary quote data which was not detected by tpm2 checkquote.

Fixes: CVE-2024-29038

Signed-off-by: Juergen Repp
---
 tools/misc/tpm2_checkquote.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
index 8a2a154e..5083d855 100644
--- a/tools/misc/tpm2_checkquote.c
+++ b/tools/misc/tpm2_checkquote.c
@@ -146,6 +146,13 @@ static bool verify(void) {
         goto err;
     }
 
+    // check magic
+    if (ctx.attest.magic != TPM2_GENERATED_VALUE) {
+        LOG_ERR("Bad magic, got: 0x%x, expected: 0x%x",
+            ctx.attest.magic, TPM2_GENERATED_VALUE);
+        return false;
+    }
+
     // Also ensure digest from quote matches PCR digest
     if (ctx.flags.pcr) {
         if (!tpm2_util_verify_digests(&ctx.attest.attested.quote.pcrDigest,
-- 
2.45.2
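Review bot: The new magic check bails out with `return false;` while the failure path immediately above it uses `goto err;`, so whatever cleanup the `err:` label performs (outside this hunk, as is the rest of verify()) is skipped on a bad magic; for consistency and to avoid leaking resources acquired earlier in verify(), make it `goto err;`. A forged attest can also pass the magic check while carrying a type other than TPM2_ST_ATTEST_QUOTE, in which case the `ctx.attest.attested.quote.pcrDigest` read a few lines below interprets the wrong union member; unless another patch in this series covers it, add `if (ctx.attest.type != TPM2_ST_ATTEST_QUOTE) { LOG_ERR("Not a quote, type: 0x%x", ctx.attest.type); goto err; }` right after the magic check. Since magic is a fixed-width 32-bit field, `"0x%" PRIx32` from <inttypes.h> is the exact specifier; `%x` happens to work where unsigned int is 32 bits but is not guaranteed to match.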