Backport fixes from upstream
Resolves: CVE-2023-22745 Resolves: rhbz#2160302 Resolves: rhbz#2162611 Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
This commit is contained in:
parent
1525606f19
commit
1362aab239
@ -0,0 +1,39 @@
|
||||
From 285667d640b8dd7d2d80e0c5d5fcc44f6abad442 Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||
Date: Mon, 27 Apr 2020 16:33:16 +0200
|
||||
Subject: [PATCH 1/4] ESYS: Fix initialization of app data in Esys_Initialize
|
||||
(Fixes #1704).
|
||||
|
||||
An unintended free of the tcti parameter in cleanup was possible.
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||
---
|
||||
src/tss2-esys/esys_context.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-esys/esys_context.c b/src/tss2-esys/esys_context.c
|
||||
index b912a688..150a3495 100644
|
||||
--- a/src/tss2-esys/esys_context.c
|
||||
+++ b/src/tss2-esys/esys_context.c
|
||||
@@ -54,15 +54,15 @@ Esys_Initialize(ESYS_CONTEXT ** esys_context, TSS2_TCTI_CONTEXT * tcti,
|
||||
*esys_context = calloc(1, sizeof(ESYS_CONTEXT));
|
||||
return_if_null(*esys_context, "Out of memory.", TSS2_ESYS_RC_MEMORY);
|
||||
|
||||
+ /* Store the application provided tcti to be return on Esys_GetTcti(). */
|
||||
+ (*esys_context)->tcti_app_param = tcti;
|
||||
+
|
||||
/* Allocate memory for the SYS context */
|
||||
syssize = Tss2_Sys_GetContextSize(0);
|
||||
(*esys_context)->sys = calloc(1, syssize);
|
||||
goto_if_null((*esys_context)->sys, "Error: During malloc.",
|
||||
TSS2_ESYS_RC_MEMORY, cleanup_return);
|
||||
|
||||
- /* Store the application provided tcti to be return on Esys_GetTcti(). */
|
||||
- (*esys_context)->tcti_app_param = tcti;
|
||||
-
|
||||
/* If no tcti was provided, initialize the default one. */
|
||||
if (tcti == NULL) {
|
||||
r = Tss2_TctiLdr_Initialize (NULL, &tcti);
|
||||
--
|
||||
2.41.0
|
||||
|
139
0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
Normal file
139
0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
Normal file
@ -0,0 +1,139 @@
|
||||
From 79f62668a31a2da938f83d534a49ad7f9bc144ca Mon Sep 17 00:00:00 2001
|
||||
From: William Roberts <william.c.roberts@intel.com>
|
||||
Date: Thu, 19 Jan 2023 11:53:06 -0600
|
||||
Subject: [PATCH] tss2_rc: ensure layer number is in bounds
|
||||
|
||||
The layer handler array was defined as 255, the max number of uint8,
|
||||
which is the size of the layer field, however valid values are 0-255
|
||||
allowing for 256 possibilities and thus the array was off by one and
|
||||
needed to be sized to 256 entries. Update the size and add tests.
|
||||
|
||||
Note: previous implementations incorrectly dropped bits on unknown error
|
||||
output, ie TSS2_RC of 0xFFFFFF should yeild a string of 255:0xFFFFFF,
|
||||
but earlier implementations returned 255:0xFFFF, dropping the middle
|
||||
bits, this patch fixes that.
|
||||
|
||||
Fixes: CVE-2023-22745
|
||||
|
||||
Signed-off-by: William Roberts <william.c.roberts@intel.com>
|
||||
---
|
||||
src/tss2-rc/tss2_rc.c | 31 +++++++++++++++++++++----------
|
||||
test/unit/test_tss2_rc.c | 21 ++++++++++++++++++++-
|
||||
2 files changed, 41 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c
|
||||
index 93743048..0a64958f 100644
|
||||
--- a/src/tss2-rc/tss2_rc.c
|
||||
+++ b/src/tss2-rc/tss2_rc.c
|
||||
@@ -1,5 +1,8 @@
|
||||
/* SPDX-License-Identifier: BSD-2-Clause */
|
||||
-
|
||||
+#ifdef HAVE_CONFIG_H
|
||||
+#include "config.h"
|
||||
+#endif
|
||||
+#include <assert.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdbool.h>
|
||||
#include <stdio.h>
|
||||
@@ -777,7 +780,7 @@ sys_err_handler (TSS2_RC rc)
|
||||
static struct {
|
||||
char name[TSS2_ERR_LAYER_NAME_MAX];
|
||||
TSS2_RC_HANDLER handler;
|
||||
-} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT] = {
|
||||
+} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1] = {
|
||||
ADD_HANDLER("tpm" , tpm2_ehandler),
|
||||
ADD_NULL_HANDLER, /* layer 1 is unused */
|
||||
ADD_NULL_HANDLER, /* layer 2 is unused */
|
||||
@@ -812,7 +815,7 @@ unknown_layer_handler(TSS2_RC rc)
|
||||
static __thread char buf[32];
|
||||
|
||||
clearbuf(buf);
|
||||
- catbuf(buf, "0x%X", tpm2_error_get(rc));
|
||||
+ catbuf(buf, "0x%X", rc);
|
||||
|
||||
return buf;
|
||||
}
|
||||
@@ -909,19 +912,27 @@ Tss2_RC_Decode(TSS2_RC rc)
|
||||
catbuf(buf, "%u:", layer);
|
||||
}
|
||||
|
||||
- handler = !handler ? unknown_layer_handler : handler;
|
||||
-
|
||||
/*
|
||||
* Handlers only need the error bits. This way they don't
|
||||
* need to concern themselves with masking off the layer
|
||||
* bits or anything else.
|
||||
*/
|
||||
- UINT16 err_bits = tpm2_error_get(rc);
|
||||
- const char *e = err_bits ? handler(err_bits) : "success";
|
||||
- if (e) {
|
||||
- catbuf(buf, "%s", e);
|
||||
+ if (handler) {
|
||||
+ UINT16 err_bits = tpm2_error_get(rc);
|
||||
+ const char *e = err_bits ? handler(err_bits) : "success";
|
||||
+ if (e) {
|
||||
+ catbuf(buf, "%s", e);
|
||||
+ } else {
|
||||
+ catbuf(buf, "0x%X", err_bits);
|
||||
+ }
|
||||
} else {
|
||||
- catbuf(buf, "0x%X", err_bits);
|
||||
+ /*
|
||||
+ * we don't want to drop any bits if we don't know what to do with it
|
||||
+ * so drop the layer byte since we we already have that.
|
||||
+ */
|
||||
+ const char *e = unknown_layer_handler(rc >> 8);
|
||||
+ assert(e);
|
||||
+ catbuf(buf, "%s", e);
|
||||
}
|
||||
|
||||
return buf;
|
||||
diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c
|
||||
index 1c8d66c9..9369beda 100644
|
||||
--- a/test/unit/test_tss2_rc.c
|
||||
+++ b/test/unit/test_tss2_rc.c
|
||||
@@ -198,7 +198,7 @@ test_custom_handler(void **state)
|
||||
* Test an unknown layer
|
||||
*/
|
||||
e = Tss2_RC_Decode(rc);
|
||||
- assert_string_equal(e, "1:0x2A");
|
||||
+ assert_string_equal(e, "1:0x100");
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -281,6 +281,23 @@ test_tcti(void **state)
|
||||
assert_string_equal(e, "tcti:Fails to connect to next lower layer");
|
||||
}
|
||||
|
||||
+static void
|
||||
+test_all_FFs(void **state)
|
||||
+{
|
||||
+ (void) state;
|
||||
+
|
||||
+ const char *e = Tss2_RC_Decode(0xFFFFFFFF);
|
||||
+ assert_string_equal(e, "255:0xFFFFFF");
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+test_all_FFs_set_handler(void **state)
|
||||
+{
|
||||
+ (void) state;
|
||||
+ Tss2_RC_SetHandler(0xFF, "garbage", custom_err_handler);
|
||||
+ Tss2_RC_SetHandler(0xFF, NULL, NULL);
|
||||
+}
|
||||
+
|
||||
/* link required symbol, but tpm2_tool.c declares it AND main, which
|
||||
* we have a main below for cmocka tests.
|
||||
*/
|
||||
@@ -312,6 +329,8 @@ main(int argc, char* argv[])
|
||||
cmocka_unit_test(test_esys),
|
||||
cmocka_unit_test(test_mu),
|
||||
cmocka_unit_test(test_tcti),
|
||||
+ cmocka_unit_test(test_all_FFs),
|
||||
+ cmocka_unit_test(test_all_FFs_set_handler)
|
||||
};
|
||||
|
||||
return cmocka_run_group_tests(tests, NULL, NULL);
|
||||
--
|
||||
2.40.1
|
||||
|
@ -0,0 +1,31 @@
|
||||
From b94392537a1ed43918483a2bfa8a90e5fd05354d Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Thom <mail@LordOfDorks.com>
|
||||
Date: Fri, 5 Jun 2020 12:11:39 -0700
|
||||
Subject: [PATCH 2/4] esys: Shared secret calculation is not spec compliant.
|
||||
|
||||
Refer to specification part 1 Architecture, Section 20.1 AuditSession
|
||||
Introduction: If the session was bound when created (see 19.6.10 and
|
||||
19.6.12), the bind value is lost and any further use of the session for
|
||||
authorization will require that the authValue be used in the HMAC.
|
||||
|
||||
Signed-off-by: Stefan Thom <mail@LordOfDorks.com>
|
||||
---
|
||||
src/tss2-esys/esys_tr.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
|
||||
index c9ea537a..d14c7d35 100644
|
||||
--- a/src/tss2-esys/esys_tr.c
|
||||
+++ b/src/tss2-esys/esys_tr.c
|
||||
@@ -511,6 +511,8 @@ Esys_TRSess_SetAttributes(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle,
|
||||
esys_object->rsrc.misc.rsrc_session.sessionAttributes =
|
||||
(esys_object->rsrc.misc.rsrc_session.
|
||||
sessionAttributes & ~mask) | (flags & mask);
|
||||
+ if (esys_object->rsrc.misc.rsrc_session.sessionAttributes & TPMA_SESSION_AUDIT)
|
||||
+ esys_object->rsrc.misc.rsrc_session.bound_entity.size = 0;
|
||||
return TSS2_RC_SUCCESS;
|
||||
}
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,45 @@
|
||||
From 7a56b84b5990b07efd30b5bf79331c74d28df954 Mon Sep 17 00:00:00 2001
|
||||
From: Imran Desai <imran.desai@intel.com>
|
||||
Date: Mon, 22 Mar 2021 16:43:36 -0700
|
||||
Subject: [PATCH 3/4] esys_iutil.c: Fix issue where nonceTPM was included twice
|
||||
in hmac
|
||||
|
||||
Fixes #2037
|
||||
|
||||
TPM2.0 Architecture 19.6.5 Note 7
|
||||
|
||||
If the same session (not the first session) is used for decrypt and
|
||||
encrypt, its nonceTPM is only used once. If different sessions are
|
||||
used for decrypt and encrypt, both nonceTPMs are included.
|
||||
|
||||
Signed-off-by: Imran Desai <imran.desai@intel.com>
|
||||
---
|
||||
src/tss2-esys/esys_iutil.c | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c
|
||||
index 08a9b7df..1910c570 100644
|
||||
--- a/src/tss2-esys/esys_iutil.c
|
||||
+++ b/src/tss2-esys/esys_iutil.c
|
||||
@@ -1265,6 +1265,18 @@ iesys_gen_auths(ESYS_CONTEXT * esys_context,
|
||||
&encryptNonce);
|
||||
return_if_error(r, "More than one crypt session");
|
||||
|
||||
+ /*
|
||||
+ * TPM2.0 Architecture 19.6.5 Note 7
|
||||
+ *
|
||||
+ * If the same session (not the first session) is used for decrypt and
|
||||
+ * encrypt, its nonceTPM is only used once. If different sessions are used
|
||||
+ * for decrypt and encrypt, both nonceTPMs are included
|
||||
+ */
|
||||
+ if (decryptNonceIdx && (decryptNonceIdx == encryptNonceIdx)) {
|
||||
+ decryptNonceIdx = 0;
|
||||
+ }
|
||||
+
|
||||
+
|
||||
/* Compute cp hash values for command buffer for all used algorithms */
|
||||
|
||||
r = iesys_compute_cp_hashtab(esys_context,
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,42 @@
|
||||
From 3a540d570d265c80dca31bfec23d267cdfa1c294 Mon Sep 17 00:00:00 2001
|
||||
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||
Date: Mon, 12 Jul 2021 10:52:53 +0200
|
||||
Subject: [PATCH 4/4] ESYS: Fix buffer overflow in xor parameter obfuscation.
|
||||
|
||||
If trace is activated LOGBLOB_TRACE is called with a wrong pointer to display
|
||||
the obfuscated data. Fixes #2115.
|
||||
|
||||
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
|
||||
---
|
||||
src/tss2-esys/esys_crypto.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/tss2-esys/esys_crypto.c b/src/tss2-esys/esys_crypto.c
|
||||
index aef3e50b..a2b7b937 100644
|
||||
--- a/src/tss2-esys/esys_crypto.c
|
||||
+++ b/src/tss2-esys/esys_crypto.c
|
||||
@@ -499,6 +499,7 @@ iesys_xor_parameter_obfuscation(TPM2_ALG_ID hash_alg,
|
||||
size_t data_size_bits = data_size * 8;
|
||||
size_t rest_size = data_size;
|
||||
BYTE *kdfa_byte_ptr;
|
||||
+ BYTE *data_start = data;
|
||||
|
||||
if (key == NULL || data == NULL) {
|
||||
LOG_ERROR("Bad reference");
|
||||
@@ -514,11 +515,11 @@ iesys_xor_parameter_obfuscation(TPM2_ALG_ID hash_alg,
|
||||
return_if_error(r, "iesys_crypto_KDFa failed");
|
||||
/* XOR next data sub block with KDFa result */
|
||||
kdfa_byte_ptr = kdfa_result;
|
||||
- LOGBLOB_TRACE(data, data_size, "Parameter data before XOR");
|
||||
+ LOGBLOB_TRACE(data_start, data_size, "Parameter data before XOR");
|
||||
for(size_t i = digest_size < rest_size ? digest_size : rest_size; i > 0;
|
||||
i--)
|
||||
*data++ ^= *kdfa_byte_ptr++;
|
||||
- LOGBLOB_TRACE(data, data_size, "Parameter data after XOR");
|
||||
+ LOGBLOB_TRACE(data_start, data_size, "Parameter data after XOR");
|
||||
rest_size = rest_size < digest_size ? 0 : rest_size - digest_size;
|
||||
}
|
||||
return TSS2_RC_SUCCESS;
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,6 +1,6 @@
|
||||
Name: tpm2-tss
|
||||
Version: 2.3.2
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
Summary: TPM2.0 Software Stack
|
||||
|
||||
# The entire source code is under BSD except implementation.h and tpmb.h which
|
||||
@ -26,6 +26,11 @@ Patch12: 0001-sys-match-counter-variable-type-for-cmdAuthsArray-co.patch
|
||||
Patch13: 0001-Return-proper-error-code-on-memory-allocation-failur.patch
|
||||
Patch14: 0001-esys-fix-hmac-calculation-for-tpm2_clear-command.patch
|
||||
Patch15: 0001-tctildr-remove-the-private-implementation-of-strndup.patch
|
||||
Patch16: 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
|
||||
Patch17: 0001-ESYS-Fix-initialization-of-app-data-in-Esys_Initiali.patch
|
||||
Patch18: 0002-esys-Shared-secret-calculation-is-not-spec-compliant.patch
|
||||
Patch19: 0003-esys_iutil.c-Fix-issue-where-nonceTPM-was-included-t.patch
|
||||
Patch20: 0004-ESYS-Fix-buffer-overflow-in-xor-parameter-obfuscatio.patch
|
||||
|
||||
%global udevrules_prefix 60-
|
||||
|
||||
@ -119,6 +124,11 @@ use tpm2-tss.
|
||||
%postun -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Wed Jun 7 2023 Štěpán Horáček <shoracek@redhat.com> - 2.3.2-5
|
||||
- Ensure layer number is in bounds
|
||||
Resolves: rhbz#2160302
|
||||
Resolves: rhbz#2162611
|
||||
|
||||
* Tue Apr 20 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 2.3.2-4
|
||||
- Fix hmac calculation for tpm2_clear command.
|
||||
- Remove private implementation of strndup.
|
||||
|
Loading…
Reference in New Issue
Block a user