Backport fixes from upstream

Resolves: CVE-2023-22745
Resolves: rhbz#2160302
Resolves: rhbz#2162611

Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
Štěpán Horáček 2023-07-10 11:46:45 +02:00
parent 1525606f19
commit 1362aab239
6 changed files with 307 additions and 1 deletions


@ -0,0 +1,39 @@
From 285667d640b8dd7d2d80e0c5d5fcc44f6abad442 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Mon, 27 Apr 2020 16:33:16 +0200
Subject: [PATCH 1/4] ESYS: Fix initialization of app data in Esys_Initialize
(Fixes #1704).
An unintended free of the tcti parameter in cleanup was possible.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-esys/esys_context.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/tss2-esys/esys_context.c b/src/tss2-esys/esys_context.c
index b912a688..150a3495 100644
--- a/src/tss2-esys/esys_context.c
+++ b/src/tss2-esys/esys_context.c
@@ -54,15 +54,15 @@ Esys_Initialize(ESYS_CONTEXT ** esys_context, TSS2_TCTI_CONTEXT * tcti,
*esys_context = calloc(1, sizeof(ESYS_CONTEXT));
return_if_null(*esys_context, "Out of memory.", TSS2_ESYS_RC_MEMORY);
+ /* Store the application provided tcti to be return on Esys_GetTcti(). */
+ (*esys_context)->tcti_app_param = tcti;
+
/* Allocate memory for the SYS context */
syssize = Tss2_Sys_GetContextSize(0);
(*esys_context)->sys = calloc(1, syssize);
goto_if_null((*esys_context)->sys, "Error: During malloc.",
TSS2_ESYS_RC_MEMORY, cleanup_return);
- /* Store the application provided tcti to be return on Esys_GetTcti(). */
- (*esys_context)->tcti_app_param = tcti;
-
/* If no tcti was provided, initialize the default one. */
if (tcti == NULL) {
r = Tss2_TctiLdr_Initialize (NULL, &tcti);
--
2.41.0
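Review bot: The relocated comment above `(*esys_context)->tcti_app_param = tcti;` says what the field is for, but not why the store must precede the first `goto_if_null(..., cleanup_return)`. That ordering is the whole fix, and a later tidy-up could move the assignment back. The cleanup label is outside the hunk, so this is inferred from the patch description: cleanup presumably uses `tcti_app_param` to decide whether the tcti belongs to the caller. I would reword the comment along the lines of `/* Record the caller's tcti before any jump to cleanup_return, so cleanup never frees a tcti the application owns. */`, which also fixes the "to be return on" wording.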


@ -0,0 +1,139 @@
From 79f62668a31a2da938f83d534a49ad7f9bc144ca Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Thu, 19 Jan 2023 11:53:06 -0600
Subject: [PATCH] tss2_rc: ensure layer number is in bounds
The layer handler array was defined as 255, the max number of uint8,
which is the size of the layer field, however valid values are 0-255
allowing for 256 possibilities and thus the array was off by one and
needed to be sized to 256 entries. Update the size and add tests.
Note: previous implementations incorrectly dropped bits on unknown error
output, ie TSS2_RC of 0xFFFFFF should yeild a string of 255:0xFFFFFF,
but earlier implementations returned 255:0xFFFF, dropping the middle
bits, this patch fixes that.
Fixes: CVE-2023-22745
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-rc/tss2_rc.c | 31 +++++++++++++++++++++----------
test/unit/test_tss2_rc.c | 21 ++++++++++++++++++++-
2 files changed, 41 insertions(+), 11 deletions(-)
diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c
index 93743048..0a64958f 100644
--- a/src/tss2-rc/tss2_rc.c
+++ b/src/tss2-rc/tss2_rc.c
@@ -1,5 +1,8 @@
/* SPDX-License-Identifier: BSD-2-Clause */
-
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include <assert.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
@@ -777,7 +780,7 @@ sys_err_handler (TSS2_RC rc)
static struct {
char name[TSS2_ERR_LAYER_NAME_MAX];
TSS2_RC_HANDLER handler;
-} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT] = {
+} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1] = {
ADD_HANDLER("tpm" , tpm2_ehandler),
ADD_NULL_HANDLER, /* layer 1 is unused */
ADD_NULL_HANDLER, /* layer 2 is unused */
@@ -812,7 +815,7 @@ unknown_layer_handler(TSS2_RC rc)
static __thread char buf[32];
clearbuf(buf);
- catbuf(buf, "0x%X", tpm2_error_get(rc));
+ catbuf(buf, "0x%X", rc);
return buf;
}
@@ -909,19 +912,27 @@ Tss2_RC_Decode(TSS2_RC rc)
catbuf(buf, "%u:", layer);
}
- handler = !handler ? unknown_layer_handler : handler;
-
/*
* Handlers only need the error bits. This way they don't
* need to concern themselves with masking off the layer
* bits or anything else.
*/
- UINT16 err_bits = tpm2_error_get(rc);
- const char *e = err_bits ? handler(err_bits) : "success";
- if (e) {
- catbuf(buf, "%s", e);
+ if (handler) {
+ UINT16 err_bits = tpm2_error_get(rc);
+ const char *e = err_bits ? handler(err_bits) : "success";
+ if (e) {
+ catbuf(buf, "%s", e);
+ } else {
+ catbuf(buf, "0x%X", err_bits);
+ }
} else {
- catbuf(buf, "0x%X", err_bits);
+ /*
+ * we don't want to drop any bits if we don't know what to do with it
+ * so drop the layer byte since we we already have that.
+ */
+ const char *e = unknown_layer_handler(rc >> 8);
+ assert(e);
+ catbuf(buf, "%s", e);
}
return buf;
diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c
index 1c8d66c9..9369beda 100644
--- a/test/unit/test_tss2_rc.c
+++ b/test/unit/test_tss2_rc.c
@@ -198,7 +198,7 @@ test_custom_handler(void **state)
* Test an unknown layer
*/
e = Tss2_RC_Decode(rc);
- assert_string_equal(e, "1:0x2A");
+ assert_string_equal(e, "1:0x100");
}
static void
@@ -281,6 +281,23 @@ test_tcti(void **state)
assert_string_equal(e, "tcti:Fails to connect to next lower layer");
}
+static void
+test_all_FFs(void **state)
+{
+ (void) state;
+
+ const char *e = Tss2_RC_Decode(0xFFFFFFFF);
+ assert_string_equal(e, "255:0xFFFFFF");
+}
+
+static void
+test_all_FFs_set_handler(void **state)
+{
+ (void) state;
+ Tss2_RC_SetHandler(0xFF, "garbage", custom_err_handler);
+ Tss2_RC_SetHandler(0xFF, NULL, NULL);
+}
+
/* link required symbol, but tpm2_tool.c declares it AND main, which
* we have a main below for cmocka tests.
*/
@@ -312,6 +329,8 @@ main(int argc, char* argv[])
cmocka_unit_test(test_esys),
cmocka_unit_test(test_mu),
cmocka_unit_test(test_tcti),
+ cmocka_unit_test(test_all_FFs),
+ cmocka_unit_test(test_all_FFs_set_handler)
};
return cmocka_run_group_tests(tests, NULL, NULL);
--
2.40.1
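Review bot: In the new unknown-layer branch of `Tss2_RC_Decode`, `unknown_layer_handler(rc >> 8)` discards the low eight bits of the response code, while the comment directly above says the intent is to drop the layer byte. The changed expectation in `test_custom_handler` (`"1:0x2A"` becoming `"1:0x100"`) suggests the printed value now repeats the layer number and loses the low error byte, though the rc that test passes is outside the hunk; `test_all_FFs` cannot show the difference because every bit is set. If the layer sits in bits 16-23, as the TSS2 headers define it, masking would match the comment: `const char *e = unknown_layer_handler(rc & ~TSS2_RC_LAYER_MASK);`, with the expected strings in both tests following whichever form is chosen. Separately, the bounds fix relies on `TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1` being 256; a `_Static_assert(sizeof(layer_handler) / sizeof(layer_handler[0]) == 256, "one slot per uint8_t layer");` after the table would stop a later change to that constant from reintroducing the out-of-bounds index.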


@ -0,0 +1,31 @@
From b94392537a1ed43918483a2bfa8a90e5fd05354d Mon Sep 17 00:00:00 2001
From: Stefan Thom <mail@LordOfDorks.com>
Date: Fri, 5 Jun 2020 12:11:39 -0700
Subject: [PATCH 2/4] esys: Shared secret calculation is not spec compliant.
Refer to specification part 1 Architecture, Section 20.1 AuditSession
Introduction: If the session was bound when created (see 19.6.10 and
19.6.12), the bind value is lost and any further use of the session for
authorization will require that the authValue be used in the HMAC.
Signed-off-by: Stefan Thom <mail@LordOfDorks.com>
---
src/tss2-esys/esys_tr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
index c9ea537a..d14c7d35 100644
--- a/src/tss2-esys/esys_tr.c
+++ b/src/tss2-esys/esys_tr.c
@@ -511,6 +511,8 @@ Esys_TRSess_SetAttributes(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle,
esys_object->rsrc.misc.rsrc_session.sessionAttributes =
(esys_object->rsrc.misc.rsrc_session.
sessionAttributes & ~mask) | (flags & mask);
+ if (esys_object->rsrc.misc.rsrc_session.sessionAttributes & TPMA_SESSION_AUDIT)
+ esys_object->rsrc.misc.rsrc_session.bound_entity.size = 0;
return TSS2_RC_SUCCESS;
}
--
2.41.0
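Review bot: The two lines added at the end of `Esys_TRSess_SetAttributes` clear `bound_entity.size` without a comment, so the reason exists only in the patch description. A short comment on the new `if` would keep the spec reference with the code, for example `/* TPM 2.0 Part 1, 20.1: an audit session loses its bind value; later HMACs must use the authValue. */`. The condition tests the resulting `sessionAttributes`, not `flags & mask`, so the size is cleared on every call while `TPMA_SESSION_AUDIT` is set; that looks intended but is worth stating in the same comment. The `if` body would also be safer in braces, since it guards a security-relevant state change.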


@ -0,0 +1,45 @@
From 7a56b84b5990b07efd30b5bf79331c74d28df954 Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Mon, 22 Mar 2021 16:43:36 -0700
Subject: [PATCH 3/4] esys_iutil.c: Fix issue where nonceTPM was included twice
in hmac
Fixes #2037
TPM2.0 Architecture 19.6.5 Note 7
If the same session (not the first session) is used for decrypt and
encrypt, its nonceTPM is only used once. If different sessions are
used for decrypt and encrypt, both nonceTPMs are included.
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
src/tss2-esys/esys_iutil.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c
index 08a9b7df..1910c570 100644
--- a/src/tss2-esys/esys_iutil.c
+++ b/src/tss2-esys/esys_iutil.c
@@ -1265,6 +1265,18 @@ iesys_gen_auths(ESYS_CONTEXT * esys_context,
&encryptNonce);
return_if_error(r, "More than one crypt session");
+ /*
+ * TPM2.0 Architecture 19.6.5 Note 7
+ *
+ * If the same session (not the first session) is used for decrypt and
+ * encrypt, its nonceTPM is only used once. If different sessions are used
+ * for decrypt and encrypt, both nonceTPMs are included
+ */
+ if (decryptNonceIdx && (decryptNonceIdx == encryptNonceIdx)) {
+ decryptNonceIdx = 0;
+ }
+
+
/* Compute cp hash values for command buffer for all used algorithms */
r = iesys_compute_cp_hashtab(esys_context,
--
2.41.0
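Review bot: The block added to `iesys_gen_auths` resets only `decryptNonceIdx`, so the fix works only if the HMAC computation further down selects the decrypt nonce by that index and not by the `decryptNonce` pointer. That code is outside the hunk. Because this 2021 patch is being applied on top of 2.3.2, it is worth confirming that the later code in this tree reads the index in the way the upstream base did. The comment could also say what the reset means, e.g. `/* index 0 (first session / none): decryptNonce is not added a second time */`, since the zero value appears to serve as both the first-session index and the sentinel for "skip".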


@ -0,0 +1,42 @@
From 3a540d570d265c80dca31bfec23d267cdfa1c294 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Mon, 12 Jul 2021 10:52:53 +0200
Subject: [PATCH 4/4] ESYS: Fix buffer overflow in xor parameter obfuscation.
If trace is activated LOGBLOB_TRACE is called with a wrong pointer to display
the obfuscated data. Fixes #2115.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
src/tss2-esys/esys_crypto.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/tss2-esys/esys_crypto.c b/src/tss2-esys/esys_crypto.c
index aef3e50b..a2b7b937 100644
--- a/src/tss2-esys/esys_crypto.c
+++ b/src/tss2-esys/esys_crypto.c
@@ -499,6 +499,7 @@ iesys_xor_parameter_obfuscation(TPM2_ALG_ID hash_alg,
size_t data_size_bits = data_size * 8;
size_t rest_size = data_size;
BYTE *kdfa_byte_ptr;
+ BYTE *data_start = data;
if (key == NULL || data == NULL) {
LOG_ERROR("Bad reference");
@@ -514,11 +515,11 @@ iesys_xor_parameter_obfuscation(TPM2_ALG_ID hash_alg,
return_if_error(r, "iesys_crypto_KDFa failed");
/* XOR next data sub block with KDFa result */
kdfa_byte_ptr = kdfa_result;
- LOGBLOB_TRACE(data, data_size, "Parameter data before XOR");
+ LOGBLOB_TRACE(data_start, data_size, "Parameter data before XOR");
for(size_t i = digest_size < rest_size ? digest_size : rest_size; i > 0;
i--)
*data++ ^= *kdfa_byte_ptr++;
- LOGBLOB_TRACE(data, data_size, "Parameter data after XOR");
+ LOGBLOB_TRACE(data_start, data_size, "Parameter data after XOR");
rest_size = rest_size < digest_size ? 0 : rest_size - digest_size;
}
return TSS2_RC_SUCCESS;
--
2.41.0
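Review bot: Both corrected `LOGBLOB_TRACE(data_start, data_size, ...)` calls remain inside what appears to be the per-block loop, so with tracing on the whole parameter buffer is dumped twice for every KDFa block. The loop header is outside the hunk; the closing brace after the `rest_size` update is what suggests it. Moving the "before XOR" call ahead of the loop and the "after XOR" call to just before `return TSS2_RC_SUCCESS;` would log each state once. One of the two dumps is always the clear parameter that this obfuscation exists to protect, so a comment such as `/* trace output contains the unprotected parameter; keep trace logging off in production */` next to the calls would help operators.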


@ -1,6 +1,6 @@
Name: tpm2-tss Name: tpm2-tss
Version: 2.3.2 Version: 2.3.2
Release: 4%{?dist} Release: 5%{?dist}
Summary: TPM2.0 Software Stack Summary: TPM2.0 Software Stack
# The entire source code is under BSD except implementation.h and tpmb.h which # The entire source code is under BSD except implementation.h and tpmb.h which
@ -26,6 +26,11 @@ Patch12: 0001-sys-match-counter-variable-type-for-cmdAuthsArray-co.patch
Patch13: 0001-Return-proper-error-code-on-memory-allocation-failur.patch Patch13: 0001-Return-proper-error-code-on-memory-allocation-failur.patch
Patch14: 0001-esys-fix-hmac-calculation-for-tpm2_clear-command.patch Patch14: 0001-esys-fix-hmac-calculation-for-tpm2_clear-command.patch
Patch15: 0001-tctildr-remove-the-private-implementation-of-strndup.patch Patch15: 0001-tctildr-remove-the-private-implementation-of-strndup.patch
Patch16: 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
Patch17: 0001-ESYS-Fix-initialization-of-app-data-in-Esys_Initiali.patch
Patch18: 0002-esys-Shared-secret-calculation-is-not-spec-compliant.patch
Patch19: 0003-esys_iutil.c-Fix-issue-where-nonceTPM-was-included-t.patch
Patch20: 0004-ESYS-Fix-buffer-overflow-in-xor-parameter-obfuscatio.patch
%global udevrules_prefix 60- %global udevrules_prefix 60-
@ -119,6 +124,11 @@ use tpm2-tss.
%postun -p /sbin/ldconfig %postun -p /sbin/ldconfig
%changelog %changelog
* Wed Jun 7 2023 Štěpán Horáček <shoracek@redhat.com> - 2.3.2-5
- Ensure layer number is in bounds
Resolves: rhbz#2160302
Resolves: rhbz#2162611
* Tue Apr 20 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 2.3.2-4 * Tue Apr 20 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 2.3.2-4
- Fix hmac calculation for tpm2_clear command. - Fix hmac calculation for tpm2_clear command.
- Remove private implementation of strndup. - Remove private implementation of strndup.