From 3a540d570d265c80dca31bfec23d267cdfa1c294 Mon Sep 17 00:00:00 2001 From: Juergen Repp Date: Mon, 12 Jul 2021 10:52:53 +0200 Subject: [PATCH 4/4] ESYS: Fix buffer overflow in xor parameter obfuscation. If trace is activated LOGBLOB_TRACE is called with a wrong pointer to display the obfuscated data. Fixes #2115. Signed-off-by: Juergen Repp --- src/tss2-esys/esys_crypto.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/tss2-esys/esys_crypto.c b/src/tss2-esys/esys_crypto.c index aef3e50b..a2b7b937 100644 --- a/src/tss2-esys/esys_crypto.c +++ b/src/tss2-esys/esys_crypto.c @@ -499,6 +499,7 @@ iesys_xor_parameter_obfuscation(TPM2_ALG_ID hash_alg, size_t data_size_bits = data_size * 8; size_t rest_size = data_size; BYTE *kdfa_byte_ptr; + BYTE *data_start = data; if (key == NULL || data == NULL) { LOG_ERROR("Bad reference"); @@ -514,11 +515,11 @@ iesys_xor_parameter_obfuscation(TPM2_ALG_ID hash_alg, return_if_error(r, "iesys_crypto_KDFa failed"); /* XOR next data sub block with KDFa result */ kdfa_byte_ptr = kdfa_result; - LOGBLOB_TRACE(data, data_size, "Parameter data before XOR"); + LOGBLOB_TRACE(data_start, data_size, "Parameter data before XOR"); for(size_t i = digest_size < rest_size ? digest_size : rest_size; i > 0; i--) *data++ ^= *kdfa_byte_ptr++; - LOGBLOB_TRACE(data, data_size, "Parameter data after XOR"); + LOGBLOB_TRACE(data_start, data_size, "Parameter data after XOR"); rest_size = rest_size < digest_size ? 0 : rest_size - digest_size; } return TSS2_RC_SUCCESS; -- 2.41.0