tpm2: Initialize a whole OBJECT before using it and NVMarshal: Handle index orderly RAM without 0-sized

terminating node fix CVE-2021-3746 Signed-off-by: jiangfangjie <jiangfangjie@huawei.com> Signed-off-by: yezengruan <yezengruan@huawei.com> (cherry picked from commit 0bf6927a2899a9ff18d5bada3f5574fbe7f02b62)
2021-11-10 17:37:04 +08:00 · 2021-11-10 17:37:04 +08:00 · 384d9de9a1
commit 384d9de9a1
parent c768c3b62b
3 changed files with 102 additions and 4 deletions
--- a/libtpms.spec
+++ b/libtpms.spec
@ -6,7 +6,7 @@
 %define name      libtpms
 %define versionx  0.7.3
-%define release   5
+%define release   6
 # Valid crypto subsystems are 'freebl' and 'openssl'
 %if "%{?crypto_subsystem}" == ""
@ -19,7 +19,7 @@
 Summary: Library providing Trusted Platform Module (TPM) functionality
 Name:           %{name}
 Version:        %{versionx}
-Release:        4
+Release:        %{release}
 License:        BSD
 Group:          Development/Libraries
 Url:            http://github.com/stefanberger/libtpms
@ -34,6 +34,8 @@ Patch4: tpm2-rev155-Add-new-RsaAdjustPrimeCandidate-code.patch
 Patch5: tpm2-Introduce-SEED_COMPAT_LEVEL_RSA_PRIME_ADJUST_FI.patch
 Patch6: tpm2-Pass-SEED_COMPAT_LEVEL-to-CryptAdjustPrimeCandi.patch
 Patch7: tpm2-Activate-SEED_COMPAT_LEVEL_RSA_PRIME_ADJUST_FIX.patch
 Patch8: tpm2-Initialize-a-whole-OBJECT-before-using-it.patch
 Patch9: tpm2-NVMarshal-Handle-index-orderly-RAM-without-0-si.patch
 %if "%{crypto_subsystem}" == "openssl"
 BuildRequires:  openssl-devel
@ -126,9 +128,15 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libtpms.la
 %postun -p /sbin/ldconfig
 %changelog
-* Mon Feb 14 2022 imxcc <xingchaochao@huawei.com> - 0.7.3-5
+* Mon Feb 14 2022 imxcc <xingchaochao@huawei.com> - 0.7.3-6
 - fix bare word "debug" in spec
 * Wed Nov 10 2021 jiangfangjie <jiangfangjie@huawei.com> - 0.7.3-5
 -TYPE: CVE
 -ID:NA
 -ID:NA
 -DESC: fix CVE-2021-3746
 * Tue May 11 2021 jiangfangjie <jiangfangjie@huawei.com> - 0.7.3-4
 -TYPE: CVE
 -ID:NA
--- a/tpm2-Initialize-a-whole-OBJECT-before-using-it.patch
+++ b/tpm2-Initialize-a-whole-OBJECT-before-using-it.patch
@ -0,0 +1,34 @@
 From ea62fd9679f8c6fc5e79471b33cfbd8227bfed72 Mon Sep 17 00:00:00 2001
 From: Stefan Berger <stefanb@linux.vnet.ibm.com>
 Date: Thu, 22 Jul 2021 21:23:58 -0400
 Subject: [PATCH] tpm2: Initialize a whole OBJECT before using it
 Initialize a whole OBJECT before using it. This is necessary since
 an OBJECT may also be used as a HASH_OBJECT via the ANY_OBJECT
 union and that HASH_OBJECT can leave bad size inidicators in TPM2B
 buffer in the OBJECT. To get rid of this problem we reset the whole
 OBJECT to 0 before using it. This is as if the memory for the
 OBJECT was just initialized.
 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 ---
 src/tpm2/Object.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/src/tpm2/Object.c b/src/tpm2/Object.c
 index ab50348..967105f 100644
 --- a/src/tpm2/Object.c
 +++ b/src/tpm2/Object.c
@@ -284,7 +284,8 @@ FindEmptyObjectSlot(
 		    if(handle)
 			*handle = i + TRANSIENT_FIRST;
 		    // Initialize the object attributes
 -		    MemorySet(&object->attributes, 0, sizeof(OBJECT_ATTRIBUTES));
 +		    // MemorySet(&object->attributes, 0, sizeof(OBJECT_ATTRIBUTES));
 +		    MemorySet(object, 0, sizeof(*object)); // libtpms added: Initialize the whole object
 		    return object;
 		}
 	}
 -- 
 2.21.0.windows.1
--- a/tpm2-NVMarshal-Handle-index-orderly-RAM-without-0-si.patch
+++ b/tpm2-NVMarshal-Handle-index-orderly-RAM-without-0-si.patch
@ -0,0 +1,56 @@
 From 1fb6cd9b8df05b5d6e381b31215193d6ada969df Mon Sep 17 00:00:00 2001
 From: Stefan Berger <stefanb@linux.vnet.ibm.com>
 Date: Fri, 23 Jul 2021 13:29:00 -0400
 Subject: [PATCH] tpm2: NVMarshal: Handle index orderly RAM without 0-sized
 terminating node
 The NVRAM entries in s_indexOrderlyRam array do not need to contain a
 0-sized terminating node. Instead, the entries may fill up this 512
 byte array so that no NV_RAM_HEADER structure fits anymore. The fact
 that no more NV_RAM_HEADER structure fits is also an indicator for the
 last entry. We need to account for this in the code marshalling and
 unmarshalling the entries so that we stop marshalling the entries
 then and similarly stop unmarshalling.
 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 ---
 src/tpm2/NVMarshal.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 diff --git a/src/tpm2/NVMarshal.c b/src/tpm2/NVMarshal.c
 index 2b2d84a..430f481 100644
 --- a/src/tpm2/NVMarshal.c
 +++ b/src/tpm2/NVMarshal.c
@@ -4103,6 +4103,12 @@ INDEX_ORDERLY_RAM_Marshal(void *array, size_t array_size,
                                      datasize, buffer, size);
         }
         offset += nrh.size;
 +        if (offset + sizeof(NV_RAM_HEADER) > array_size) {
 +            /* nothing will fit anymore and there won't be a 0-sized
 +             * terminating node (@1).
 +             */
 +            break;
 +        }
     }
     written += BLOCK_SKIP_WRITE_PUSH(TRUE, buffer, size);
@@ -4144,6 +4150,16 @@ INDEX_ORDERLY_RAM_Unmarshal(void *array, size_t array_size,
          */
         nrhp = array + offset;
 +        if (offset + sizeof(NV_RAM_HEADER) > sourceside_size) {
 +            /* this case can occur with the previous entry filling up the
 +             * space; in this case there will not be a 0-sized terminating
 +             * node (see @1 above). We clear the rest of our space.
 +             */
 +            if (array_size > offset)
 +                memset(nrhp, 0, array_size - offset);
 +            break;
 +        }
 +
         /* write the NVRAM header;
            nrh->size holds the complete size including data;
            nrh->size = 0 indicates the end */
 -- 
 2.21.0.windows.1