!37 [sync] PR-34: Fix CVE-2023--1018 and CVE-2023-1017

From: @openeuler-sync-bot Reviewed-by: @yezengruan Signed-off-by: @yezengruan
2023-05-17 12:54:26 +00:00 · 2023-05-17 12:54:26 +00:00 · 7c82545233
commit 7c82545233
parent cc00c28a1c e779342288
2 changed files with 55 additions and 1 deletions
--- a/libtpms.spec
+++ b/libtpms.spec
@ -6,7 +6,7 @@

 %define name      libtpms
 %define versionx  0.7.3
-%define release   7
+%define release   8

 # Valid crypto subsystems are 'freebl' and 'openssl'
 %if "%{?crypto_subsystem}" == ""
@ -40,6 +40,7 @@ Patch10: tpm2-NVMarshal-Handle-index-orderly-RAM-without-0-si.patch
 Patch11: tpm2-Reset-TPM2B-buffer-sizes-after-test-fails-for-v.patch
 Patch12: tpm2-Add-maxSize-parameter-to-TPM2B_Marshal-for-sani.patch
 Patch13: tpm2-Restore-original-value-if-unmarsalled-value-was.patch
+Patch14: tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch

 %if "%{crypto_subsystem}" == "openssl"
 BuildRequires:  openssl-devel
@ -132,6 +133,9 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libtpms.la
 %postun -p /sbin/ldconfig

 %changelog
+* Wed May 17 2023 jiangfangjie <jiangfangjie@huawei.com> - 0.7.3-8
+- fix CVE-2023--1018 and CVE-2023-1017
+
 * Wed May 18 2022 yezengruan <yezengruan@huawei.com> - 0.7.3-7
 - tpm2: Reset TPM2B buffer sizes after test fails for valid buffer size
 - tpm2: Add maxSize parameter to TPM2B_Marshal for sanity checks
--- a/tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
+++ b/tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
@ -0,0 +1,50 @@
+From 9beadbbf256c5d08511b9fc286ab47626039d6db Mon Sep 17 00:00:00 2001
+From: jiangfangjie 00559066 <jiangfangjie@huawei.com>
+Date: Tue, 7 Mar 2023 13:18:44 +0800
+Subject: [PATCH] tpm2: Check size of buffer before accessing it (CVE-2023-1017
+ & -1018) Check that there are sufficient bytes in the buffer before reading
+ the cipherSize from it. Also, reduce the bufferSize variable by the number of
+ bytes that make up the cipherSize to avoid reading and writing bytes beyond
+ the buffer in subsequent steps that do in-place decryption.
+
+This fixes CVE-2023-1017 & CVE-2023-1018.
+
+Signed-off-by: jiangfangjie <jiangfangjie@huawei.com>
+---
+ src/tpm2/CryptUtil.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
+index 002fde0..9b7d56e 100644
+--- a/src/tpm2/CryptUtil.c
+++ b/src/tpm2/CryptUtil.c
+@@ -830,6 +830,10 @@ CryptParameterDecryption(
+ 			  + sizeof(session->sessionKey.t.buffer)));
+     TPM2B_HMAC_KEY          key;            // decryption key
+     UINT32                  cipherSize = 0; // size of cipher text
+
+	if (leadingSizeInByte > bufferSize)
+	return TPM_RC_INSUFFICIENT;
+
+     // Retrieve encrypted data size.
+     if(leadingSizeInByte == 2)
+ 	{
+@@ -837,6 +841,7 @@ CryptParameterDecryption(
+ 	    // data to be decrypted
+ 	    cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
+ 	    buffer = &buffer[2];   // advance the buffer
+		bufferSize -= 2;
+ 	}
+ #ifdef  TPM4B
+     else if(leadingSizeInByte == 4)
+@@ -844,6 +849,7 @@ CryptParameterDecryption(
+ 	    // the leading size is four bytes so get the four byte size field
+ 	    cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
+ 	    buffer = &buffer[4];   //advance pointer
+		bufferSize -= 4;
+ 	}
+ #endif
+     else
+-- 
+2.21.0.windows.1
+