packages/libtpms
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!37 [sync] PR-34: Fix CVE-2023--1018 and CVE-2023-1017

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @yezengruan 
Signed-off-by: @yezengruan
This commit is contained in:
openeuler-ci-bot 2023-05-17 12:54:26 +00:00 committed by Gitee
commit 7c82545233
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 55 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
libtpms.spec
View File

@ -6,7 +6,7 @@
%define name libtpms %define name libtpms
%define versionx 0.7.3 %define versionx 0.7.3
%define release 7 %define release 8
# Valid crypto subsystems are 'freebl' and 'openssl' # Valid crypto subsystems are 'freebl' and 'openssl'
%if "%{?crypto_subsystem}" == "" %if "%{?crypto_subsystem}" == ""
@ -40,6 +40,7 @@ Patch10: tpm2-NVMarshal-Handle-index-orderly-RAM-without-0-si.patch
Patch11: tpm2-Reset-TPM2B-buffer-sizes-after-test-fails-for-v.patch Patch11: tpm2-Reset-TPM2B-buffer-sizes-after-test-fails-for-v.patch
Patch12: tpm2-Add-maxSize-parameter-to-TPM2B_Marshal-for-sani.patch Patch12: tpm2-Add-maxSize-parameter-to-TPM2B_Marshal-for-sani.patch
Patch13: tpm2-Restore-original-value-if-unmarsalled-value-was.patch Patch13: tpm2-Restore-original-value-if-unmarsalled-value-was.patch
Patch14: tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
%if "%{crypto_subsystem}" == "openssl" %if "%{crypto_subsystem}" == "openssl"
BuildRequires: openssl-devel BuildRequires: openssl-devel
@ -132,6 +133,9 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libtpms.la
%postun -p /sbin/ldconfig %postun -p /sbin/ldconfig
%changelog %changelog
* Wed May 17 2023 jiangfangjie <jiangfangjie@huawei.com> - 0.7.3-8
- fix CVE-2023--1018 and CVE-2023-1017
* Wed May 18 2022 yezengruan <yezengruan@huawei.com> - 0.7.3-7 * Wed May 18 2022 yezengruan <yezengruan@huawei.com> - 0.7.3-7
- tpm2: Reset TPM2B buffer sizes after test fails for valid buffer size - tpm2: Reset TPM2B buffer sizes after test fails for valid buffer size
- tpm2: Add maxSize parameter to TPM2B_Marshal for sanity checks - tpm2: Add maxSize parameter to TPM2B_Marshal for sanity checks

50
tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch Normal file
View File

@ -0,0 +1,50 @@
From 9beadbbf256c5d08511b9fc286ab47626039d6db Mon Sep 17 00:00:00 2001
From: jiangfangjie 00559066 <jiangfangjie@huawei.com>
Date: Tue, 7 Mar 2023 13:18:44 +0800
Subject: [PATCH] tpm2: Check size of buffer before accessing it (CVE-2023-1017
& -1018) Check that there are sufficient bytes in the buffer before reading
the cipherSize from it. Also, reduce the bufferSize variable by the number of
bytes that make up the cipherSize to avoid reading and writing bytes beyond
the buffer in subsequent steps that do in-place decryption.
This fixes CVE-2023-1017 & CVE-2023-1018.
Signed-off-by: jiangfangjie <jiangfangjie@huawei.com>
---
src/tpm2/CryptUtil.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
index 002fde0..9b7d56e 100644
--- a/src/tpm2/CryptUtil.c
+++ b/src/tpm2/CryptUtil.c
@@ -830,6 +830,10 @@ CryptParameterDecryption(
+ sizeof(session->sessionKey.t.buffer)));
TPM2B_HMAC_KEY key; // decryption key
UINT32 cipherSize = 0; // size of cipher text
+
+ if (leadingSizeInByte > bufferSize)
+ return TPM_RC_INSUFFICIENT;
+
// Retrieve encrypted data size.
if(leadingSizeInByte == 2)
{
@@ -837,6 +841,7 @@ CryptParameterDecryption(
// data to be decrypted
cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
buffer = &buffer[2]; // advance the buffer
+ bufferSize -= 2;
}
#ifdef TPM4B
else if(leadingSizeInByte == 4)
@@ -844,6 +849,7 @@ CryptParameterDecryption(
// the leading size is four bytes so get the four byte size field
cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
buffer = &buffer[4]; //advance pointer
+ bufferSize -= 4;
}
#endif
else
--
2.21.0.windows.1