Fix CVE-2023--1018 and CVE-2023-1017

(cherry picked from commit 899999ff567fa4c5c2b4edc8c95eebd8d070df8b)
jiangfangjie 2023-05-17 15:54:25 +08:00 committed by openeuler-sync-bot
parent cc00c28a1c
commit e779342288
2 changed files with 55 additions and 1 deletions


@ -6,7 +6,7 @@
%define name libtpms %define name libtpms
%define versionx 0.7.3 %define versionx 0.7.3
%define release 7 %define release 8
# Valid crypto subsystems are 'freebl' and 'openssl' # Valid crypto subsystems are 'freebl' and 'openssl'
%if "%{?crypto_subsystem}" == "" %if "%{?crypto_subsystem}" == ""
@ -40,6 +40,7 @@ Patch10: tpm2-NVMarshal-Handle-index-orderly-RAM-without-0-si.patch
Patch11: tpm2-Reset-TPM2B-buffer-sizes-after-test-fails-for-v.patch Patch11: tpm2-Reset-TPM2B-buffer-sizes-after-test-fails-for-v.patch
Patch12: tpm2-Add-maxSize-parameter-to-TPM2B_Marshal-for-sani.patch Patch12: tpm2-Add-maxSize-parameter-to-TPM2B_Marshal-for-sani.patch
Patch13: tpm2-Restore-original-value-if-unmarsalled-value-was.patch Patch13: tpm2-Restore-original-value-if-unmarsalled-value-was.patch
Patch14: tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
%if "%{crypto_subsystem}" == "openssl" %if "%{crypto_subsystem}" == "openssl"
BuildRequires: openssl-devel BuildRequires: openssl-devel
@ -132,6 +133,9 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libtpms.la
%postun -p /sbin/ldconfig %postun -p /sbin/ldconfig
%changelog %changelog
* Wed May 17 2023 jiangfangjie <jiangfangjie@huawei.com> - 0.7.3-8
- fix CVE-2023--1018 and CVE-2023-1017
* Wed May 18 2022 yezengruan <yezengruan@huawei.com> - 0.7.3-7 * Wed May 18 2022 yezengruan <yezengruan@huawei.com> - 0.7.3-7
- tpm2: Reset TPM2B buffer sizes after test fails for valid buffer size - tpm2: Reset TPM2B buffer sizes after test fails for valid buffer size
- tpm2: Add maxSize parameter to TPM2B_Marshal for sanity checks - tpm2: Add maxSize parameter to TPM2B_Marshal for sanity checks
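Review bot: Patch14 is declared here, but none of the lines this section adds applies it in %prep: the commit totals 55 additions, 50 of them in the new patch file, which leaves only the release bump, the Patch14 line and the changelog entry for the spec. If the spec applies patches with explicit `%patch` lines rather than `%autosetup` or `%autopatch` (the %prep section is not visible here), the build would ship 0.7.3-8 without the fix, so confirm that and add the matching `%patch14` line with the strip level the other patches use. The changelog entry also spells one id as `CVE-2023--1018`; it should read `- fix CVE-2023-1018 and CVE-2023-1017` so that a search of the package changelog for the CVE id finds it.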


@ -0,0 +1,50 @@
From 9beadbbf256c5d08511b9fc286ab47626039d6db Mon Sep 17 00:00:00 2001
From: jiangfangjie 00559066 <jiangfangjie@huawei.com>
Date: Tue, 7 Mar 2023 13:18:44 +0800
Subject: [PATCH] tpm2: Check size of buffer before accessing it (CVE-2023-1017
& -1018) Check that there are sufficient bytes in the buffer before reading
the cipherSize from it. Also, reduce the bufferSize variable by the number of
bytes that make up the cipherSize to avoid reading and writing bytes beyond
the buffer in subsequent steps that do in-place decryption.
This fixes CVE-2023-1017 & CVE-2023-1018.
Signed-off-by: jiangfangjie <jiangfangjie@huawei.com>
---
src/tpm2/CryptUtil.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
index 002fde0..9b7d56e 100644
--- a/src/tpm2/CryptUtil.c
+++ b/src/tpm2/CryptUtil.c
@@ -830,6 +830,10 @@ CryptParameterDecryption(
+ sizeof(session->sessionKey.t.buffer)));
TPM2B_HMAC_KEY key; // decryption key
UINT32 cipherSize = 0; // size of cipher text
+
+ if (leadingSizeInByte > bufferSize)
+ return TPM_RC_INSUFFICIENT;
+
// Retrieve encrypted data size.
if(leadingSizeInByte == 2)
{
@@ -837,6 +841,7 @@ CryptParameterDecryption(
// data to be decrypted
cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
buffer = &buffer[2]; // advance the buffer
+ bufferSize -= 2;
}
#ifdef TPM4B
else if(leadingSizeInByte == 4)
@@ -844,6 +849,7 @@ CryptParameterDecryption(
// the leading size is four bytes so get the four byte size field
cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
buffer = &buffer[4]; //advance pointer
+ bufferSize -= 4;
}
#endif
else
--
2.21.0.windows.1
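Review bot: The new guard `if (leadingSizeInByte > bufferSize)` and the two decrements `bufferSize -= 2;` / `bufferSize -= 4;` depend on each other but carry no comment saying so; without the guard the subtraction could wrap if bufferSize is an unsigned type (its declaration is outside the hunk). I would add `// The size prefix must fit in the buffer before it is read (CVE-2023-1017, CVE-2023-1018)` above the guard and `// cannot underflow: bufferSize >= leadingSizeInByte was checked above` next to each decrement. The early return also adds TPM_RC_INSUFFICIENT to the codes CryptParameterDecryption can return, so its header comment, which starts outside this hunk, should list it. The comparison of cipherSize against the reduced bufferSize is not visible here, so confirm it still follows the `else` branch in the patched file, since the decrement only helps if that later check uses the updated value.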