packages/swtpm
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2022-23645

Browse Source 
(cherry picked from commit ee6e4b6e28fceb4667fb1ecc9e14e913ce4d6b4f)
This commit is contained in:
starlet-dx 2022-03-09 18:10:12 +08:00 committed by openeuler-sync-bot
parent 23fa6dd966
commit 95cb4eea14
2 changed files with 56 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
CVE-2022-23645.patch Normal file
View File

@ -0,0 +1,51 @@
From c518445f9fddc786f191f4f5926bf483fa2bd1ff Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Wed, 16 Feb 2022 11:17:47 -0500
Subject: [PATCH] swtpm: Check header size indicator against expected size (CID
375869)
This fix addresses Coverity issue CID 375869.
Check the header size indicated in the header of the state against the
expected size and return an error code in case the header size indicator
is different. There was only one header size so far since blobheader was
introduced, so we don't need to deal with different sizes.
Without this fix a specially crafted header could cause out-of-bounds
accesses on the byte array containing the swtpm's state.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
src/swtpm/swtpm_nvfile.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/swtpm/swtpm_nvfile.c b/src/swtpm/swtpm_nvfile.c
index dc7cfbf1..0efb9da8 100644
--- a/src/swtpm/swtpm_nvfile.c
+++ b/src/swtpm/swtpm_nvfile.c
@@ -1260,6 +1260,7 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
uint8_t *hdrversion, bool quiet)
{
blobheader *bh = (blobheader *)data;
+ uint16_t hdrsize;
if (length < sizeof(bh)) {
if (!quiet)
@@ -1285,8 +1286,16 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
return TPM_BAD_VERSION;
}
+ hdrsize = ntohs(bh->hdrsize);
+ if (hdrsize != sizeof(blobheader)) {
+ logprintf(STDERR_FILENO,
+ "bad header size: %u != %zu\n",
+ hdrsize, sizeof(blobheader));
+ return TPM_BAD_DATASIZE;
+ }
+
*hdrversion = bh->version;
- *dataoffset = ntohs(bh->hdrsize);
+ *dataoffset = hdrsize;
*hdrflags = ntohs(bh->flags);
return TPM_SUCCESS;

6
swtpm.spec
View File

@ -12,11 +12,12 @@
Summary: TPM Emulator Summary: TPM Emulator
Name: swtpm Name: swtpm
Version: 0.3.3 Version: 0.3.3
Release: 4 Release: 5
License: BSD License: BSD
Url: http://github.com/stefanberger/swtpm Url: http://github.com/stefanberger/swtpm
Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz
Patch0: rename-deprecated-libtasn1-types-to-fix-build-error.patch Patch0: rename-deprecated-libtasn1-types-to-fix-build-error.patch
Patch1: CVE-2022-23645.patch
BuildRequires: automake BuildRequires: automake
BuildRequires: autoconf BuildRequires: autoconf
@ -174,6 +175,9 @@ fi
%attr( 755, tss, tss) %{_localstatedir}/lib/swtpm-localca %attr( 755, tss, tss) %{_localstatedir}/lib/swtpm-localca
%changelog %changelog
* Wed Mar 9 2022 yaoxin <yaoxin30@huawei.com> - 0.3.3-5
- Fix CVE-2022-23645
* Wed Feb 16 2022 xu_ping <xuping33@huawei.com> - 0.3.3-4 * Wed Feb 16 2022 xu_ping <xuping33@huawei.com> - 0.3.3-4
- Fix build error - Fix build error