fix CVE-2024-29038 CVE-2024-29039

(cherry picked from commit 726694d50276ccb7a6802a9d9bde576a44a269a9)
cenhuilin 2024-05-02 10:01:09 +08:00 committed by openeuler-sync-bot
parent 585a776ea7
commit 465397ad89
3 changed files with 114 additions and 1 deletions


@ -0,0 +1,30 @@
From c9d57cae9316ab22d37db87a123e9255bfd21112 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 2 May 2024 09:53:57 +0800
Subject: [PATCH] init
---
tools/misc/tpm2_checkquote.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
index ca78238..6d1a9f6 100644
--- a/tools/misc/tpm2_checkquote.c
+++ b/tools/misc/tpm2_checkquote.c
@@ -115,6 +115,13 @@ static bool verify(void) {
goto err;
}
+ // check magic
+ if (ctx.attest.magic != TPM2_GENERATED_VALUE) {
+ LOG_ERR("Bad magic, got: 0x%x, expected: 0x%x",
+ ctx.attest.magic, TPM2_GENERATED_VALUE);
+ return false;
+ }
+
// Also ensure digest from quote matches PCR digest
if (ctx.flags.pcr) {
if (!tpm2_util_verify_digests(&ctx.attest.attested.quote.pcrDigest,
--
2.23.0
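Review bot: The added magic check leaves verify() with `return false` while the branch directly above it exits through `goto err;`, so whatever cleanup the err label performs is skipped on this path; verify() opens with `bool result = false;` (visible in the second patch on this page), so `goto err;` would return the same value through the common exit. verify()'s body starts and ends outside this hunk, so I cannot see what err releases — if it frees nothing, this is only a consistency issue, but the common-exit form is the safer default for a security check. Separately, the patch header `Subject: [PATCH] init` gives no provenance for a security backport; it should name the fix it was taken from, e.g. `Subject: [PATCH] backport CVE-2024-29038`, matching the second patch.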


@ -0,0 +1,78 @@
From accff7c58b4d01aacdb4260b3e2a1e374a2be0df Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 2 May 2024 09:57:07 +0800
Subject: [PATCH] backport CVE-2024-29039
---
tools/misc/tpm2_checkquote.c | 41 +++++++++++++++++++++++++++++++++++-
1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
index 6d1a9f6..c4fdff6 100644
--- a/tools/misc/tpm2_checkquote.c
+++ b/tools/misc/tpm2_checkquote.c
@@ -54,6 +54,37 @@ static tpm2_verifysig_ctx ctx = {
.pcr_hash = TPM2B_TYPE_INIT(TPM2B_DIGEST, buffer),
};
+static bool compare_pcr_selection(TPML_PCR_SELECTION *attest_sel, TPML_PCR_SELECTION *pcr_sel) {
+ if (attest_sel->count != pcr_sel->count) {
+ LOG_ERR("Selection sizes do not match.");
+ return false;
+ }
+ for (uint32_t i = 0; i < attest_sel->count; i++) {
+ for (uint32_t j = 0; j < pcr_sel->count; j++) {
+ if (attest_sel->pcrSelections[i].hash ==
+ pcr_sel->pcrSelections[j].hash) {
+ if (attest_sel->pcrSelections[i].sizeofSelect !=
+ pcr_sel->pcrSelections[j].sizeofSelect) {
+ LOG_ERR("Bitmask size does not match");
+ return false;
+ }
+ if (memcmp(&attest_sel->pcrSelections[i].pcrSelect[0],
+ &pcr_sel->pcrSelections[j].pcrSelect[0],
+ attest_sel->pcrSelections[i].sizeofSelect) != 0) {
+ LOG_ERR("Selection bitmasks do not match");
+ return false;
+ }
+ break;
+ }
+ if (j == pcr_sel->count - 1) {
+ LOG_ERR("Hash selections to not match.");
+ return false;
+ }
+ }
+ }
+ return true;
+}
+
static bool verify(void) {
bool result = false;
@@ -381,7 +412,7 @@ static tool_rc init(void) {
}
TPM2B_ATTEST *msg = NULL;
- TPML_PCR_SELECTION pcr_select;
+ TPML_PCR_SELECTION pcr_select = { 0 };
tpm2_pcrs *pcrs;
tpm2_pcrs temp_pcrs;
tool_rc return_value = tool_rc_general_error;
@@ -544,6 +575,14 @@ static tool_rc init(void) {
goto err;
}
+ if (ctx.flags.pcr) {
+ if (!compare_pcr_selection(&ctx.attest.attested.quote.pcrSelect,
+ &pcr_select)) {
+ LOG_ERR("PCR selection does not match PCR slection from attest!");
+ goto err;
+ }
+ }
+
// Figure out the digest for this message
res = tpm2_openssl_hash_compute_data(ctx.halg, msg->attestationData,
msg->size, &ctx.msg_hash);
--
2.23.0
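Review bot: compare_pcr_selection() passes `attest_sel->pcrSelections[i].sizeofSelect` straight to memcmp as the length, and the only check on that value is equality with the pcr_sel side; unless the TSS unmarshaller already caps sizeofSelect at the size of the pcrSelect array, a quote carrying an oversized value makes memcmp read past both arrays. A bound before the memcmp, `if (attest_sel->pcrSelections[i].sizeofSelect > sizeof attest_sel->pcrSelections[i].pcrSelect) { LOG_ERR("Bitmask size out of range"); return false; }`, keeps the function safe regardless of what the caller validated. Two messages in the new code carry typos: `"Hash selections to not match."` should read `"Hash selections do not match."` and `"PCR selection does not match PCR slection from attest!"` should read `"PCR selection does not match PCR selection from attest!"`. Both parameters are only read, so `const TPML_PCR_SELECTION *` on each would document that contract.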


@ -1,6 +1,6 @@
Name: tpm2-tools Name: tpm2-tools
Version: 5.0 Version: 5.0
Release: 5 Release: 6
Summary: A TPM2.0 testing tool based on TPM2.0-TSS Summary: A TPM2.0 testing tool based on TPM2.0-TSS
License: BSD License: BSD
URL: https://github.com/tpm2-software/tpm2-tools URL: https://github.com/tpm2-software/tpm2-tools
@ -9,6 +9,8 @@ Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{v
Patch0: backport-Don-t-assume-end-of-argv-is-NULL.patch Patch0: backport-Don-t-assume-end-of-argv-is-NULL.patch
Patch1: backport-CVE-2021-3565.patch Patch1: backport-CVE-2021-3565.patch
Patch2: backport-clarify-return-values-from-string.patch Patch2: backport-clarify-return-values-from-string.patch
Patch3: backport-CVE-2024-29038.patch
Patch4: backport-CVE-2024-29039.patch
BuildRequires: gcc-c++ libtool autoconf-archive pkgconfig(cmocka) pkgconfig(libcurl) pkgconfig(openssl) BuildRequires: gcc-c++ libtool autoconf-archive pkgconfig(cmocka) pkgconfig(libcurl) pkgconfig(openssl)
BuildRequires: pkgconfig(tss2-mu) pkgconfig(tss2-sys) pkgconfig(tss2-esys) pkgconfig(uuid) git libgcrypt BuildRequires: pkgconfig(tss2-mu) pkgconfig(tss2-sys) pkgconfig(tss2-esys) pkgconfig(uuid) git libgcrypt
@ -60,6 +62,9 @@ make check
%{_mandir}/*/* %{_mandir}/*/*
%changelog %changelog
* Thu May 02 2024 cenhuilin <cenhuilin@kylinos.cn> - 5.0-6
- fix CVE-2024-29038 CVE-2024-29039
* Fri Dec 16 2022 jinlun <jinlun@huawei.com> - 5.0-5 * Fri Dec 16 2022 jinlun <jinlun@huawei.com> - 5.0-5
- fix build error - fix build error