!45 [sync] PR-41: fix CVE-2024-29038 and CVE-2024-29039

From: @openeuler-sync-bot 
Reviewed-by: @zhujianwei001 
Signed-off-by: @zhujianwei001

backport-CVE-2021-3565.patch

@@ -0,0 +1,46 @@
+From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Fri, 21 May 2021 12:22:31 -0500
+Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565
+
+tpm2_import used a fixed AES key for the inner wrapper, which means that
+a MITM attack would be able to unwrap the imported key. Even the
+use of an encrypted session will not prevent this. The TPM only
+encrypts the first parameter which is the fixed symmetric key.
+
+To fix this, ensure the key size is 16 bytes or bigger and use
+OpenSSL to generate a secure random AES key.
+
+Fixes: #2738
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+ tools/tpm2_import.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c
+index cfb6f20..f44326c 100644
+--- a/tools/tpm2_import.c
++++ b/tools/tpm2_import.c
+@@ -118,7 +118,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub,
+     TPM2B_DATA enc_sensitive_key = {
+         .size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8
+     };
+-    memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size);
++
++    if(enc_sensitive_key.size < 16) {
++        LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size);
++        return tool_rc_general_error;
++    }
++
++    int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size);
++    if (ossl_rc != 1) {
++        LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL));
++        return tool_rc_general_error;
++    }
+ 
+     /*
+      * Calculate the object name.
+-- 
+1.8.3.1
+

backport-CVE-2024-29038.patch

@@ -0,0 +1,30 @@
+From c9d57cae9316ab22d37db87a123e9255bfd21112 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 2 May 2024 09:53:57 +0800
+Subject: [PATCH]  init
+
+---
+ tools/misc/tpm2_checkquote.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
+index ca78238..6d1a9f6 100644
+--- a/tools/misc/tpm2_checkquote.c
++++ b/tools/misc/tpm2_checkquote.c
+@@ -115,6 +115,13 @@ static bool verify(void) {
+         goto err;
+     }
+ 
++    // check magic
++    if (ctx.attest.magic != TPM2_GENERATED_VALUE) {
++        LOG_ERR("Bad magic, got: 0x%x, expected: 0x%x",
++                ctx.attest.magic, TPM2_GENERATED_VALUE);
++        return false;
++    }
++
+     // Also ensure digest from quote matches PCR digest
+     if (ctx.flags.pcr) {
+         if (!tpm2_util_verify_digests(&ctx.attest.attested.quote.pcrDigest,
+-- 
+2.23.0
+

backport-CVE-2024-29039.patch

@@ -0,0 +1,78 @@
+From accff7c58b4d01aacdb4260b3e2a1e374a2be0df Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 2 May 2024 09:57:07 +0800
+Subject: [PATCH] backport CVE-2024-29039
+
+---
+ tools/misc/tpm2_checkquote.c | 41 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
+index 6d1a9f6..c4fdff6 100644
+--- a/tools/misc/tpm2_checkquote.c
++++ b/tools/misc/tpm2_checkquote.c
+@@ -54,6 +54,37 @@ static tpm2_verifysig_ctx ctx = {
+         .pcr_hash = TPM2B_TYPE_INIT(TPM2B_DIGEST, buffer),
+ };
+ 
++static bool compare_pcr_selection(TPML_PCR_SELECTION *attest_sel, TPML_PCR_SELECTION *pcr_sel) {
++    if (attest_sel->count != pcr_sel->count) {
++        LOG_ERR("Selection sizes do not match.");
++        return false;
++    }
++    for (uint32_t i = 0; i < attest_sel->count; i++) {
++        for (uint32_t j = 0; j < pcr_sel->count; j++) {
++            if (attest_sel->pcrSelections[i].hash ==
++                pcr_sel->pcrSelections[j].hash) {
++                if (attest_sel->pcrSelections[i].sizeofSelect !=
++                        pcr_sel->pcrSelections[j].sizeofSelect) {
++                    LOG_ERR("Bitmask size does not match");
++                    return false;
++                }
++                if (memcmp(&attest_sel->pcrSelections[i].pcrSelect[0],
++                           &pcr_sel->pcrSelections[j].pcrSelect[0],
++                           attest_sel->pcrSelections[i].sizeofSelect) != 0) {
++                    LOG_ERR("Selection bitmasks do not match");
++                    return false;
++                }
++                break;
++            }
++            if (j == pcr_sel->count - 1) {
++                LOG_ERR("Hash selections to not match.");
++                return false;
++            }
++        }
++    }
++    return true;
++}
++
+ static bool verify(void) {
+ 
+     bool result = false;
+@@ -381,7 +412,7 @@ static tool_rc init(void) {
+     }
+ 
+     TPM2B_ATTEST *msg = NULL;
+-    TPML_PCR_SELECTION pcr_select;
++    TPML_PCR_SELECTION pcr_select = { 0 };
+     tpm2_pcrs *pcrs;
+     tpm2_pcrs temp_pcrs;
+     tool_rc return_value = tool_rc_general_error;
+@@ -544,6 +575,14 @@ static tool_rc init(void) {
+         goto err;
+     }
+ 
++    if (ctx.flags.pcr) {
++        if (!compare_pcr_selection(&ctx.attest.attested.quote.pcrSelect,
++                                   &pcr_select)) {
++            LOG_ERR("PCR selection does not match PCR slection from attest!");
++            goto err;
++        }
++    }
++
+     // Figure out the digest for this message
+     res = tpm2_openssl_hash_compute_data(ctx.halg, msg->attestationData,
+             msg->size, &ctx.msg_hash);
+-- 
+2.23.0
+

backport-Don-t-assume-end-of-argv-is-NULL.patch

@@ -0,0 +1,43 @@
+From fb1e0d98eca5279bf33304deedd9019b0130393a Mon Sep 17 00:00:00 2001
+From: Erik Larsson <who+github@cnackers.org>
+Date: Sat, 21 Nov 2020 10:59:13 +0100
+Subject: [PATCH] Don't assume end of argv is NULL
+
+On a musl based system argv[optind] && strcmp(...) where optind > argc might read random memory and segfault.
+
+Signed-off-by: Erik Larsson <who+github@cnackers.org>
+---
+ lib/tpm2_options.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/tpm2_options.c b/lib/tpm2_options.c
+index e9aaa0364..9fa583c60 100644
+--- a/lib/tpm2_options.c
++++ b/lib/tpm2_options.c
+@@ -300,7 +300,7 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
+             if (argv[optind - 1]) {
+                 if (!strcmp(argv[optind - 1], "--help=no-man") ||
+                     !strcmp(argv[optind - 1], "-h=no-man") ||
+-                    (argv[optind] && !strcmp(argv[optind], "no-man"))) {
++                    (argc < optind && !strcmp(argv[optind], "no-man"))) {
+                     manpager = false;
+                     optind++;
+                 /*
+@@ -309,7 +309,7 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
+                  */
+                 } else if (!strcmp(argv[optind - 1], "--help=man") ||
+                            !strcmp(argv[optind - 1], "-h=man") ||
+-                           (argv[optind] && !strcmp(argv[optind], "man"))) {
++                           (argc < optind && !strcmp(argv[optind], "man"))) {
+                     manpager = true;
+                     explicit_manpager = true;
+                     optind++;
+@@ -318,7 +318,7 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
+                      * argv[0] = "tool name"
+                      * argv[1] = "--help" argv[2] = 0
+                      */
+-                    if (!argv[optind] && argc == 2) {
++                    if (optind >= argc && argc == 2) {
+                         manpager = false;
+                     } else {
+                         /*

backport-clarify-return-values-from-string.patch

@@ -0,0 +1,109 @@
+From d6e7e673a6179400b66339bb5f66b0da87006fb1 Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Tue, 21 Dec 2021 13:53:40 -0700
+Subject: [PATCH] lib/tpm2_options.c: clarify return values from string
+ comparisons
+
+See #2890
+
+Signed-off-by: Imran Desai <imran.desai@intel.com>
+---
+ lib/tpm2_options.c | 58 +++++++++++++++++++++++++++++-----------------
+ 1 file changed, 37 insertions(+), 21 deletions(-)
+
+diff --git a/lib/tpm2_options.c b/lib/tpm2_options.c
+index 8c8af2af7..ab6660dc5 100644
+--- a/lib/tpm2_options.c
++++ b/lib/tpm2_options.c
+@@ -119,8 +119,6 @@ void tpm2_options_free(tpm2_options *opts) {
+ static bool execute_man(char *prog_name, bool show_errors) {
+ 
+     pid_t pid;
+-    int status;
+-
+     if ((pid = fork()) < 0) {
+         LOG_ERR("Could not fork process to execute man, error: %s",
+                 strerror(errno));
+@@ -129,7 +127,6 @@ static bool execute_man(char *prog_name, bool show_errors) {
+ 
+     #define MAX_TOOL_NAME_LEN 64
+     if (pid == 0) {
+-
+         if (!show_errors) {
+             /* redirect manpager errors to stderr */
+             int fd = open("/dev/null", O_WRONLY);
+@@ -141,29 +138,45 @@ static bool execute_man(char *prog_name, bool show_errors) {
+             close(fd);
+         }
+ 
++        /*
++         * Handle the case where tpm2 is specified without tool-name or help
++         */
+         const char *manpage = basename(prog_name);
+-        if (!strcmp(manpage, "tpm2")) {
+-            /*
+-             * Handle the case where tpm2 is specified without tool-name or help
+-             */
++        bool is_only_tpm2 = (strcmp(manpage, "tpm2") == 0);
++        if (is_only_tpm2) {
+             execlp("man", "man", "tpm2", NULL);
+-        } else if (strncmp(manpage, "tpm2_", strlen("tpm2_"))) {
+-            /*
+-             * Handle the case where the tool is specified as tpm2< >tool-name
+-             */
+-            char man_tool_name[MAX_TOOL_NAME_LEN] = {'t','p','m','2','_'};
+-            strncat(man_tool_name, manpage,
++        }
++
++        /*
++         * Handle the case where the tool is specified as tpm2< >tool-name
++         */
++        bool is_tpm2_space_toolname =
++            (strncmp(manpage, "tpm2_", strlen("tpm2_")) != 0);
++        if (is_tpm2_space_toolname) {
++            uint8_t toolname_len =
+                 strlen(manpage) < (MAX_TOOL_NAME_LEN - strlen("tpm2_")) ?
+-                    strlen(manpage) : (MAX_TOOL_NAME_LEN - strlen("tpm2_")));
++                strlen(manpage) : MAX_TOOL_NAME_LEN - strlen("tpm2_");
++
++            char man_tool_name[MAX_TOOL_NAME_LEN] = {'t','p','m','2','_'};
++
++            strncat(man_tool_name, manpage, toolname_len);
+             execlp("man", "man", man_tool_name, NULL);
+-        } else {
+-            /*
+-             * Handle the case where the tool is specified as tpm2<_>tool-name
+-             */
++        }
++
++        /*
++         * Handle the case where the tool is specified as tpm2<_>tool-name
++         */
++        bool is_tpm2_underscore_toolname =
++            (!is_only_tpm2 && !is_tpm2_space_toolname);
++        if (is_tpm2_underscore_toolname) {
+             execlp("man", "man", manpage, NULL);
+         }
+-    } else {
+-        if (waitpid(pid, &status, 0) == -1) {
++    }
++
++    if (pid != 0) {
++        int status;
++        bool is_child_process_incomplete = (waitpid(pid, &status, 0) == -1);
++        if (is_child_process_incomplete) {
+             LOG_ERR("Waiting for child process that executes man failed, error:"
+                     " %s", strerror(errno));
+             return false;
+@@ -524,7 +537,10 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
+         if (!did_manpager) {
+             tpm2_print_usage(argv[0], tool_opts);
+         }
+-        if (tcti_conf_option && strcmp(tcti_conf_option, "none")) {
++
++        bool is_tcti_not_none = tcti_conf_option ?
++            (strcmp(tcti_conf_option, "none") != 0) : false;
++        if (is_tcti_not_none) {
+             TSS2_TCTI_INFO *info = NULL;
+             rc_tcti = Tss2_TctiLdr_GetInfo(tcti_conf_option, &info);
+             if (rc_tcti == TSS2_RC_SUCCESS && info) {

tpm2-tools.spec

@@ -1,15 +1,22 @@
 Name:          tpm2-tools
 Version:       5.0
-Release:       1
+Release:       6
 Summary:       A TPM2.0 testing tool based on TPM2.0-TSS
 License:       BSD
 URL:           https://github.com/tpm2-software/tpm2-tools
 Source0:       https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz
 
+Patch0:        backport-Don-t-assume-end-of-argv-is-NULL.patch
+Patch1:        backport-CVE-2021-3565.patch
+Patch2:        backport-clarify-return-values-from-string.patch
+Patch3:        backport-CVE-2024-29038.patch
+Patch4:        backport-CVE-2024-29039.patch
+
 BuildRequires: gcc-c++ libtool autoconf-archive pkgconfig(cmocka) pkgconfig(libcurl) pkgconfig(openssl)
 BuildRequires: pkgconfig(tss2-mu) pkgconfig(tss2-sys) pkgconfig(tss2-esys) pkgconfig(uuid) git libgcrypt
-BuildRequires: libgcrypt-devel gdb
+BuildRequires: libgcrypt-devel
 Requires:  tpm2-tss >= 2.3.1
+Requires:  tpm2-tools-help = %{version}-%{release}
 Obsoletes: tpm2-tools <= 2.1.1-2
 
 %description
@@ -55,6 +62,21 @@ make check
 %{_mandir}/*/*
 
 %changelog
+* Thu May 02 2024 cenhuilin <cenhuilin@kylinos.cn> - 5.0-6
+- fix CVE-2024-29038 CVE-2024-29039
+
+* Fri Dec 16 2022 jinlun <jinlun@huawei.com> - 5.0-5
+- fix build error
+
+* Mon Sep 27 2021 fuanan <fuanan3@huawei.com> - 5.0-4
+- fix CVE-2021-3565
+
+* Mon Jul 26 2021 fuanan <fuanan3@huawei.com> - 5.0-3
+- Remove redundant gdb from BuildRequires
+
+* Fri Apr 30 2021 Hugel <gengqihu1@huawei.com> - 5.0-2
+- fix segmentation fault on tpm2
+
 * Mon Jan 25 2021 panxiaohe <panxiaohe@huawei.com> - 5.0-1
 - update to 5.0