Fix CVE-2023--1018 and CVE-2023-1017

2023-03-08 10:41:10 +08:00 · 2023-03-08 10:41:10 +08:00 · 2e6a29de25
commit 2e6a29de25
parent aa5637f355
2 changed files with 56 additions and 1 deletions
--- a/0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
+++ b/0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
@ -0,0 +1,50 @@
+From 9beadbbf256c5d08511b9fc286ab47626039d6db Mon Sep 17 00:00:00 2001
+From: jiangfangjie 00559066 <jiangfangjie@huawei.com>
+Date: Tue, 7 Mar 2023 13:18:44 +0800
+Subject: [PATCH] tpm2: Check size of buffer before accessing it (CVE-2023-1017
+ & -1018) Check that there are sufficient bytes in the buffer before reading
+ the cipherSize from it. Also, reduce the bufferSize variable by the number of
+ bytes that make up the cipherSize to avoid reading and writing bytes beyond
+ the buffer in subsequent steps that do in-place decryption.
+
+This fixes CVE-2023-1017 & CVE-2023-1018.
+
+Signed-off-by: jiangfangjie <jiangfangjie@huawei.com>
+---
+ src/tpm2/CryptUtil.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
+index 002fde0..9b7d56e 100644
+--- a/src/tpm2/CryptUtil.c
+++ b/src/tpm2/CryptUtil.c
+@@ -830,6 +830,10 @@ CryptParameterDecryption(
+ 			  + sizeof(session->sessionKey.t.buffer)));
+     TPM2B_HMAC_KEY          key;            // decryption key
+     UINT32                  cipherSize = 0; // size of cipher text
+
+	if (leadingSizeInByte > bufferSize)
+	return TPM_RC_INSUFFICIENT;
+
+     // Retrieve encrypted data size.
+     if(leadingSizeInByte == 2)
+ 	{
+@@ -837,6 +841,7 @@ CryptParameterDecryption(
+ 	    // data to be decrypted
+ 	    cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
+ 	    buffer = &buffer[2];   // advance the buffer
+		bufferSize -= 2;
+ 	}
+ #ifdef  TPM4B
+     else if(leadingSizeInByte == 4)
+@@ -844,6 +849,7 @@ CryptParameterDecryption(
+ 	    // the leading size is four bytes so get the four byte size field
+ 	    cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
+ 	    buffer = &buffer[4];   //advance pointer
+		bufferSize -= 4;
+ 	}
+ #endif
+     else
+-- 
+2.21.0.windows.1
+
--- a/libtpms.spec
+++ b/libtpms.spec
@ -2,7 +2,7 @@

 %define name      libtpms
 %define version   0.9.5
-%define release   1
+%define release   2

 # Valid crypto subsystems are 'freebl' and 'openssl'
 %if "%{?crypto_subsystem}" == ""
@ -22,6 +22,8 @@ Url:            http://github.com/stefanberger/libtpms
 Source0:        %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
 Provides:       libtpms-%{crypto_subsystem} = %{version}-%{release}

+Patch0: 0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
+
 %if "%{crypto_subsystem}" == "openssl"
 BuildRequires:  openssl-devel
 %else
@ -113,6 +115,9 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libtpms.la
 %postun -p /sbin/ldconfig

 %changelog
+* Tue Mar 07 2023 jiangfangjie <jiangfangjie@huawei.com> - 0.9.5-2
+- fix CVE-2023--1018 and CVE-2023-1017
+
 * Fri Feb 03 2023 yezengruan <yezengruan@huawei.com> - 0.9.5-1
 - update to version 0.9.5