packages/libtpms
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!32 Fix CVE-2023--1018 and CVE-2023-1017

Browse Source 
From: @jackjf 
Reviewed-by: @yezengruan 
Signed-off-by: @yezengruan
This commit is contained in:
openeuler-ci-bot 2023-03-15 01:27:24 +00:00 committed by Gitee
commit ede29033ac
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 56 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch Normal file
View File

@ -0,0 +1,50 @@
From 9beadbbf256c5d08511b9fc286ab47626039d6db Mon Sep 17 00:00:00 2001
From: jiangfangjie 00559066 <jiangfangjie@huawei.com>
Date: Tue, 7 Mar 2023 13:18:44 +0800
Subject: [PATCH] tpm2: Check size of buffer before accessing it (CVE-2023-1017
& -1018) Check that there are sufficient bytes in the buffer before reading
the cipherSize from it. Also, reduce the bufferSize variable by the number of
bytes that make up the cipherSize to avoid reading and writing bytes beyond
the buffer in subsequent steps that do in-place decryption.
This fixes CVE-2023-1017 & CVE-2023-1018.
Signed-off-by: jiangfangjie <jiangfangjie@huawei.com>
---
src/tpm2/CryptUtil.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
index 002fde0..9b7d56e 100644
--- a/src/tpm2/CryptUtil.c
+++ b/src/tpm2/CryptUtil.c
@@ -830,6 +830,10 @@ CryptParameterDecryption(
+ sizeof(session->sessionKey.t.buffer)));
TPM2B_HMAC_KEY key; // decryption key
UINT32 cipherSize = 0; // size of cipher text
+
+ if (leadingSizeInByte > bufferSize)
+ return TPM_RC_INSUFFICIENT;
+
// Retrieve encrypted data size.
if(leadingSizeInByte == 2)
{
@@ -837,6 +841,7 @@ CryptParameterDecryption(
// data to be decrypted
cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
buffer = &buffer[2]; // advance the buffer
+ bufferSize -= 2;
}
#ifdef TPM4B
else if(leadingSizeInByte == 4)
@@ -844,6 +849,7 @@ CryptParameterDecryption(
// the leading size is four bytes so get the four byte size field
cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
buffer = &buffer[4]; //advance pointer
+ bufferSize -= 4;
}
#endif
else
--
2.21.0.windows.1

7
libtpms.spec
View File

@ -2,7 +2,7 @@
%define name libtpms %define name libtpms
%define version 0.9.5 %define version 0.9.5
%define release 1 %define release 2
# Valid crypto subsystems are 'freebl' and 'openssl' # Valid crypto subsystems are 'freebl' and 'openssl'
%if "%{?crypto_subsystem}" == "" %if "%{?crypto_subsystem}" == ""
@ -22,6 +22,8 @@ Url: http://github.com/stefanberger/libtpms
Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
Provides: libtpms-%{crypto_subsystem} = %{version}-%{release} Provides: libtpms-%{crypto_subsystem} = %{version}-%{release}
Patch0: 0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
%if "%{crypto_subsystem}" == "openssl" %if "%{crypto_subsystem}" == "openssl"
BuildRequires: openssl-devel BuildRequires: openssl-devel
%else %else
@ -113,6 +115,9 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libtpms.la
%postun -p /sbin/ldconfig %postun -p /sbin/ldconfig
%changelog %changelog
* Tue Mar 07 2023 jiangfangjie <jiangfangjie@huawei.com> - 0.9.5-2
- fix CVE-2023--1018 and CVE-2023-1017
* Fri Feb 03 2023 yezengruan <yezengruan@huawei.com> - 0.9.5-1 * Fri Feb 03 2023 yezengruan <yezengruan@huawei.com> - 0.9.5-1
- update to version 0.9.5 - update to version 0.9.5