51 lines
1.7 KiB
Diff
51 lines
1.7 KiB
Diff
From 9beadbbf256c5d08511b9fc286ab47626039d6db Mon Sep 17 00:00:00 2001
|
|
From: jiangfangjie 00559066 <jiangfangjie@huawei.com>
|
|
Date: Tue, 7 Mar 2023 13:18:44 +0800
|
|
Subject: [PATCH] tpm2: Check size of buffer before accessing it (CVE-2023-1017
|
|
& -1018) Check that there are sufficient bytes in the buffer before reading
|
|
the cipherSize from it. Also, reduce the bufferSize variable by the number of
|
|
bytes that make up the cipherSize to avoid reading and writing bytes beyond
|
|
the buffer in subsequent steps that do in-place decryption.
|
|
|
|
This fixes CVE-2023-1017 & CVE-2023-1018.
|
|
|
|
Signed-off-by: jiangfangjie <jiangfangjie@huawei.com>
|
|
---
|
|
src/tpm2/CryptUtil.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
|
|
index 002fde0..9b7d56e 100644
|
|
--- a/src/tpm2/CryptUtil.c
|
|
+++ b/src/tpm2/CryptUtil.c
|
|
@@ -830,6 +830,10 @@ CryptParameterDecryption(
|
|
+ sizeof(session->sessionKey.t.buffer)));
|
|
TPM2B_HMAC_KEY key; // decryption key
|
|
UINT32 cipherSize = 0; // size of cipher text
|
|
+
|
|
+ if (leadingSizeInByte > bufferSize)
|
|
+ return TPM_RC_INSUFFICIENT;
|
|
+
|
|
// Retrieve encrypted data size.
|
|
if(leadingSizeInByte == 2)
|
|
{
|
|
@@ -837,6 +841,7 @@ CryptParameterDecryption(
|
|
// data to be decrypted
|
|
cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
|
|
buffer = &buffer[2]; // advance the buffer
|
|
+ bufferSize -= 2;
|
|
}
|
|
#ifdef TPM4B
|
|
else if(leadingSizeInByte == 4)
|
|
@@ -844,6 +849,7 @@ CryptParameterDecryption(
|
|
// the leading size is four bytes so get the four byte size field
|
|
cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
|
|
buffer = &buffer[4]; //advance pointer
|
|
+ bufferSize -= 4;
|
|
}
|
|
#endif
|
|
else
|
|
--
|
|
2.21.0.windows.1
|
|
|