packages/swtpm
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!29 swtpm: Check header size indicator against expected size (CVE-2022-23645)

Browse Source 
From: @yezengruan 
Reviewed-by: @zhujianwei001 
Signed-off-by: @zhujianwei001
This commit is contained in:
openeuler-ci-bot 2022-07-05 02:53:57 +00:00 committed by Gitee
commit 149f310fe0
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
7 changed files with 63 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
0001-swtpm-Check-header-size-indicator-against-expected-s.patch Normal file
View File

@ -0,0 +1,51 @@
From c518445f9fddc786f191f4f5926bf483fa2bd1ff Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Wed, 16 Feb 2022 11:17:47 -0500
Subject: [PATCH] swtpm: Check header size indicator against expected size (CID
375869)
This fix addresses Coverity issue CID 375869 (CVE-2022-23645).
Check the header size indicated in the header of the state against the
expected size and return an error code in case the header size indicator
is different. There was only one header size so far since blobheader was
introduced, so we don't need to deal with different sizes.
Without this fix a specially crafted header could cause out-of-bounds
accesses on the byte array containing the swtpm's state.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
src/swtpm/swtpm_nvfile.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/swtpm/swtpm_nvfile.c b/src/swtpm/swtpm_nvfile.c
index dc7cfbf1..0efb9da8 100644
--- a/src/swtpm/swtpm_nvfile.c
+++ b/src/swtpm/swtpm_nvfile.c
@@ -1260,6 +1260,7 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
uint8_t *hdrversion, bool quiet)
{
blobheader *bh = (blobheader *)data;
+ uint16_t hdrsize;
if (length < sizeof(bh)) {
if (!quiet)
@@ -1285,8 +1286,16 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
return TPM_BAD_VERSION;
}
+ hdrsize = ntohs(bh->hdrsize);
+ if (hdrsize != sizeof(blobheader)) {
+ logprintf(STDERR_FILENO,
+ "bad header size: %u != %zu\n",
+ hdrsize, sizeof(blobheader));
+ return TPM_BAD_DATASIZE;
+ }
+
*hdrversion = bh->version;
- *dataoffset = ntohs(bh->hdrsize);
+ *dataoffset = hdrsize;
*hdrflags = ntohs(bh->flags);
return TPM_SUCCESS;

0
0001-swtpm-Write-state-files-atomically-using-file-renami.patch → 0002-swtpm-Write-state-files-atomically-using-file-renami.patch
View File

0
0002-swtpm_cert-Switch-to-open-from-fopen-for-writing-cer.patch → 0003-swtpm_cert-Switch-to-open-from-fopen-for-writing-cer.patch
View File

0
0003-swtpm-Do-not-follow-symlinks-when-opening-lockfile-C.patch → 0004-swtpm-Do-not-follow-symlinks-when-opening-lockfile-C.patch
View File

0
0004-swtpm-Switch-to-open-from-fopen-for-the-pidfile-CVE-.patch → 0005-swtpm-Switch-to-open-from-fopen-for-the-pidfile-CVE-.patch
View File

0
0005-swtpm-Use-open-not-fopen-when-accessing-statefile-CV.patch → 0006-swtpm-Use-open-not-fopen-when-accessing-statefile-CV.patch
View File

21
swtpm.spec
View File

@ -12,17 +12,17 @@
Summary: TPM Emulator Summary: TPM Emulator
Name: swtpm Name: swtpm
Version: 0.3.3 Version: 0.3.3
Release: 5 Release: 6
License: BSD License: BSD
Url: http://github.com/stefanberger/swtpm Url: http://github.com/stefanberger/swtpm
Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz
Patch00: 0000-rename-deprecated-libtasn1-types-to-fix-build-error.patch Patch00: 0000-rename-deprecated-libtasn1-types-to-fix-build-error.patch
Patch01: 0001-swtpm-Write-state-files-atomically-using-file-renami.patch Patch01: 0001-swtpm-Check-header-size-indicator-against-expected-s.patch
Patch02: 0002-swtpm_cert-Switch-to-open-from-fopen-for-writing-cer.patch Patch02: 0002-swtpm-Write-state-files-atomically-using-file-renami.patch
Patch03: 0003-swtpm-Do-not-follow-symlinks-when-opening-lockfile-C.patch Patch03: 0003-swtpm_cert-Switch-to-open-from-fopen-for-writing-cer.patch
Patch04: 0004-swtpm-Switch-to-open-from-fopen-for-the-pidfile-CVE-.patch Patch04: 0004-swtpm-Do-not-follow-symlinks-when-opening-lockfile-C.patch
Patch05: 0005-swtpm-Use-open-not-fopen-when-accessing-statefile-CV.patch Patch05: 0005-swtpm-Switch-to-open-from-fopen-for-the-pidfile-CVE-.patch
Patch06: 0006-swtpm-Use-open-not-fopen-when-accessing-statefile-CV.patch
BuildRequires: automake BuildRequires: automake
BuildRequires: autoconf BuildRequires: autoconf
@ -171,10 +171,13 @@ fi
%attr( 755, tss, tss) %{_localstatedir}/lib/swtpm-localca %attr( 755, tss, tss) %{_localstatedir}/lib/swtpm-localca
%changelog %changelog
* Thu Jun 30 2022 yezengruan <yezengruan@huawei.com> - 0.3.3-5 * Thu Jun 30 2022 yezengruan <yezengruan@huawei.com> - 0.3.3-6
- Addressed potential symlink attack issue (CVE-2020-28407) - Addressed potential symlink attack issue (CVE-2020-28407)
* Wed Apr 06 2022 xigaoxinyan <xigaoxinyan@h-partners.com> - 0.3.3-4 * Wed Mar 9 2022 yaoxin <yaoxin30@huawei.com> - 0.3.3-5
- swtpm: Check header size indicator against expected size (CVE-2022-23645)
* Wed Feb 16 2022 xu_ping <xuping33@huawei.com> - 0.3.3-4
- rename deprecated libtasn1 types to fix build error - rename deprecated libtasn1 types to fix build error
* Tue Nov 16 2021 imxcc <xingchaochao@huawei.com> - 0.3.3-3 * Tue Nov 16 2021 imxcc <xingchaochao@huawei.com> - 0.3.3-3