fix CVE-2024-29038 and CVE-2024-29039

2024-05-02 10:26:37 +08:00 · 2024-05-02 10:26:37 +08:00 · 56564eab11
commit 56564eab11
parent 5d2c2a8596
3 changed files with 128 additions and 1 deletions
--- a/backport-CVE-2024-29038.patch
+++ b/backport-CVE-2024-29038.patch
@ -0,0 +1,37 @@
+From 66d922d6547b7b4fe4f274fb2ec10b376e0e259 Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_repp@web.de>
+Date: Thu, 2 May 2024 09:00:17 +0800
+Subject: [PATCH] tpm2_checkquote: Fix check of magic number.
+It was not checked whether the magic number in the
+attest is equal to TPM2_GENERATED_VALUE.
+So an malicious attacker could generate arbitrary quote data
+which was not detected by tpm2 checkquote.
+
+Fixes: CVE-2024-29038
+
+Signed-off-by: Juergen Repp <juergen_repp@web.de>
+---
+ tools/misc/tpm2_checkquote.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
+index fe8ef11..b3947e7 100644
+--- a/tools/misc/tpm2_checkquote.c
+++ b/tools/misc/tpm2_checkquote.c
+@@ -128,6 +128,13 @@ static bool verify(void) {
+         goto err;
+     }
+ 
+    // check magic
+    if (ctx.attest.magic != TPM2_GENERATED_VALUE) {
+        LOG_ERR("Bad magic, got: 0x%x, expected: 0x%x",
+                ctx.attest.magic, TPM2_GENERATED_VALUE);
+        return false;
+    }
+
+     // Also ensure digest from quote matches PCR digest
+     if (ctx.flags.pcr) {
+         if (!tpm2_util_verify_digests(&ctx.attest.attested.quote.pcrDigest,
+-- 
+2.23.0
+
--- a/backport-CVE-2024-29039.patch
+++ b/backport-CVE-2024-29039.patch
@ -0,0 +1,85 @@
+From 98599df9392a346216c5a059b8d35271286100bb Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_repp@web.de>
+Date: Thu, 2 May 2024 09:10:01 +0800
+Subject: [PATCH] tpm2_checkquote: Add comparison of pcr selection.
+The pcr selection which is passed with the --pcr parameter it not
+compared with the attest. So it's possible to fake a valid
+attestation.
+
+Fixes: CVE-2024-29039
+
+Signed-off-by: Juergen Repp <juergen_repp@web.de>
+Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com>
+---
+ tools/misc/tpm2_checkquote.c | 41 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
+index b3947e7..81de000 100644
+--- a/tools/misc/tpm2_checkquote.c
+++ b/tools/misc/tpm2_checkquote.c
+@@ -54,6 +54,37 @@ static tpm2_verifysig_ctx ctx = {
+         .pcr_hash = TPM2B_TYPE_INIT(TPM2B_DIGEST, buffer),
+ };
+ 
+static bool compare_pcr_selection(TPML_PCR_SELECTION *attest_sel, TPML_PCR_SELECTION *pcr_sel) {
+    if (attest_sel->count != pcr_sel->count) {
+        LOG_ERR("Selection sizes do not match.");
+        return false;
+    }
+    for (uint32_t i = 0; i < attest_sel->count; i++) {
+        for (uint32_t j = 0; j < pcr_sel->count; j++) {
+            if (attest_sel->pcrSelections[i].hash ==
+                pcr_sel->pcrSelections[j].hash) {
+                if (attest_sel->pcrSelections[i].sizeofSelect !=
+                        pcr_sel->pcrSelections[j].sizeofSelect) {
+                    LOG_ERR("Bitmask size does not match");
+                    return false;
+                }
+                if (memcmp(&attest_sel->pcrSelections[i].pcrSelect[0],
+                           &pcr_sel->pcrSelections[j].pcrSelect[0],
+                           attest_sel->pcrSelections[i].sizeofSelect) != 0) {
+                    LOG_ERR("Selection bitmasks do not match");
+                    return false;
+                }
+                break;
+            }
+            if (j == pcr_sel->count - 1) {
+                LOG_ERR("Hash selections to not match.");
+                return false;
+            }
+        }
+    }
+    return true;
+}
+
+ static bool verify(void) {
+ 
+     bool result = false;
+@@ -394,7 +425,7 @@ static tool_rc init(void) {
+     }
+ 
+     TPM2B_ATTEST *msg = NULL;
+-    TPML_PCR_SELECTION pcr_select;
+    TPML_PCR_SELECTION pcr_select = { 0 };
+     tpm2_pcrs *pcrs;
+     tpm2_pcrs temp_pcrs = {};
+     tool_rc return_value = tool_rc_general_error;
+@@ -557,6 +588,14 @@ static tool_rc init(void) {
+         goto err;
+     }
+ 
+    if (ctx.flags.pcr) {
+        if (!compare_pcr_selection(&ctx.attest.attested.quote.pcrSelect,
+                                   &pcr_select)) {
+            LOG_ERR("PCR selection does not match PCR slection from attest!");
+            goto err;
+        }
+    }
+
+     // Figure out the digest for this message
+     res = tpm2_openssl_hash_compute_data(ctx.halg, msg->attestationData,
+             msg->size, &ctx.msg_hash);
+-- 
+2.23.0
+
--- a/tpm2-tools.spec
+++ b/tpm2-tools.spec
@ -1,11 +1,13 @@
 Name:          tpm2-tools
 Version:       5.5
-Release:       1
+Release:       2
 Summary:       A TPM2.0 testing tool based on TPM2.0-TSS
 License:       BSD
 URL:           https://github.com/tpm2-software/tpm2-tools
 Source0:       https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz

+Patch0:        backport-CVE-2024-29038.patch
+Patch1:        backport-CVE-2024-29039.patch

 BuildRequires: gcc-c++ libtool autoconf-archive pkgconfig(cmocka) pkgconfig(libcurl) pkgconfig(openssl)
 BuildRequires: pkgconfig(tss2-mu) pkgconfig(tss2-sys) pkgconfig(tss2-esys) pkgconfig(uuid) libgcrypt
@ -57,6 +59,9 @@ make check
 %{_mandir}/*/*

 %changelog
+* Thu May 02 2024 cenhuilin <cenhuilin@kylinos.cn> - 5.5-2
+- fix CVE-2024-29038 CVE-2024-29039
+
 * Tue Jul 18 2023 jinlun <jinlun@huawei.com> - 5.5-1
 - update to 5.5