tpm2-tools/backport-CVE-2024-29038.patch
2024-05-02 10:26:37 +08:00

From 66d922d6547b7b4fe4f274fb2ec10b376e0e259 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Thu, 2 May 2024 09:00:17 +0800
Subject: [PATCH] tpm2_checkquote: Fix check of magic number.

It was not checked whether the magic number in the
attest is equal to TPM2_GENERATED_VALUE.
So a malicious attacker could generate arbitrary quote data
which was not detected by tpm2 checkquote.
Fixes: CVE-2024-29038
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
tools/misc/tpm2_checkquote.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
index fe8ef11..b3947e7 100644
--- a/tools/misc/tpm2_checkquote.c
+++ b/tools/misc/tpm2_checkquote.c
@@ -128,6 +128,13 @@ static bool verify(void) {
goto err;
}
+ // check magic
+ if (ctx.attest.magic != TPM2_GENERATED_VALUE) {
+ LOG_ERR("Bad magic, got: 0x%x, expected: 0x%x",
+ ctx.attest.magic, TPM2_GENERATED_VALUE);
+ return false;
+ }
+
// Also ensure digest from quote matches PCR digest
if (ctx.flags.pcr) {
if (!tpm2_util_verify_digests(&ctx.attest.attested.quote.pcrDigest,
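Review bot: The new magic check leaves verify() with `return false;`, while the failure branch directly above it in the same function exits through `goto err;`. If the err label releases or logs anything set up earlier in verify(), this path bypasses it, so I would use `goto err;` here to keep a single failure exit. Separately, the context line after the check reads `ctx.attest.attested.quote.pcrDigest`, which assumes the attest structure is a quote; this hunk validates only `magic`, so it is worth confirming that the attest type is also checked somewhere in verify() before that member is used. A regression test that feeds tpm2_checkquote a message with a wrong magic value and expects failure would pin the fix down.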
--
2.23.0