!32 修复CVE-2023-22745

From: @huangzq6 Reviewed-by: @HuaxinLuGitee, @zhujianwei001 Signed-off-by: @HuaxinLuGitee, @zhujianwei001
2023-02-01 09:26:22 +00:00 · 2023-02-01 09:26:22 +00:00 · 5fcb220c6a
commit 5fcb220c6a
parent cee6989b0a c47134161a
2 changed files with 148 additions and 1 deletions
--- a/backport-CVE-2023-22745.patch
+++ b/backport-CVE-2023-22745.patch
@ -0,0 +1,139 @@
+From 306490c8d848c367faa2d9df81f5e69dab46ffb5 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Thu, 19 Jan 2023 11:53:06 -0600
+Subject: [PATCH] tss2_rc: ensure layer number is in bounds
+
+The layer handler array was defined as 255, the max number of uint8,
+which is the size of the layer field, however valid values are 0-255
+allowing for 256 possibilities and thus the array was off by one and
+needed to be sized to 256 entries. Update the size and add tests.
+
+Note: previous implementations incorrectly dropped bits on unknown error
+output, ie TSS2_RC of 0xFFFFFF should yeild a string of 255:0xFFFFFF,
+but earlier implementations returned 255:0xFFFF, dropping the middle
+bits, this patch fixes that.
+
+Fixes: CVE-2023-22745
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+ src/tss2-rc/tss2_rc.c    | 31 +++++++++++++++++++++----------
+ test/unit/test_tss2_rc.c | 21 ++++++++++++++++++++-
+ 2 files changed, 41 insertions(+), 11 deletions(-)
+
+diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c
+index 15ced56..4e14659 100644
+--- a/src/tss2-rc/tss2_rc.c
+++ b/src/tss2-rc/tss2_rc.c
+@@ -1,5 +1,8 @@
+ /* SPDX-License-Identifier: BSD-2-Clause */
+-
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include <assert.h>
+ #include <stdarg.h>
+ #include <stdbool.h>
+ #include <stdio.h>
+@@ -834,7 +837,7 @@ tss_err_handler (TSS2_RC rc)
+ static struct {
+     char name[TSS2_ERR_LAYER_NAME_MAX];
+     TSS2_RC_HANDLER handler;
+-} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT] = {
+} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1] = {
+     ADD_HANDLER("tpm" , tpm2_ehandler),
+     ADD_NULL_HANDLER,                       /* layer 1  is unused */
+     ADD_NULL_HANDLER,                       /* layer 2  is unused */
+@@ -869,7 +872,7 @@ unknown_layer_handler(TSS2_RC rc)
+     static __thread char buf[32];
+ 
+     clearbuf(buf);
+-    catbuf(buf, "0x%X", tpm2_error_get(rc));
+    catbuf(buf, "0x%X", rc);
+ 
+     return buf;
+ }
+@@ -966,19 +969,27 @@ Tss2_RC_Decode(TSS2_RC rc)
+         catbuf(buf, "%u:", layer);
+     }
+ 
+-    handler = !handler ? unknown_layer_handler : handler;
+-
+     /*
+      * Handlers only need the error bits. This way they don't
+      * need to concern themselves with masking off the layer
+      * bits or anything else.
+      */
+-    UINT16 err_bits = tpm2_error_get(rc);
+-    const char *e = err_bits ? handler(err_bits) : "success";
+-    if (e) {
+-        catbuf(buf, "%s", e);
+    if (handler) {
+        UINT16 err_bits = tpm2_error_get(rc);
+        const char *e = err_bits ? handler(err_bits) : "success";
+        if (e) {
+            catbuf(buf, "%s", e);
+        } else {
+            catbuf(buf, "0x%X", err_bits);
+        }
+     } else {
+-        catbuf(buf, "0x%X", err_bits);
+        /*
+         * we don't want to drop any bits if we don't know what to do with it
+         * so drop the layer byte since we we already have that.
+         */
+        const char *e = unknown_layer_handler(rc >> 8);
+        assert(e);
+        catbuf(buf, "%s", e);
+     }
+ 
+     return buf;
+diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c
+index f4249b7..6d8428b 100644
+--- a/test/unit/test_tss2_rc.c
+++ b/test/unit/test_tss2_rc.c
+@@ -199,7 +199,7 @@ test_custom_handler(void **state)
+      * Test an unknown layer
+      */
+     e = Tss2_RC_Decode(rc);
+-    assert_string_equal(e, "1:0x2A");
+    assert_string_equal(e, "1:0x100");
+ }
+ 
+ static void
+@@ -282,6 +282,23 @@ test_tcti(void **state)
+     assert_string_equal(e, "tcti:Fails to connect to next lower layer");
+ }
+ 
+static void
+test_all_FFs(void **state)
+{
+    (void) state;
+
+    const char *e = Tss2_RC_Decode(0xFFFFFFFF);
+    assert_string_equal(e, "255:0xFFFFFF");
+}
+
+static void
+test_all_FFs_set_handler(void **state)
+{
+    (void) state;
+    Tss2_RC_SetHandler(0xFF, "garbage", custom_err_handler);
+    Tss2_RC_SetHandler(0xFF, NULL, NULL);
+}
+
+ /* link required symbol, but tpm2_tool.c declares it AND main, which
+  * we have a main below for cmocka tests.
+  */
+@@ -313,6 +330,8 @@ main(int argc, char* argv[])
+             cmocka_unit_test(test_esys),
+             cmocka_unit_test(test_mu),
+             cmocka_unit_test(test_tcti),
+            cmocka_unit_test(test_all_FFs),
+            cmocka_unit_test(test_all_FFs_set_handler)
+     };
+ 
+     return cmocka_run_group_tests(tests, NULL, NULL);
+-- 
+2.27.0
+
--- a/tpm2-tss.spec
+++ b/tpm2-tss.spec
@ -1,11 +1,13 @@
 Name:          tpm2-tss
 Version:       3.2.1
-Release:       1
+Release:       2
 Summary:       TPM2.0 Software Stack
 License:       BSD
 URL:           https://github.com/tpm2-software/tpm2-tss
 Source0:       https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz

+Patch1: backport-CVE-2023-22745.patch
+
 BuildRequires: gcc-c++ autoconf-archive libtool pkgconfig systemd libgcrypt-devel openssl-devel doxygen json-c-devel libcurl-devel
 BuildRequires: curl >= 7.80.0

@ -70,6 +72,12 @@ make check
 %{_mandir}/man*/*

 %changelog
+* Tue Jan 31 2023 huangzq6 <huangzhenqiang2@huawei.com> - 3.2.1-2
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2023-22745
+
 * Fri Dec 23 2022 jinlun <jinlun@huawei.com> - 3.2.1-1
 - Type:enhancement
 - ID:NA