!32 修复CVE-2023-22745

From: @huangzq6 Reviewed-by: @HuaxinLuGitee, @zhujianwei001 Signed-off-by: @HuaxinLuGitee, @zhujianwei001
2023-02-01 09:26:22 +00:00 · 2023-02-01 09:26:22 +00:00 · 5fcb220c6a
commit 5fcb220c6a
parent cee6989b0a c47134161a
2 changed files with 148 additions and 1 deletions
--- a/backport-CVE-2023-22745.patch
+++ b/backport-CVE-2023-22745.patch
@ -0,0 +1,139 @@
 From 306490c8d848c367faa2d9df81f5e69dab46ffb5 Mon Sep 17 00:00:00 2001
 From: William Roberts <william.c.roberts@intel.com>
 Date: Thu, 19 Jan 2023 11:53:06 -0600
 Subject: [PATCH] tss2_rc: ensure layer number is in bounds
 The layer handler array was defined as 255, the max number of uint8,
 which is the size of the layer field, however valid values are 0-255
 allowing for 256 possibilities and thus the array was off by one and
 needed to be sized to 256 entries. Update the size and add tests.
 Note: previous implementations incorrectly dropped bits on unknown error
 output, ie TSS2_RC of 0xFFFFFF should yeild a string of 255:0xFFFFFF,
 but earlier implementations returned 255:0xFFFF, dropping the middle
 bits, this patch fixes that.
 Fixes: CVE-2023-22745
 Signed-off-by: William Roberts <william.c.roberts@intel.com>
 ---
 src/tss2-rc/tss2_rc.c    | 31 +++++++++++++++++++++----------
 test/unit/test_tss2_rc.c | 21 ++++++++++++++++++++-
 2 files changed, 41 insertions(+), 11 deletions(-)
 diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c
 index 15ced56..4e14659 100644
 --- a/src/tss2-rc/tss2_rc.c
 +++ b/src/tss2-rc/tss2_rc.c
@@ -1,5 +1,8 @@
 /* SPDX-License-Identifier: BSD-2-Clause */
 -
 +#ifdef HAVE_CONFIG_H
 +#include "config.h"
 +#endif
 +#include <assert.h>
 #include <stdarg.h>
 #include <stdbool.h>
 #include <stdio.h>
@@ -834,7 +837,7 @@ tss_err_handler (TSS2_RC rc)
 static struct {
     char name[TSS2_ERR_LAYER_NAME_MAX];
     TSS2_RC_HANDLER handler;
 -} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT] = {
 +} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1] = {
     ADD_HANDLER("tpm" , tpm2_ehandler),
     ADD_NULL_HANDLER,                       /* layer 1  is unused */
     ADD_NULL_HANDLER,                       /* layer 2  is unused */
@@ -869,7 +872,7 @@ unknown_layer_handler(TSS2_RC rc)
     static __thread char buf[32];
     clearbuf(buf);
 -    catbuf(buf, "0x%X", tpm2_error_get(rc));
 +    catbuf(buf, "0x%X", rc);
     return buf;
 }
@@ -966,19 +969,27 @@ Tss2_RC_Decode(TSS2_RC rc)
         catbuf(buf, "%u:", layer);
     }
 -    handler = !handler ? unknown_layer_handler : handler;
 -
     /*
      * Handlers only need the error bits. This way they don't
      * need to concern themselves with masking off the layer
      * bits or anything else.
      */
 -    UINT16 err_bits = tpm2_error_get(rc);
 -    const char *e = err_bits ? handler(err_bits) : "success";
 -    if (e) {
 -        catbuf(buf, "%s", e);
 +    if (handler) {
 +        UINT16 err_bits = tpm2_error_get(rc);
 +        const char *e = err_bits ? handler(err_bits) : "success";
 +        if (e) {
 +            catbuf(buf, "%s", e);
 +        } else {
 +            catbuf(buf, "0x%X", err_bits);
 +        }
     } else {
 -        catbuf(buf, "0x%X", err_bits);
 +        /*
 +         * we don't want to drop any bits if we don't know what to do with it
 +         * so drop the layer byte since we we already have that.
 +         */
 +        const char *e = unknown_layer_handler(rc >> 8);
 +        assert(e);
 +        catbuf(buf, "%s", e);
     }
     return buf;
 diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c
 index f4249b7..6d8428b 100644
 --- a/test/unit/test_tss2_rc.c
 +++ b/test/unit/test_tss2_rc.c
@@ -199,7 +199,7 @@ test_custom_handler(void **state)
      * Test an unknown layer
      */
     e = Tss2_RC_Decode(rc);
 -    assert_string_equal(e, "1:0x2A");
 +    assert_string_equal(e, "1:0x100");
 }
 static void
@@ -282,6 +282,23 @@ test_tcti(void **state)
     assert_string_equal(e, "tcti:Fails to connect to next lower layer");
 }
 +static void
 +test_all_FFs(void **state)
 +{
 +    (void) state;
 +
 +    const char *e = Tss2_RC_Decode(0xFFFFFFFF);
 +    assert_string_equal(e, "255:0xFFFFFF");
 +}
 +
 +static void
 +test_all_FFs_set_handler(void **state)
 +{
 +    (void) state;
 +    Tss2_RC_SetHandler(0xFF, "garbage", custom_err_handler);
 +    Tss2_RC_SetHandler(0xFF, NULL, NULL);
 +}
 +
 /* link required symbol, but tpm2_tool.c declares it AND main, which
  * we have a main below for cmocka tests.
  */
@@ -313,6 +330,8 @@ main(int argc, char* argv[])
             cmocka_unit_test(test_esys),
             cmocka_unit_test(test_mu),
             cmocka_unit_test(test_tcti),
 +            cmocka_unit_test(test_all_FFs),
 +            cmocka_unit_test(test_all_FFs_set_handler)
     };
     return cmocka_run_group_tests(tests, NULL, NULL);
 -- 
 2.27.0
--- a/tpm2-tss.spec
+++ b/tpm2-tss.spec
@ -1,11 +1,13 @@
 Name:          tpm2-tss
 Version:       3.2.1
-Release:       1
+Release:       2
 Summary:       TPM2.0 Software Stack
 License:       BSD
 URL:           https://github.com/tpm2-software/tpm2-tss
 Source0:       https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz
 Patch1: backport-CVE-2023-22745.patch
 BuildRequires: gcc-c++ autoconf-archive libtool pkgconfig systemd libgcrypt-devel openssl-devel doxygen json-c-devel libcurl-devel
 BuildRequires: curl >= 7.80.0
@ -70,6 +72,12 @@ make check
 %{_mandir}/man*/*
 %changelog
 * Tue Jan 31 2023 huangzq6 <huangzhenqiang2@huawei.com> - 3.2.1-2
 - Type:CVE
 - ID:NA
 - SUG:NA
 - DESC:fix CVE-2023-22745
 * Fri Dec 23 2022 jinlun <jinlun@huawei.com> - 3.2.1-1
 - Type:enhancement
 - ID:NA