- add 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch: fixes

CVE-2023-22745 (bsc#1207325): Buffer Overlow in TSS2_RC_Decode. Overly large RC values passed to the TSS2 function could lead to memory overread or memory overread. This patch is not yet part of any upstream git tag. OBS-URL: https://build.opensuse.org/package/show/security/tpm2-0-tss?expand=0&rev=124
2023-01-20 11:24:42 +00:00 · 2023-01-20 11:24:42 +00:00 · 4cd4a5bc82
commit 4cd4a5bc82
parent 4281ba40c5
3 changed files with 102 additions and 2 deletions
--- a/0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
+++ b/0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
@ -0,0 +1,90 @@
+From 306490c8d848c367faa2d9df81f5e69dab46ffb5 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Thu, 19 Jan 2023 11:53:06 -0600
+Subject: [PATCH] tss2_rc: ensure layer number is in bounds
+
+The layer handler array was defined as 255, the max number of uint8,
+which is the size of the layer field, however valid values are 0-255
+allowing for 256 possibilities and thus the array was off by one and
+needed to be sized to 256 entries. Update the size and add tests.
+
+Note: previous implementations incorrectly dropped bits on unknown error
+output, ie TSS2_RC of 0xFFFFFF should yeild a string of 255:0xFFFFFF,
+but earlier implementations returned 255:0xFFFF, dropping the middle
+bits, this patch fixes that.
+
+Fixes: CVE-2023-22745
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+ src/tss2-rc/tss2_rc.c    | 31 +++++++++++++++++++++----------
+ test/unit/test_tss2_rc.c | 21 ++++++++++++++++++++-
+ 2 files changed, 41 insertions(+), 11 deletions(-)
+
+Index: tpm2-tss-3.2.0/src/tss2-rc/tss2_rc.c
+===================================================================
+--- tpm2-tss-3.2.0.orig/src/tss2-rc/tss2_rc.c
+++ tpm2-tss-3.2.0/src/tss2-rc/tss2_rc.c
+@@ -1,5 +1,8 @@
+ /* SPDX-License-Identifier: BSD-2-Clause */
+-
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include <assert.h>
+ #include <stdarg.h>
+ #include <stdbool.h>
+ #include <stdio.h>
+@@ -834,7 +837,7 @@ tss_err_handler (TSS2_RC rc)
+ static struct {
+     char name[TSS2_ERR_LAYER_NAME_MAX];
+     TSS2_RC_HANDLER handler;
+-} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT] = {
+} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1] = {
+     ADD_HANDLER("tpm" , tpm2_ehandler),
+     ADD_NULL_HANDLER,                       /* layer 1  is unused */
+     ADD_NULL_HANDLER,                       /* layer 2  is unused */
+@@ -869,7 +872,7 @@ unknown_layer_handler(TSS2_RC rc)
+     static __thread char buf[32];
+ 
+     clearbuf(buf);
+-    catbuf(buf, "0x%X", tpm2_error_get(rc));
+    catbuf(buf, "0x%X", rc);
+ 
+     return buf;
+ }
+@@ -966,19 +969,27 @@ Tss2_RC_Decode(TSS2_RC rc)
+         catbuf(buf, "%u:", layer);
+     }
+ 
+-    handler = !handler ? unknown_layer_handler : handler;
+-
+     /*
+      * Handlers only need the error bits. This way they don't
+      * need to concern themselves with masking off the layer
+      * bits or anything else.
+      */
+-    UINT16 err_bits = tpm2_error_get(rc);
+-    const char *e = err_bits ? handler(err_bits) : "success";
+-    if (e) {
+-        catbuf(buf, "%s", e);
+    if (handler) {
+        UINT16 err_bits = tpm2_error_get(rc);
+        const char *e = err_bits ? handler(err_bits) : "success";
+        if (e) {
+            catbuf(buf, "%s", e);
+        } else {
+            catbuf(buf, "0x%X", err_bits);
+        }
+     } else {
+-        catbuf(buf, "0x%X", err_bits);
+        /*
+         * we don't want to drop any bits if we don't know what to do with it
+         * so drop the layer byte since we we already have that.
+         */
+        const char *e = unknown_layer_handler(rc >> 8);
+        assert(e);
+        catbuf(buf, "%s", e);
+     }
+ 
+     return buf;
--- a/tpm2-0-tss.changes
+++ b/tpm2-0-tss.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Jan 20 11:10:30 UTC 2023 - Matthias Gerstner <matthias.gerstner@suse.com>
+
+- add 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch: fixes
+  CVE-2023-22745 (bsc#1207325): Buffer Overlow in TSS2_RC_Decode. Overly large
+  RC values passed to the TSS2 function could lead to memory overread or
+  memory overread.
+  This patch is not yet part of any upstream git tag.
+
 -------------------------------------------------------------------
 Mon Jul 11 11:19:36 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>

--- a/tpm2-0-tss.spec
+++ b/tpm2-0-tss.spec
@ -1,7 +1,7 @@
 #
 # spec file for package tpm2-0-tss
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -28,6 +28,7 @@ Source1:        https://github.com/tpm2-software/tpm2-tss/releases/download/%{ve
 # curl https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xd6b4d8bac7e0cc97dcd4ac7272e88b53f7a95d84 > tpm2-tss.keyring
 Source2:        tpm2-tss.keyring
 Source3:        baselibs.conf
+Patch0:         0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
 BuildRequires:  /usr/sbin/groupadd
 BuildRequires:  acl
 BuildRequires:  doxygen
@ -185,7 +186,7 @@ details of direct communication with the interface and protocol exposed by the
 daemon hosting the TPM2 reference implementation.

 %prep
-%autosetup -n tpm2-tss-%{version}
+%autosetup -p1 -n tpm2-tss-%{version}

 %build
 # configure looks for groupadd on PATH