From 4cd4a5bc82e7ff1267a3070c2fd0fb41d47b78fe87e5aa26c4a15fa8bdaf0c00 Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Fri, 20 Jan 2023 11:24:42 +0000 Subject: [PATCH] - add 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch: fixes CVE-2023-22745 (bsc#1207325): Buffer Overlow in TSS2_RC_Decode. Overly large RC values passed to the TSS2 function could lead to memory overread or memory overread. This patch is not yet part of any upstream git tag. OBS-URL: https://build.opensuse.org/package/show/security/tpm2-0-tss?expand=0&rev=124 --- ..._rc-ensure-layer-number-is-in-bounds.patch | 90 +++++++++++++++++++ tpm2-0-tss.changes | 9 ++ tpm2-0-tss.spec | 5 +- 3 files changed, 102 insertions(+), 2 deletions(-) create mode 100644 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch diff --git a/0001-tss2_rc-ensure-layer-number-is-in-bounds.patch b/0001-tss2_rc-ensure-layer-number-is-in-bounds.patch new file mode 100644 index 0000000..0ad7f9d --- /dev/null +++ b/0001-tss2_rc-ensure-layer-number-is-in-bounds.patch 
@@ -0,0 +1,90 @@ +From 306490c8d848c367faa2d9df81f5e69dab46ffb5 Mon Sep 17 00:00:00 2001 +From: William Roberts +Date: Thu, 19 Jan 2023 11:53:06 -0600 +Subject: [PATCH] tss2_rc: ensure layer number is in bounds + +The layer handler array was defined as 255, the max number of uint8, +which is the size of the layer field, however valid values are 0-255 +allowing for 256 possibilities and thus the array was off by one and +needed to be sized to 256 entries. Update the size and add tests. + +Note: previous implementations incorrectly dropped bits on unknown error +output, ie TSS2_RC of 0xFFFFFF should yeild a string of 255:0xFFFFFF, +but earlier implementations returned 255:0xFFFF, dropping the middle +bits, this patch fixes that. + +Fixes: CVE-2023-22745 + +Signed-off-by: William Roberts +--- + src/tss2-rc/tss2_rc.c | 31 +++++++++++++++++++++---------- + test/unit/test_tss2_rc.c | 21 ++++++++++++++++++++- + 2 files changed, 41 insertions(+), 11 deletions(-) + +Index: tpm2-tss-3.2.0/src/tss2-rc/tss2_rc.c +=================================================================== +--- tpm2-tss-3.2.0.orig/src/tss2-rc/tss2_rc.c ++++ tpm2-tss-3.2.0/src/tss2-rc/tss2_rc.c +@@ -1,5 +1,8 @@ + /* SPDX-License-Identifier: BSD-2-Clause */ +- ++#ifdef HAVE_CONFIG_H ++#include "config.h" ++#endif ++#include + #include + #include + #include +@@ -834,7 +837,7 @@ tss_err_handler (TSS2_RC rc) + static struct { + char name[TSS2_ERR_LAYER_NAME_MAX]; + TSS2_RC_HANDLER handler; +-} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT] = { ++} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1] = { + ADD_HANDLER("tpm" , tpm2_ehandler), + ADD_NULL_HANDLER, /* layer 1 is unused */ + ADD_NULL_HANDLER, /* layer 2 is unused */ +@@ -869,7 +872,7 @@ unknown_layer_handler(TSS2_RC rc) + static __thread char buf[32]; + + clearbuf(buf); +- catbuf(buf, "0x%X", tpm2_error_get(rc)); ++ catbuf(buf, "0x%X", rc); + + return buf; + } +@@ -966,19 +969,27 @@ Tss2_RC_Decode(TSS2_RC rc) + catbuf(buf, "%u:", layer); + } + +- 
handler = !handler ? unknown_layer_handler : handler; +- + /* + * Handlers only need the error bits. This way they don't + * need to concern themselves with masking off the layer + * bits or anything else. + */ +- UINT16 err_bits = tpm2_error_get(rc); +- const char *e = err_bits ? handler(err_bits) : "success"; +- if (e) { +- catbuf(buf, "%s", e); ++ if (handler) { ++ UINT16 err_bits = tpm2_error_get(rc); ++ const char *e = err_bits ? handler(err_bits) : "success"; ++ if (e) { ++ catbuf(buf, "%s", e); ++ } else { ++ catbuf(buf, "0x%X", err_bits); ++ } + } else { +- catbuf(buf, "0x%X", err_bits); ++ /* ++ * we don't want to drop any bits if we don't know what to do with it ++ * so drop the layer byte since we we already have that. ++ */ ++ const char *e = unknown_layer_handler(rc >> 8); ++ assert(e); ++ catbuf(buf, "%s", e); + } + + return buf; diff --git a/tpm2-0-tss.changes b/tpm2-0-tss.changes index bcad9a5..715ab09 100644 --- a/tpm2-0-tss.changes +++ b/tpm2-0-tss.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Fri Jan 20 11:10:30 UTC 2023 - Matthias Gerstner + +- add 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch: fixes + CVE-2023-22745 (bsc#1207325): Buffer Overlow in TSS2_RC_Decode. Overly large + RC values passed to the TSS2 function could lead to memory overread or + memory overread. + This patch is not yet part of any upstream git tag. + ------------------------------------------------------------------- Mon Jul 11 11:19:36 UTC 2022 - Alberto Planas Dominguez diff --git a/tpm2-0-tss.spec b/tpm2-0-tss.spec index c075011..e1cdbc3 100644 --- a/tpm2-0-tss.spec +++ b/tpm2-0-tss.spec @@ -1,7 +1,7 @@ # # spec file for package tpm2-0-tss # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
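Review bot: In the new `else` branch of Tss2_RC_Decode, `unknown_layer_handler(rc >> 8)` matches neither the comment above it nor the commit message. The shift discards the low eight bits of `rc`, and with the `"0x%X"` format now used in unknown_layer_handler the message's own example 0xFFFFFF would print as `255:0xFFFF`, not `255:0xFFFFFF`. If the layer field sits at bits 16–23 (as TSS2_RC_LAYER_SHIFT in tss2_common.h suggests; not visible here), the layer byte is also still part of the printed value, so the comment should at least say what the code does, e.g. `/* low 8 bits of rc are dropped here; the remaining bits are printed as hex */`, or the argument should be changed to match the message. Separately, the inner diffstat lists test/unit/test_tss2_rc.c, but only the tss2_rc.c section appears in this 90-line file, so the boundary tests for layer 255 are apparently not carried by the package. Tss2_RC_Decode's body starts outside the inner hunk.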
@@ -28,6 +28,7 @@ Source1: https://github.com/tpm2-software/tpm2-tss/releases/download/%{ve # curl https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xd6b4d8bac7e0cc97dcd4ac7272e88b53f7a95d84 > tpm2-tss.keyring Source2: tpm2-tss.keyring Source3: baselibs.conf +Patch0: 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch BuildRequires: /usr/sbin/groupadd BuildRequires: acl BuildRequires: doxygen @@ -185,7 +186,7 @@ details of direct communication with the interface and protocol exposed by the daemon hosting the TPM2 reference implementation. %prep -%autosetup -n tpm2-tss-%{version} +%autosetup -p1 -n tpm2-tss-%{version} %build # configure looks for groupadd on PATH
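Review bot: The new `Patch0:` line has no comment recording where the patch comes from or when it can be dropped, although the changelog entry says it is not yet part of any upstream git tag. A line above it such as `# PATCH-FIX-UPSTREAM 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch bsc#1207325 CVE-2023-22745 -- drop once a release containing it is packaged` would keep that next to the patch for whoever does the next version bump. The `-p1` added to `%autosetup` is consistent with the `tpm2-tss-3.2.0/` path prefix in the patch.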