- add 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch: fixes
CVE-2023-22745 (bsc#1207325): Buffer Overflow in TSS2_RC_Decode. Overly large RC values passed to the TSS2 function could lead to a memory overread. This patch is not yet part of any upstream git tag. OBS-URL: https://build.opensuse.org/package/show/security/tpm2-0-tss?expand=0&rev=124
parent
4281ba40c5
commit
4cd4a5bc82
90
0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
Normal file
@ -0,0 +1,90 @@
|
|||||||
|
From 306490c8d848c367faa2d9df81f5e69dab46ffb5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: William Roberts <william.c.roberts@intel.com>
|
||||||
|
Date: Thu, 19 Jan 2023 11:53:06 -0600
|
||||||
|
Subject: [PATCH] tss2_rc: ensure layer number is in bounds
|
||||||
|
|
||||||
|
The layer handler array was defined as 255, the max number of uint8,
|
||||||
|
which is the size of the layer field, however valid values are 0-255
|
||||||
|
allowing for 256 possibilities and thus the array was off by one and
|
||||||
|
needed to be sized to 256 entries. Update the size and add tests.
|
||||||
|
|
||||||
|
Note: previous implementations incorrectly dropped bits on unknown error
|
||||||
|
output, ie TSS2_RC of 0xFFFFFF should yeild a string of 255:0xFFFFFF,
|
||||||
|
but earlier implementations returned 255:0xFFFF, dropping the middle
|
||||||
|
bits, this patch fixes that.
|
||||||
|
|
||||||
|
Fixes: CVE-2023-22745
|
||||||
|
|
||||||
|
Signed-off-by: William Roberts <william.c.roberts@intel.com>
|
||||||
|
---
|
||||||
|
src/tss2-rc/tss2_rc.c | 31 +++++++++++++++++++++----------
|
||||||
|
test/unit/test_tss2_rc.c | 21 ++++++++++++++++++++-
|
||||||
|
2 files changed, 41 insertions(+), 11 deletions(-)
|
||||||
|
|
||||||
|
Index: tpm2-tss-3.2.0/src/tss2-rc/tss2_rc.c
|
||||||
|
===================================================================
|
||||||
|
--- tpm2-tss-3.2.0.orig/src/tss2-rc/tss2_rc.c
|
||||||
|
+++ tpm2-tss-3.2.0/src/tss2-rc/tss2_rc.c
|
||||||
|
@@ -1,5 +1,8 @@
|
||||||
|
/* SPDX-License-Identifier: BSD-2-Clause */
|
||||||
|
-
|
||||||
|
+#ifdef HAVE_CONFIG_H
|
||||||
|
+#include "config.h"
|
||||||
|
+#endif
|
||||||
|
+#include <assert.h>
|
||||||
|
#include <stdarg.h>
|
||||||
|
#include <stdbool.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
@@ -834,7 +837,7 @@ tss_err_handler (TSS2_RC rc)
|
||||||
|
static struct {
|
||||||
|
char name[TSS2_ERR_LAYER_NAME_MAX];
|
||||||
|
TSS2_RC_HANDLER handler;
|
||||||
|
-} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT] = {
|
||||||
|
+} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1] = {
|
||||||
|
ADD_HANDLER("tpm" , tpm2_ehandler),
|
||||||
|
ADD_NULL_HANDLER, /* layer 1 is unused */
|
||||||
|
ADD_NULL_HANDLER, /* layer 2 is unused */
|
||||||
|
@@ -869,7 +872,7 @@ unknown_layer_handler(TSS2_RC rc)
|
||||||
|
static __thread char buf[32];
|
||||||
|
|
||||||
|
clearbuf(buf);
|
||||||
|
- catbuf(buf, "0x%X", tpm2_error_get(rc));
|
||||||
|
+ catbuf(buf, "0x%X", rc);
|
||||||
|
|
||||||
|
return buf;
|
||||||
|
}
|
||||||
|
@@ -966,19 +969,27 @@ Tss2_RC_Decode(TSS2_RC rc)
|
||||||
|
catbuf(buf, "%u:", layer);
|
||||||
|
}
|
||||||
|
|
||||||
|
- handler = !handler ? unknown_layer_handler : handler;
|
||||||
|
-
|
||||||
|
/*
|
||||||
|
* Handlers only need the error bits. This way they don't
|
||||||
|
* need to concern themselves with masking off the layer
|
||||||
|
* bits or anything else.
|
||||||
|
*/
|
||||||
|
- UINT16 err_bits = tpm2_error_get(rc);
|
||||||
|
- const char *e = err_bits ? handler(err_bits) : "success";
|
||||||
|
- if (e) {
|
||||||
|
- catbuf(buf, "%s", e);
|
||||||
|
+ if (handler) {
|
||||||
|
+ UINT16 err_bits = tpm2_error_get(rc);
|
||||||
|
+ const char *e = err_bits ? handler(err_bits) : "success";
|
||||||
|
+ if (e) {
|
||||||
|
+ catbuf(buf, "%s", e);
|
||||||
|
+ } else {
|
||||||
|
+ catbuf(buf, "0x%X", err_bits);
|
||||||
|
+ }
|
||||||
|
} else {
|
||||||
|
- catbuf(buf, "0x%X", err_bits);
|
||||||
|
+ /*
|
||||||
|
+ * we don't want to drop any bits if we don't know what to do with it
|
||||||
|
+ * so drop the layer byte since we we already have that.
|
||||||
|
+ */
|
||||||
|
+ const char *e = unknown_layer_handler(rc >> 8);
|
||||||
|
+ assert(e);
|
||||||
|
+ catbuf(buf, "%s", e);
|
||||||
|
}
|
||||||
|
|
||||||
|
return buf;
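Review bot: In the new `else` branch of Tss2_RC_Decode, `unknown_layer_handler(rc >> 8)` discards the low eight bits of `rc`, which matches neither the comment above it ("drop the layer byte") nor the commit message: for the message's own example 0xFFFFFF, the visible shift and the `0x%X` format would print 0xFFFF, the truncated form the patch says it fixes. The layer is extracted outside this hunk, so which byte holds it is inferred here; if it is not the low byte, error bits are still lost for unknown layers, and the intent should be checked against the patch's unit test, which this page does not show. At minimum the comment should state which bits the shift removes. Separately, `assert(e);` vanishes under NDEBUG and otherwise aborts the caller from inside a library decode routine, so a plain `if (e)` guard with a `catbuf(buf, "0x%X", rc);` fallback would be safer. Tss2_RC_Decode starts and ends outside the hunk.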
|
@ -1,3 +1,12 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jan 20 11:10:30 UTC 2023 - Matthias Gerstner <matthias.gerstner@suse.com>
|
||||||
|
|
||||||
|
- add 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch: fixes
|
||||||
|
CVE-2023-22745 (bsc#1207325): Buffer Overlow in TSS2_RC_Decode. Overly large
|
||||||
|
RC values passed to the TSS2 function could lead to memory overread or
|
||||||
|
memory overread.
|
||||||
|
This patch is not yet part of any upstream git tag.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Jul 11 11:19:36 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
|
Mon Jul 11 11:19:36 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package tpm2-0-tss
|
# spec file for package tpm2-0-tss
|
||||||
#
|
#
|
||||||
# Copyright (c) 2022 SUSE LLC
|
# Copyright (c) 2023 SUSE LLC
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -28,6 +28,7 @@ Source1: https://github.com/tpm2-software/tpm2-tss/releases/download/%{ve
|
|||||||
# curl https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xd6b4d8bac7e0cc97dcd4ac7272e88b53f7a95d84 > tpm2-tss.keyring
|
# curl https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xd6b4d8bac7e0cc97dcd4ac7272e88b53f7a95d84 > tpm2-tss.keyring
|
||||||
Source2: tpm2-tss.keyring
|
Source2: tpm2-tss.keyring
|
||||||
Source3: baselibs.conf
|
Source3: baselibs.conf
|
||||||
|
Patch0: 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
|
||||||
BuildRequires: /usr/sbin/groupadd
|
BuildRequires: /usr/sbin/groupadd
|
||||||
BuildRequires: acl
|
BuildRequires: acl
|
||||||
BuildRequires: doxygen
|
BuildRequires: doxygen
|
||||||
@ -185,7 +186,7 @@ details of direct communication with the interface and protocol exposed by the
|
|||||||
daemon hosting the TPM2 reference implementation.
|
daemon hosting the TPM2 reference implementation.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -n tpm2-tss-%{version}
|
%autosetup -p1 -n tpm2-tss-%{version}
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# configure looks for groupadd on PATH
|
# configure looks for groupadd on PATH
|
||||||
|