rpm/tpm2-0-tss
SHA256
1
0
Fork 0
forked from pool/tpm2-0-tss
Code Pull Requests Activity
1cb5b7a946
tpm2-0-tss/0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
Matthias Gerstner 4cd4a5bc82 - add 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch: fixes 
CVE-2023-22745 (bsc#1207325): Buffer Overlow in TSS2_RC_Decode. Overly large
  RC values passed to the TSS2 function could lead to memory overread or
  memory overread.
  This patch is not yet part of any upstream git tag.

OBS-URL: https://build.opensuse.org/package/show/security/tpm2-0-tss?expand=0&rev=124
2023-01-20 11:24:42 +00:00

91 lines
3.1 KiB
Diff
Raw Blame History

From 306490c8d848c367faa2d9df81f5e69dab46ffb5 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Thu, 19 Jan 2023 11:53:06 -0600
Subject: [PATCH] tss2_rc: ensure layer number is in bounds
The layer handler array was defined as 255, the max number of uint8,
which is the size of the layer field, however valid values are 0-255
allowing for 256 possibilities and thus the array was off by one and
needed to be sized to 256 entries. Update the size and add tests.
Note: previous implementations incorrectly dropped bits on unknown error
output, ie TSS2_RC of 0xFFFFFF should yeild a string of 255:0xFFFFFF,
but earlier implementations returned 255:0xFFFF, dropping the middle
bits, this patch fixes that.
Fixes: CVE-2023-22745
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
src/tss2-rc/tss2_rc.c | 31 +++++++++++++++++++++----------
test/unit/test_tss2_rc.c | 21 ++++++++++++++++++++-
2 files changed, 41 insertions(+), 11 deletions(-)
Index: tpm2-tss-3.2.0/src/tss2-rc/tss2_rc.c
===================================================================
--- tpm2-tss-3.2.0.orig/src/tss2-rc/tss2_rc.c
+++ tpm2-tss-3.2.0/src/tss2-rc/tss2_rc.c
@@ -1,5 +1,8 @@
/* SPDX-License-Identifier: BSD-2-Clause */
-
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include <assert.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
@@ -834,7 +837,7 @@ tss_err_handler (TSS2_RC rc)
static struct {
char name[TSS2_ERR_LAYER_NAME_MAX];
TSS2_RC_HANDLER handler;
-} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT] = {
+} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1] = {
ADD_HANDLER("tpm" , tpm2_ehandler),
ADD_NULL_HANDLER, /* layer 1 is unused */
ADD_NULL_HANDLER, /* layer 2 is unused */
@@ -869,7 +872,7 @@ unknown_layer_handler(TSS2_RC rc)
static __thread char buf[32];
clearbuf(buf);
- catbuf(buf, "0x%X", tpm2_error_get(rc));
+ catbuf(buf, "0x%X", rc);
return buf;
}
@@ -966,19 +969,27 @@ Tss2_RC_Decode(TSS2_RC rc)
catbuf(buf, "%u:", layer);
}
- handler = !handler ? unknown_layer_handler : handler;
-
/*
* Handlers only need the error bits. This way they don't
* need to concern themselves with masking off the layer
* bits or anything else.
*/
- UINT16 err_bits = tpm2_error_get(rc);
- const char *e = err_bits ? handler(err_bits) : "success";
- if (e) {
- catbuf(buf, "%s", e);
+ if (handler) {
+ UINT16 err_bits = tpm2_error_get(rc);
+ const char *e = err_bits ? handler(err_bits) : "success";
+ if (e) {
+ catbuf(buf, "%s", e);
+ } else {
+ catbuf(buf, "0x%X", err_bits);
+ }
} else {
- catbuf(buf, "0x%X", err_bits);
+ /*
+ * we don't want to drop any bits if we don't know what to do with it
+ * so drop the layer byte since we we already have that.
+ */
+ const char *e = unknown_layer_handler(rc >> 8);
+ assert(e);
+ catbuf(buf, "%s", e);
}
return buf;
View Git Blame Copy Permalink