diff --git a/0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch b/0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch new file mode 100644 index 0000000000000000000000000000000000000000..010c7112e67f9fbc4115356b72d204edb31a06ad --- /dev/null +++ b/0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch @@ -0,0 +1,50 @@ +From 9beadbbf256c5d08511b9fc286ab47626039d6db Mon Sep 17 00:00:00 2001 +From: jiangfangjie 00559066 +Date: Tue, 7 Mar 2023 13:18:44 +0800 +Subject: [PATCH] tpm2: Check size of buffer before accessing it (CVE-2023-1017 + & -1018) Check that there are sufficient bytes in the buffer before reading + the cipherSize from it. Also, reduce the bufferSize variable by the number of + bytes that make up the cipherSize to avoid reading and writing bytes beyond + the buffer in subsequent steps that do in-place decryption. + +This fixes CVE-2023-1017 & CVE-2023-1018. + +Signed-off-by: jiangfangjie +--- + src/tpm2/CryptUtil.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c +index 002fde0..9b7d56e 100644 +--- a/src/tpm2/CryptUtil.c ++++ b/src/tpm2/CryptUtil.c +@@ -830,6 +830,10 @@ CryptParameterDecryption( + + sizeof(session->sessionKey.t.buffer))); + TPM2B_HMAC_KEY key; // decryption key + UINT32 cipherSize = 0; // size of cipher text ++ ++ if (leadingSizeInByte > bufferSize) ++ return TPM_RC_INSUFFICIENT; ++ + // Retrieve encrypted data size. + if(leadingSizeInByte == 2) + { +@@ -837,6 +841,7 @@ CryptParameterDecryption( + // data to be decrypted + cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer); + buffer = &buffer[2]; // advance the buffer ++ bufferSize -= 2; + } + #ifdef TPM4B + else if(leadingSizeInByte == 4) +@@ -844,6 +849,7 @@ CryptParameterDecryption( + // the leading size is four bytes so get the four byte size field + cipherSize = BYTE_ARRAY_TO_UINT32(buffer); + buffer = &buffer[4]; //advance pointer ++ bufferSize -= 4; + } + #endif + else +-- +2.21.0.windows.1 + diff --git a/libtpms.spec b/libtpms.spec index 7b84fcd188b252791645900c545aa0b412b42921..2d10c5807a194ca0c3e8b1619aaa1a434b4c2285 100644 --- a/libtpms.spec +++ b/libtpms.spec @@ -2,7 +2,7 @@ %define name libtpms %define version 0.9.5 -%define release 1 +%define release 2 # Valid crypto subsystems are 'freebl' and 'openssl' %if "%{?crypto_subsystem}" == "" @@ -22,6 +22,8 @@ Url: http://github.com/stefanberger/libtpms Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz Provides: libtpms-%{crypto_subsystem} = %{version}-%{release} +Patch0: 0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch + %if "%{crypto_subsystem}" == "openssl" BuildRequires: openssl-devel %else @@ -113,6 +115,9 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libtpms.la %postun -p /sbin/ldconfig %changelog +* Tue Mar 07 2023 jiangfangjie - 0.9.5-2 +- fix CVE-2023--1018 and CVE-2023-1017 + * Fri Feb 03 2023 yezengruan - 0.9.5-1 - update to version 0.9.5