From f3a4d3ac67b549815349abd417715b0dfaaa3a5c Mon Sep 17 00:00:00 2001 From: jiangfangjie Date: Wed, 17 May 2023 15:54:25 +0800 Subject: [PATCH] Fix CVE-2023--1018 and CVE-2023-1017 (cherry picked from commit 899999ff567fa4c5c2b4edc8c95eebd8d070df8b) --- libtpms.spec | 6 ++- ...of-buffer-before-accessing-it-CVE-20.patch | 50 +++++++++++++++++++ 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch diff --git a/libtpms.spec b/libtpms.spec index 31b29d0..1a4979b 100644 --- a/libtpms.spec +++ b/libtpms.spec @@ -6,7 +6,7 @@ %define name libtpms %define versionx 0.7.3 -%define release 7 +%define release 8 # Valid crypto subsystems are 'freebl' and 'openssl' %if "%{?crypto_subsystem}" == "" @@ -40,6 +40,7 @@ Patch10: tpm2-NVMarshal-Handle-index-orderly-RAM-without-0-si.patch Patch11: tpm2-Reset-TPM2B-buffer-sizes-after-test-fails-for-v.patch Patch12: tpm2-Add-maxSize-parameter-to-TPM2B_Marshal-for-sani.patch Patch13: tpm2-Restore-original-value-if-unmarsalled-value-was.patch +Patch14: tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch %if "%{crypto_subsystem}" == "openssl" BuildRequires: openssl-devel @@ -132,6 +133,9 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libtpms.la %postun -p /sbin/ldconfig %changelog +* Wed May 17 2023 jiangfangjie - 0.7.3-8 +- fix CVE-2023--1018 and CVE-2023-1017 + * Wed May 18 2022 yezengruan - 0.7.3-7 - tpm2: Reset TPM2B buffer sizes after test fails for valid buffer size - tpm2: Add maxSize parameter to TPM2B_Marshal for sanity checks diff --git a/tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch b/tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch new file mode 100644 index 0000000..010c711 --- /dev/null +++ b/tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch @@ -0,0 +1,50 @@ +From 9beadbbf256c5d08511b9fc286ab47626039d6db Mon Sep 17 00:00:00 2001 +From: jiangfangjie 00559066 +Date: Tue, 7 Mar 2023 13:18:44 +0800 +Subject: [PATCH] tpm2: Check size of buffer before accessing it (CVE-2023-1017 + & -1018) Check that there are sufficient bytes in the buffer before reading + the cipherSize from it. Also, reduce the bufferSize variable by the number of + bytes that make up the cipherSize to avoid reading and writing bytes beyond + the buffer in subsequent steps that do in-place decryption. + +This fixes CVE-2023-1017 & CVE-2023-1018. + +Signed-off-by: jiangfangjie +--- + src/tpm2/CryptUtil.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c +index 002fde0..9b7d56e 100644 +--- a/src/tpm2/CryptUtil.c ++++ b/src/tpm2/CryptUtil.c +@@ -830,6 +830,10 @@ CryptParameterDecryption( + + sizeof(session->sessionKey.t.buffer))); + TPM2B_HMAC_KEY key; // decryption key + UINT32 cipherSize = 0; // size of cipher text ++ ++ if (leadingSizeInByte > bufferSize) ++ return TPM_RC_INSUFFICIENT; ++ + // Retrieve encrypted data size. + if(leadingSizeInByte == 2) + { +@@ -837,6 +841,7 @@ CryptParameterDecryption( + // data to be decrypted + cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer); + buffer = &buffer[2]; // advance the buffer ++ bufferSize -= 2; + } + #ifdef TPM4B + else if(leadingSizeInByte == 4) +@@ -844,6 +849,7 @@ CryptParameterDecryption( + // the leading size is four bytes so get the four byte size field + cipherSize = BYTE_ARRAY_TO_UINT32(buffer); + buffer = &buffer[4]; //advance pointer ++ bufferSize -= 4; + } + #endif + else +-- +2.21.0.windows.1 + -- Gitee