|
|
76a1ca |
From 324dbb4c27ae789c73b69dbf4611242267919dd4 Mon Sep 17 00:00:00 2001
|
|
|
76a1ca |
From: Stefan Berger <stefanb@linux.ibm.com>
|
|
|
76a1ca |
Date: Mon, 20 Feb 2023 14:41:10 -0500
|
|
|
76a1ca |
Subject: [PATCH] tpm2: Check size of buffer before accessing it (CVE-2023-1017
|
|
|
76a1ca |
& -1018)
|
|
|
76a1ca |
|
|
|
76a1ca |
Check that there are sufficient bytes in the buffer before reading the
|
|
|
76a1ca |
cipherSize from it. Also, reduce the bufferSize variable by the number
|
|
|
76a1ca |
of bytes that make up the cipherSize to avoid reading and writing bytes
|
|
|
76a1ca |
beyond the buffer in subsequent steps that do in-place decryption.
|
|
|
76a1ca |
|
|
|
76a1ca |
This fixes CVE-2023-1017 & CVE-2023-1018.
|
|
|
76a1ca |
|
|
|
76a1ca |
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
|
|
|
76a1ca |
---
|
|
|
76a1ca |
src/tpm2/CryptUtil.c | 6 ++++++
|
|
|
76a1ca |
1 file changed, 6 insertions(+)
|
|
|
76a1ca |
|
|
|
76a1ca |
diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
|
|
|
76a1ca |
index 002fde0..8fae5b6 100644
|
|
|
76a1ca |
--- a/src/tpm2/CryptUtil.c
|
|
|
76a1ca |
+++ b/src/tpm2/CryptUtil.c
|
|
|
76a1ca |
@@ -830,6 +830,10 @@ CryptParameterDecryption(
|
|
|
76a1ca |
+ sizeof(session->sessionKey.t.buffer)));
|
|
|
76a1ca |
TPM2B_HMAC_KEY key; // decryption key
|
|
|
76a1ca |
UINT32 cipherSize = 0; // size of cipher text
|
|
|
76a1ca |
+
|
|
|
76a1ca |
+ if (leadingSizeInByte > bufferSize)
|
|
|
76a1ca |
+ return TPM_RC_INSUFFICIENT;
|
|
|
76a1ca |
+
|
|
|
76a1ca |
// Retrieve encrypted data size.
|
|
|
76a1ca |
if(leadingSizeInByte == 2)
|
|
|
76a1ca |
{
|
|
|
76a1ca |
@@ -837,6 +841,7 @@ CryptParameterDecryption(
|
|
|
76a1ca |
// data to be decrypted
|
|
|
76a1ca |
cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
|
|
|
76a1ca |
buffer = &buffer[2]; // advance the buffer
|
|
|
76a1ca |
+ bufferSize -= 2;
|
|
|
76a1ca |
}
|
|
|
76a1ca |
#ifdef TPM4B
|
|
|
76a1ca |
else if(leadingSizeInByte == 4)
|
|
|
76a1ca |
@@ -844,6 +849,7 @@ CryptParameterDecryption(
|
|
|
76a1ca |
// the leading size is four bytes so get the four byte size field
|
|
|
76a1ca |
cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
|
|
|
76a1ca |
buffer = &buffer[4]; //advance pointer
|
|
|
76a1ca |
+ bufferSize -= 4;
|
|
|
76a1ca |
}
|
|
|
76a1ca |
#endif
|
|
|
76a1ca |
else
|
|
|
76a1ca |
--
|
|
|
76a1ca |
2.39.2
|
|
|
76a1ca |
|