From 3ef9b26cb9f28bd64d738bff9505a20d4eb56acd Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.vnet.ibm.com>
Date: Mon, 21 Jun 2021 15:10:14 -0400
Subject: [PATCH 2/3] tpm2: Add maxSize parameter to TPM2B_Marshal for sanity
checks
|
Add maxSize parameter to TPM2B_Marshal and assert on it checking
the size of the data intended to be marshaled versus the maximum
buffer size.
|
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
src/tpm2/Marshal.c | 38 ++++++++++++++++++++------------------
src/tpm2/Marshal_fp.h | 2 +-
src/tpm2/NVMarshal.c | 18 +++++++++---------
3 files changed, 30 insertions(+), 28 deletions(-)
|
diff --git a/src/tpm2/Marshal.c b/src/tpm2/Marshal.c
index 53c241e..c843224 100644
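--- a/src/tpm2/Marshal.c
+++ b/src/tpm2/Marshal.c
@@ -59,6 +59,7 @@
 /* */
 /********************************************************************************/
 
+#include <assert.h> // libtpms added
 #include <string.h>
 
 #include "Tpm.h"
@@ -176,9 +177,10 @@ Array_Marshal(BYTE *sourceBuffer, UINT16 sourceSize, BYTE **buffer, INT32 *size)
 }
 
 UINT16
-TPM2B_Marshal(TPM2B *source, BYTE **buffer, INT32 *size)
+TPM2B_Marshal(TPM2B *source, UINT32 maxSize, BYTE **buffer, INT32 *size)
 {
 UINT16 written = 0;
+ assert(source->size <= maxSize); // libtpms added
 written += UINT16_Marshal(&(source->size), buffer, size);
 written += Array_Marshal(source->buffer, source->size, buffer, size);
 return written;
@@ -503,7 +505,7 @@ UINT16
 TPM2B_DIGEST_Marshal(TPM2B_DIGEST *source, BYTE **buffer, INT32 *size)
 {
 UINT16 written = 0;
-written += TPM2B_Marshal(&source->b, buffer, size);
+written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
 return written;
 }
 
@@ -513,7 +515,7 @@ UINT16
 TPM2B_DATA_Marshal(TPM2B_DATA *source, BYTE **buffer, INT32 *size)
 {
 UINT16 written = 0;
-written += TPM2B_Marshal(&source->b, buffer, size);
+written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
 return written;
 }
 
@@ -543,7 +545,7 @@ UINT16
 TPM2B_MAX_BUFFER_Marshal(TPM2B_MAX_BUFFER *source, BYTE **buffer, INT32 *size)
 {
 UINT16 written = 0;
- written += TPM2B_Marshal(&source->b, buffer, size);
+ written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
 return written;
 }
 
@@ -553,7 +555,7 @@ UINT16
 TPM2B_MAX_NV_BUFFER_Marshal(TPM2B_MAX_NV_BUFFER *source, BYTE **buffer, INT32 *size)
 {
 UINT16 written = 0;
- written += TPM2B_Marshal(&source->b, buffer, size);
+ written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
 return written;
 }
 
@@ -562,7 +564,7 @@ UINT16
 TPM2B_TIMEOUT_Marshal(TPM2B_TIMEOUT *source, BYTE **buffer, INT32 *size)
 {
 UINT16 written = 0;
- written += TPM2B_Marshal(&source->b, buffer, size);
+ written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
 return written;
 }
 
@@ -572,7 +574,7 @@ UINT16
 TPM2B_IV_Marshal(TPM2B_IV *source, BYTE **buffer, INT32 *size)
 {
 UINT16 written = 0;
- written += TPM2B_Marshal(&source->b, buffer, size);
+ written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
 return written;
 }
 
@@ -582,7 +584,7 @@ UINT16
 TPM2B_NAME_Marshal(TPM2B_NAME *source, BYTE **buffer, INT32 *size)
 {
 UINT16 written = 0;
- written += TPM2B_Marshal(&source->b, buffer, size);
+ written += TPM2B_Marshal(&source->b, sizeof(source->t.name), buffer, size); // libtpms changed
 return written;
 }
 
@@ -1163,7 +1165,7 @@ UINT16
 TPM2B_ATTEST_Marshal(TPM2B_ATTEST *source, BYTE **buffer, INT32 *size)
 {
 UINT16 written = 0;
- written += TPM2B_Marshal(&source->b, buffer, size);
+ written += TPM2B_Marshal(&source->b, sizeof(source->t.attestationData), buffer, size); // libtpms changed
 return written;
 }
 
@@ -1294,7 +1296,7 @@ UINT16
 TPM2B_SYM_KEY_Marshal(TPM2B_SYM_KEY *source, BYTE **buffer, INT32 *size)
 {
 UINT16 written = 0;
- written += TPM2B_Marshal(&source->b, buffer, size);
+ written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
 return written;
 }
 
@@ -1315,7 +1317,7 @@ UINT16
 TPM2B_SENSITIVE_DATA_Marshal(TPM2B_SENSITIVE_DATA *source, BYTE **buffer, INT32 *size)
 {
 UINT16 written = 0;
- written += TPM2B_Marshal(&source->b, buffer, size);
+ written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
 return written;
 }
 
@@ -1673,7 +1675,7 @@ UINT16
 TPM2B_PUBLIC_KEY_RSA_Marshal(TPM2B_PUBLIC_KEY_RSA *source, BYTE **buffer, INT32 *size)
 {
 UINT16 written = 0;
- written += TPM2B_Marshal(&source->b, buffer, size);
+ written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
 return written;
 }
 
@@ -1693,7 +1695,7 @@ UINT16
 TPM2B_PRIVATE_KEY_RSA_Marshal(TPM2B_PRIVATE_KEY_RSA *source, BYTE **buffer, INT32 *size)
 {
 UINT16 written = 0;
- written += TPM2B_Marshal(&source->b, buffer, size);
+ written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
 return written;
 }
 
@@ -1703,7 +1705,7 @@ UINT16
 TPM2B_ECC_PARAMETER_Marshal(TPM2B_ECC_PARAMETER *source, BYTE **buffer, INT32 *size)
 {
 UINT16 written = 0;
- written += TPM2B_Marshal(&source->b, buffer, size);
+ written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
 return written;
 }
 
@@ -1937,7 +1939,7 @@ UINT16
 TPM2B_ENCRYPTED_SECRET_Marshal(TPM2B_ENCRYPTED_SECRET *source, BYTE **buffer, INT32 *size)
 {
 UINT16 written = 0;
- written += TPM2B_Marshal(&source->b, buffer, size);
+ written += TPM2B_Marshal(&source->b, sizeof(source->t.secret), buffer, size); // libtpms changed
 return written;
 }
 
@@ -2148,7 +2150,7 @@ UINT16
 TPM2B_PRIVATE_Marshal(TPM2B_PRIVATE *source, BYTE **buffer, INT32 *size)
 {
 UINT16 written = 0;
- written += TPM2B_Marshal(&source->b, buffer, size);
+ written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
 return written;
 }
 
@@ -2158,7 +2160,7 @@ UINT16
 TPM2B_ID_OBJECT_Marshal(TPM2B_ID_OBJECT *source, BYTE **buffer, INT32 *size)
 {
 UINT16 written = 0;
- written += TPM2B_Marshal(&source->b, buffer, size);
+ written += TPM2B_Marshal(&source->b, sizeof(source->t.credential), buffer, size); // libtpms changed
 return written;
 }
 
@@ -2215,7 +2217,7 @@ UINT16
 TPM2B_CONTEXT_DATA_Marshal(TPM2B_CONTEXT_DATA *source, BYTE **buffer, INT32 *size)
 {
 UINT16 written = 0;
- written += TPM2B_Marshal(&source->b, buffer, size);
+ written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size); // libtpms changed
 return written;
 }
 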
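Review bot: The bound added in TPM2B_Marshal is enforced only by `assert(source->size <= maxSize);`, which is compiled out when the library is built with NDEBUG, so such a build would still pass an oversized `source->size` to Array_Marshal and presumably read past the end of the fixed-size member. When the assert is active it aborts the process that loaded the library rather than failing the TPM operation. A check that is present in every build would be safer, for example the reference code's `pAssert(source->size <= maxSize);` if that macro is usable in this file, or an explicit `if (source->size > maxSize)` path that marshals nothing. A short comment above the function stating that maxSize is the byte capacity of the caller's array member would also help, since every wrapper now has to pick the right `sizeof(source->t.<member>)`.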
diff --git a/src/tpm2/Marshal_fp.h b/src/tpm2/Marshal_fp.h
index 3ce6eb3..d52f497 100644
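--- a/src/tpm2/Marshal_fp.h
+++ b/src/tpm2/Marshal_fp.h
@@ -79,7 +79,7 @@ extern "C" {
 UINT16
 Array_Marshal(BYTE *sourceBuffer, UINT16 sourceSize, BYTE **buffer, INT32 *size);
 UINT16
- TPM2B_Marshal(TPM2B *source, BYTE **buffer, INT32 *size);
+ TPM2B_Marshal(TPM2B *source, UINT32 maxSize, BYTE **buffer, INT32 *size); // libtpms changed
 UINT16
 TPM_KEY_BITS_Marshal(TPM_KEY_BITS *source, BYTE **buffer, INT32 *size);
 UINT16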
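Review bot: The new `maxSize` parameter is undocumented at the declaration of TPM2B_Marshal, which is the only place callers outside Marshal.c see its contract. A one-line comment above the prototype would make it explicit, for example `/* maxSize: capacity in bytes of the array behind source; source->size must not exceed it */`. It is also worth noting there how a violation is handled, because callers cannot tell from the signature that the function does not return an error for it.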
diff --git a/src/tpm2/NVMarshal.c b/src/tpm2/NVMarshal.c
index 9f6d0f7..f8a3798 100644
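--- a/src/tpm2/NVMarshal.c
+++ b/src/tpm2/NVMarshal.c
@@ -278,7 +278,7 @@ static UINT16
 TPM2B_PROOF_Marshal(TPM2B_PROOF *source, BYTE **buffer, INT32 *size)
 {
 UINT16 written = 0;
- written += TPM2B_Marshal(&source->b, buffer, size);
+ written += TPM2B_Marshal(&source->b, sizeof(source->t.buffer), buffer, size);
 return written;
 }
 
@@ -1390,7 +1390,7 @@ STATE_RESET_DATA_Marshal(STATE_RESET_DATA *data, BYTE **buffer, INT32 *size)
 STATE_RESET_DATA_VERSION,
 STATE_RESET_DATA_MAGIC, 3);
 written += TPM2B_PROOF_Marshal(&data->nullProof, buffer, size);
- written += TPM2B_Marshal(&data->nullSeed.b, buffer, size);
+ written += TPM2B_Marshal(&data->nullSeed.b, sizeof(data->nullSeed.t.buffer), buffer, size);
 written += UINT32_Marshal(&data->clearCount, buffer, size);
 written += UINT64_Marshal(&data->objectContextID, buffer, size);
 
@@ -2178,7 +2178,7 @@ TPM2B_HASH_BLOCK_Marshal(TPM2B_HASH_BLOCK *data, BYTE **buffer, INT32 *size)
 {
 UINT16 written;
 
- written = TPM2B_Marshal(&data->b, buffer, size);
+ written = TPM2B_Marshal(&data->b, sizeof(data->t.buffer), buffer, size);
 
 return written;
 }
@@ -3062,9 +3062,9 @@ VolatileState_Marshal(BYTE **buffer, INT32 *size)
 
 /* tie the volatile state to the EP,SP, and PPSeed */
 NvRead(&pd, NV_PERSISTENT_DATA, sizeof(pd));
- written += TPM2B_Marshal(&pd.EPSeed.b, buffer, size);
- written += TPM2B_Marshal(&pd.SPSeed.b, buffer, size);
- written += TPM2B_Marshal(&pd.PPSeed.b, buffer, size);
+ written += TPM2B_Marshal(&pd.EPSeed.b, sizeof(pd.EPSeed.t.buffer), buffer, size);
+ written += TPM2B_Marshal(&pd.SPSeed.b, sizeof(pd.SPSeed.t.buffer), buffer, size);
+ written += TPM2B_Marshal(&pd.PPSeed.b, sizeof(pd.PPSeed.t.buffer), buffer, size);
 
 written += BLOCK_SKIP_WRITE_PUSH(TRUE, buffer, size); /* v4 */
 
@@ -3881,9 +3881,9 @@ PERSISTENT_DATA_Marshal(PERSISTENT_DATA *data, BYTE **buffer, INT32 *size)
 written += TPM2B_AUTH_Marshal(&data->ownerAuth, buffer, size);
 written += TPM2B_AUTH_Marshal(&data->endorsementAuth, buffer, size);
 written += TPM2B_AUTH_Marshal(&data->lockoutAuth, buffer, size);
- written += TPM2B_Marshal(&data->EPSeed.b, buffer, size);
- written += TPM2B_Marshal(&data->SPSeed.b, buffer, size);
- written += TPM2B_Marshal(&data->PPSeed.b, buffer, size);
+ written += TPM2B_Marshal(&data->EPSeed.b, sizeof(data->EPSeed.t.buffer), buffer, size);
+ written += TPM2B_Marshal(&data->SPSeed.b, sizeof(data->SPSeed.t.buffer), buffer, size);
+ written += TPM2B_Marshal(&data->PPSeed.b, sizeof(data->PPSeed.t.buffer), buffer, size);
 written += TPM2B_PROOF_Marshal(&data->phProof, buffer, size);
 written += TPM2B_PROOF_Marshal(&data->shProof, buffer, size);
 written += TPM2B_PROOF_Marshal(&data->ehProof, buffer, size);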
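Review bot: In the VolatileState_Marshal hunk the three seed sizes being bounded come from `pd`, which `NvRead(&pd, NV_PERSISTENT_DATA, sizeof(pd));` has just filled, so a bad size field in stored state is first noticed here, while state is being written out. If the load path does not already reject `size > sizeof(...t.buffer)` for EPSeed, SPSeed and PPSeed (it is not visible in this patch), the same bound belongs there, so that corrupted state is refused on input instead of tripping the check at save time. The same applies to the seed fields in the PERSISTENT_DATA_Marshal hunk. Both function bodies start and end outside their hunks.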
--
2.29.0