|
|
3a4686 |
From 9f740868fc36761de27df3935513bdebf8852d19 Mon Sep 17 00:00:00 2001
|
|
|
3a4686 |
From: Stefan Berger <stefanb@linux.ibm.com>
|
|
|
3a4686 |
Date: Wed, 16 Feb 2022 11:17:47 -0500
|
|
|
3a4686 |
Subject: [PATCH] swtpm: Check header size indicator against expected size (CID
|
|
|
3a4686 |
375869)
|
|
|
3a4686 |
|
|
|
3a4686 |
This fix addresses Coverity issue CID 375869.
|
|
|
3a4686 |
|
|
|
3a4686 |
Check the header size indicated in the header of the state against the
|
|
|
3a4686 |
expected size and return an error code in case the header size indicator
|
|
|
3a4686 |
is different. There was only one header size so far since blobheader was
|
|
|
3a4686 |
introduced, so we don't need to deal with different sizes.
|
|
|
3a4686 |
|
|
|
3a4686 |
Without this fix a specially craft header could have cause out-of-bounds
|
|
|
3a4686 |
accesses on the byte array containing the swtpm's state.
|
|
|
3a4686 |
|
|
|
3a4686 |
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
|
|
|
3a4686 |
---
|
|
|
3a4686 |
src/swtpm/swtpm_nvstore.c | 11 ++++++++++-
|
|
|
3a4686 |
1 file changed, 10 insertions(+), 1 deletion(-)
|
|
|
3a4686 |
|
|
|
3a4686 |
diff --git a/src/swtpm/swtpm_nvstore.c b/src/swtpm/swtpm_nvstore.c
|
|
|
3a4686 |
index 437088370e11..144d8975ec54 100644
|
|
|
3a4686 |
--- a/src/swtpm/swtpm_nvstore.c
|
|
|
3a4686 |
+++ b/src/swtpm/swtpm_nvstore.c
|
|
|
3a4686 |
@@ -1075,6 +1075,7 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
|
|
|
3a4686 |
uint8_t *hdrversion, bool quiet)
|
|
|
3a4686 |
{
|
|
|
3a4686 |
blobheader *bh = (blobheader *)data;
|
|
|
3a4686 |
+ uint16_t hdrsize;
|
|
|
3a4686 |
|
|
|
3a4686 |
if (length < sizeof(bh)) {
|
|
|
3a4686 |
if (!quiet)
|
|
|
3a4686 |
@@ -1100,8 +1101,16 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
|
|
|
3a4686 |
return TPM_BAD_VERSION;
|
|
|
3a4686 |
}
|
|
|
3a4686 |
|
|
|
3a4686 |
+ hdrsize = ntohs(bh->hdrsize);
|
|
|
3a4686 |
+ if (hdrsize != sizeof(blobheader)) {
|
|
|
3a4686 |
+ logprintf(STDERR_FILENO,
|
|
|
3a4686 |
+ "bad header size: %u != %zu\n",
|
|
|
3a4686 |
+ hdrsize, sizeof(blobheader));
|
|
|
3a4686 |
+ return TPM_BAD_DATASIZE;
|
|
|
3a4686 |
+ }
|
|
|
3a4686 |
+
|
|
|
3a4686 |
*hdrversion = bh->version;
|
|
|
3a4686 |
- *dataoffset = ntohs(bh->hdrsize);
|
|
|
3a4686 |
+ *dataoffset = hdrsize;
|
|
|
3a4686 |
*hdrflags = ntohs(bh->flags);
|
|
|
3a4686 |
|
|
|
3a4686 |
return TPM_SUCCESS;
|
|
|
3a4686 |
--
|
|
|
3a4686 |
2.34.1.428.gdcc0cd074f0c
|
|
|
3a4686 |
|