diff --git a/SOURCES/0001-swtpm-Check-header-size-indicator-against-expected-s.patch b/SOURCES/0001-swtpm-Check-header-size-indicator-against-expected-s.patch new file mode 100644 index 0000000..9a962c3 --- /dev/null +++ b/SOURCES/0001-swtpm-Check-header-size-indicator-against-expected-s.patch @@ -0,0 +1,54 @@ +From 9f740868fc36761de27df3935513bdebf8852d19 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Wed, 16 Feb 2022 11:17:47 -0500 +Subject: [PATCH] swtpm: Check header size indicator against expected size (CID + 375869) + +This fix addresses Coverity issue CID 375869. + +Check the header size indicated in the header of the state against the +expected size and return an error code in case the header size indicator +is different. There was only one header size so far since blobheader was +introduced, so we don't need to deal with different sizes. + +Without this fix a specially craft header could have cause out-of-bounds +accesses on the byte array containing the swtpm's state. + +Signed-off-by: Stefan Berger +--- + src/swtpm/swtpm_nvstore.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/swtpm/swtpm_nvstore.c b/src/swtpm/swtpm_nvstore.c +index 437088370e11..144d8975ec54 100644 +--- a/src/swtpm/swtpm_nvstore.c ++++ b/src/swtpm/swtpm_nvstore.c +@@ -1075,6 +1075,7 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length, + uint8_t *hdrversion, bool quiet) + { + blobheader *bh = (blobheader *)data; ++ uint16_t hdrsize; + + if (length < sizeof(bh)) { + if (!quiet) +@@ -1100,8 +1101,16 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length, + return TPM_BAD_VERSION; + } + ++ hdrsize = ntohs(bh->hdrsize); ++ if (hdrsize != sizeof(blobheader)) { ++ logprintf(STDERR_FILENO, ++ "bad header size: %u != %zu\n", ++ hdrsize, sizeof(blobheader)); ++ return TPM_BAD_DATASIZE; ++ } ++ + *hdrversion = bh->version; +- *dataoffset = ntohs(bh->hdrsize); ++ *dataoffset = hdrsize; + *hdrflags = ntohs(bh->flags); + + return TPM_SUCCESS; +-- +2.34.1.428.gdcc0cd074f0c + diff --git a/SPECS/swtpm.spec b/SPECS/swtpm.spec index ffc92b2..6f5ab56 100644 --- a/SPECS/swtpm.spec +++ b/SPECS/swtpm.spec @@ -12,10 +12,11 @@ Summary: TPM Emulator Name: swtpm Version: 0.7.0 -Release: 1.%{gitdate}git%{gitshortcommit}%{?dist} +Release: 2.%{gitdate}git%{gitshortcommit}%{?dist} License: BSD Url: http://github.com/stefanberger/swtpm Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz +Patch0001: 0001-swtpm-Check-header-size-indicator-against-expected-s.patch BuildRequires: make BuildRequires: git-core @@ -178,6 +179,10 @@ fi %{_datadir}/swtpm/swtpm-create-tpmca %changelog +* Mon Feb 21 2022 Marc-André Lureau - 0.7.0-2.20211109gitb79fd91 +- Add fix for CVE-2022-23645. + Resolves: rhbz#2056518 + * Fri Nov 12 2021 Marc-André Lureau - 0.7.0-1.20211109gitb79fd91 - Update to v0.7.0 release Resolves: rhbz#2021580 & rhbz#1990153