diff options
Diffstat (limited to 'debian/patches/tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch')
-rw-r--r-- | debian/patches/tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/debian/patches/tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch b/debian/patches/tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch new file mode 100644 index 0000000..89fef6a --- /dev/null +++ b/debian/patches/tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch @@ -0,0 +1,55 @@ +From: Stefan Berger <stefanb@linux.ibm.com> +Date: Mon, 20 Feb 2023 14:41:10 -0500 +Subject: tpm2: Check size of buffer before accessing it (CVE-2023-1017 & + -1018) +Origin: https://github.com/stefanberger/libtpms/commit/324dbb4c27ae789c73b69dbf4611242267919dd4 +Bug-Debian: https://bugs.debian.org/1032420 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-1018 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-1017 + +Check that there are sufficient bytes in the buffer before reading the +cipherSize from it. Also, reduce the bufferSize variable by the number +of bytes that make up the cipherSize to avoid reading and writing bytes +beyond the buffer in subsequent steps that do in-place decryption. + +This fixes CVE-2023-1017 & CVE-2023-1018. + +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> +--- + src/tpm2/CryptUtil.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c +index 002fde0987a9..8fae5b6903ca 100644 +--- a/src/tpm2/CryptUtil.c ++++ b/src/tpm2/CryptUtil.c +@@ -830,6 +830,10 @@ CryptParameterDecryption( + + sizeof(session->sessionKey.t.buffer))); + TPM2B_HMAC_KEY key; // decryption key + UINT32 cipherSize = 0; // size of cipher text ++ ++ if (leadingSizeInByte > bufferSize) ++ return TPM_RC_INSUFFICIENT; ++ + // Retrieve encrypted data size. + if(leadingSizeInByte == 2) + { +@@ -837,6 +841,7 @@ CryptParameterDecryption( + // data to be decrypted + cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer); + buffer = &buffer[2]; // advance the buffer ++ bufferSize -= 2; + } + #ifdef TPM4B + else if(leadingSizeInByte == 4) +@@ -844,6 +849,7 @@ CryptParameterDecryption( + // the leading size is four bytes so get the four byte size field + cipherSize = BYTE_ARRAY_TO_UINT32(buffer); + buffer = &buffer[4]; //advance pointer ++ bufferSize -= 4; + } + #endif + else +-- +2.39.2 + |