Projects
Mega:24.03:SP1:Everything
tpm2-tss
_service:tar_scm:backport-CVE-2024-29040-FAPI-F...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:backport-CVE-2024-29040-FAPI-Fix-check-of-magic-.patch of Package tpm2-tss
From 710cd0b6adf3a063f34a8e92da46df7a107d9a99 Mon Sep 17 00:00:00 2001 From: Juergen Repp <juergen_repp@web.de> Date: Tue, 31 Oct 2023 11:08:41 +0100 Subject: [PATCH] FAPI: Fix check of magic number in verify quote. After deserializing the quote info it was not checked whether the magic number in the attest is equal TPM2_GENERATED_VALUE. So an malicious attacker could generate arbitrary quote data which was not detected by Fapi_VerifyQuote. Now the number magic number is checket in verify quote and also in the deserialization of TPM2_GENERATED. The check is also added to the Unmarshal function for TPMS_ATTEST. Fixes: CVE-2024-29040 Signed-off-by: Juergen Repp <juergen_repp@web.de> Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com> --- src/tss2-fapi/api/Fapi_VerifyQuote.c | 5 +++++ src/tss2-fapi/tpm_json_deserialize.c | 11 +++++++++-- src/tss2-mu/tpms-types.c | 23 ++++++++++++++++++++++- 3 files changed, 36 insertions(+), 3 deletions(-) diff --git a/src/tss2-fapi/api/Fapi_VerifyQuote.c b/src/tss2-fapi/api/Fapi_VerifyQuote.c index 8a0e119c..50474c6b 100644 --- a/src/tss2-fapi/api/Fapi_VerifyQuote.c +++ b/src/tss2-fapi/api/Fapi_VerifyQuote.c @@ -289,6 +289,11 @@ Fapi_VerifyQuote_Finish( &command->fapi_quote_info); goto_if_error(r, "Get quote info.", error_cleanup); + if (command->fapi_quote_info.attest.magic != TPM2_GENERATED_VALUE) { + goto_error(r, TSS2_FAPI_RC_SIGNATURE_VERIFICATION_FAILED, + "Attest without TPM2 generated value", error_cleanup); + } + /* Verify the signature over the attest2b structure. */ r = ifapi_verify_signature_quote(&key_object, command->signature, diff --git a/src/tss2-fapi/tpm_json_deserialize.c b/src/tss2-fapi/tpm_json_deserialize.c index 4c45458a..1b27a83f 100644 --- a/src/tss2-fapi/tpm_json_deserialize.c +++ b/src/tss2-fapi/tpm_json_deserialize.c @@ -698,6 +698,7 @@ ifapi_json_TPM2_GENERATED_deserialize(json_object *jso, TPM2_GENERATED *out) const char *s = json_object_get_string(jso); const char *str = strip_prefix(s, "TPM_", "TPM2_", "GENERATED_", NULL); LOG_TRACE("called for %s parsing %s", s, str); + TSS2_RC r; if (str) { for (size_t i = 0; i < sizeof(tab) / sizeof(tab[0]); i++) { @@ -707,8 +708,14 @@ ifapi_json_TPM2_GENERATED_deserialize(json_object *jso, TPM2_GENERATED *out) } } } - - return ifapi_json_UINT32_deserialize(jso, out); + r = ifapi_json_UINT32_deserialize(jso, out); + return_if_error(r, "Could not deserialize UINT32"); + if (*out != TPM2_GENERATED_VALUE) { + return_error2(TSS2_FAPI_RC_BAD_VALUE, + "Value %x not equal TPM self generated value %x", + *out, TPM2_GENERATED_VALUE); + } + return TSS2_RC_SUCCESS; } /** Deserialize a TPM2_ALG_ID json object. diff --git a/src/tss2-mu/tpms-types.c b/src/tss2-mu/tpms-types.c index 3ad72520..56aca0c3 100644 --- a/src/tss2-mu/tpms-types.c +++ b/src/tss2-mu/tpms-types.c @@ -22,6 +22,27 @@ #define VAL #define TAB_SIZE(tab) (sizeof(tab) / sizeof(tab[0])) +static TSS2_RC +TPM2_GENERATED_Unmarshal( + uint8_t const buffer[], + size_t buffer_size, + size_t *offset, + TPM2_GENERATED *magic) +{ + TPM2_GENERATED mymagic = 0; + TSS2_RC rc = Tss2_MU_UINT32_Unmarshal(buffer, buffer_size, offset, &mymagic); + if (rc != TSS2_RC_SUCCESS) { + return rc; + } + if (mymagic != TPM2_GENERATED_VALUE) { + LOG_ERROR("Bad magic in tpms_attest"); + return TSS2_SYS_RC_BAD_VALUE; + } + if (magic != NULL) + *magic = mymagic; + return TSS2_RC_SUCCESS; +} + #define TPMS_PCR_MARSHAL(type, firstFieldMarshal) \ TSS2_RC \ Tss2_MU_##type##_Marshal(const type *src, uint8_t buffer[], \ @@ -1219,7 +1240,7 @@ TPMS_MARSHAL_7_U(TPMS_ATTEST, attested, ADDR, Tss2_MU_TPMU_ATTEST_Marshal) TPMS_UNMARSHAL_7_U(TPMS_ATTEST, - magic, Tss2_MU_UINT32_Unmarshal, + magic, TPM2_GENERATED_Unmarshal, type, Tss2_MU_TPM2_ST_Unmarshal, qualifiedSigner, Tss2_MU_TPM2B_NAME_Unmarshal, extraData, Tss2_MU_TPM2B_DATA_Unmarshal, -- 2.33.0
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2