From 08229935aec1ab279b7042b8c8baf261cb2c3e97 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Wed, 9 Mar 2022 18:10:12 +0800
Subject: [PATCH] swtpm: Check header size indicator against expected size (CVE-2022-23645)

Signed-off-by: yezengruan
---
 ...er-size-indicator-against-expected-s.patch | 51 +++++++++++++++++++
 ...e-files-atomically-using-file-renami.patch | 0
 ...h-to-open-from-fopen-for-writing-cer.patch | 0
 ...low-symlinks-when-opening-lockfile-C.patch | 0
 ...open-from-fopen-for-the-pidfile-CVE-.patch | 0
 ...ot-fopen-when-accessing-statefile-CV.patch | 0
 swtpm.spec | 21 ++++----
 7 files changed, 63 insertions(+), 9 deletions(-)
 create mode 100644 0001-swtpm-Check-header-size-indicator-against-expected-s.patch
 rename 0001-swtpm-Write-state-files-atomically-using-file-renami.patch => 0002-swtpm-Write-state-files-atomically-using-file-renami.patch (100%)
 rename 0002-swtpm_cert-Switch-to-open-from-fopen-for-writing-cer.patch => 0003-swtpm_cert-Switch-to-open-from-fopen-for-writing-cer.patch (100%)
 rename 0003-swtpm-Do-not-follow-symlinks-when-opening-lockfile-C.patch => 0004-swtpm-Do-not-follow-symlinks-when-opening-lockfile-C.patch (100%)
 rename 0004-swtpm-Switch-to-open-from-fopen-for-the-pidfile-CVE-.patch => 0005-swtpm-Switch-to-open-from-fopen-for-the-pidfile-CVE-.patch (100%)
 rename 0005-swtpm-Use-open-not-fopen-when-accessing-statefile-CV.patch => 0006-swtpm-Use-open-not-fopen-when-accessing-statefile-CV.patch (100%)

diff --git a/0001-swtpm-Check-header-size-indicator-against-expected-s.patch b/0001-swtpm-Check-header-size-indicator-against-expected-s.patch
new file mode 100644
index 0000000..7d6b4d7
--- /dev/null
+++ b/0001-swtpm-Check-header-size-indicator-against-expected-s.patch
@@ -0,0 +1,51 @@
+From c518445f9fddc786f191f4f5926bf483fa2bd1ff Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Wed, 16 Feb 2022 11:17:47 -0500
+Subject: [PATCH] swtpm: Check header size indicator against expected size (CID
+ 375869)
+
+This fix addresses Coverity issue CID 375869 (CVE-2022-23645).
+
+Check the header size indicated in the header of the state against the
+expected size and return an error code in case the header size indicator
+is different. There was only one header size so far since blobheader was
+introduced, so we don't need to deal with different sizes.
+
+Without this fix a specially crafted header could cause out-of-bounds
+accesses on the byte array containing the swtpm's state.
+
+Signed-off-by: Stefan Berger
+---
+ src/swtpm/swtpm_nvfile.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/swtpm/swtpm_nvfile.c b/src/swtpm/swtpm_nvfile.c
+index dc7cfbf1..0efb9da8 100644
+--- a/src/swtpm/swtpm_nvfile.c
++++ b/src/swtpm/swtpm_nvfile.c
+@@ -1260,6 +1260,7 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
+ uint8_t *hdrversion, bool quiet)
+ {
+ blobheader *bh = (blobheader *)data;
++ uint16_t hdrsize;
+ 
+ if (length < sizeof(bh)) {
+ if (!quiet)
+@@ -1285,8 +1286,16 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
+ return TPM_BAD_VERSION;
+ }
+ 
++ hdrsize = ntohs(bh->hdrsize);
++ if (hdrsize != sizeof(blobheader)) {
++ logprintf(STDERR_FILENO,
++ "bad header size: %u != %zu\n",
++ hdrsize, sizeof(blobheader));
++ return TPM_BAD_DATASIZE;
++ }
++
+ *hdrversion = bh->version;
+- *dataoffset = ntohs(bh->hdrsize);
++ *dataoffset = hdrsize;
+ *hdrflags = ntohs(bh->flags);
+ 
+ return TPM_SUCCESS;
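Review bot: The new `hdrsize = ntohs(bh->hdrsize)` read in the second nested hunk is only in bounds if the minimum-length guard a few lines earlier covers the whole header, but that guard, visible as a context line, is `if (length < sizeof(bh))`, and `bh` is a `blobheader *`, so `length` is compared against the size of a pointer rather than of the structure. If `blobheader` is larger than a pointer on the target ABI (which cannot be confirmed from this hunk; check the struct definition), a buffer that passes the guard can still be shorter than the fields read below it, and the backport inherits this from upstream without addressing it. The guard should read `if (length < sizeof(blobheader)) {` (or `sizeof(*bh)`), which also makes it consistent with the new `hdrsize != sizeof(blobheader)` comparison and with the error path that follows. `SWTPM_NVRAM_CheckHeader` begins and ends outside the hunk, and since this is a vendored patch file the correction belongs in the nested hunk or a follow-up patch rather than in the spec repository itself.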
diff --git a/0001-swtpm-Write-state-files-atomically-using-file-renami.patch b/0002-swtpm-Write-state-files-atomically-using-file-renami.patch
similarity index 100%
rename from 0001-swtpm-Write-state-files-atomically-using-file-renami.patch
rename to 0002-swtpm-Write-state-files-atomically-using-file-renami.patch
diff --git a/0002-swtpm_cert-Switch-to-open-from-fopen-for-writing-cer.patch b/0003-swtpm_cert-Switch-to-open-from-fopen-for-writing-cer.patch
similarity index 100%
rename from 0002-swtpm_cert-Switch-to-open-from-fopen-for-writing-cer.patch
rename to 0003-swtpm_cert-Switch-to-open-from-fopen-for-writing-cer.patch
diff --git a/0003-swtpm-Do-not-follow-symlinks-when-opening-lockfile-C.patch b/0004-swtpm-Do-not-follow-symlinks-when-opening-lockfile-C.patch
similarity index 100%
rename from 0003-swtpm-Do-not-follow-symlinks-when-opening-lockfile-C.patch
rename to 0004-swtpm-Do-not-follow-symlinks-when-opening-lockfile-C.patch
diff --git a/0004-swtpm-Switch-to-open-from-fopen-for-the-pidfile-CVE-.patch b/0005-swtpm-Switch-to-open-from-fopen-for-the-pidfile-CVE-.patch
similarity index 100%
rename from 0004-swtpm-Switch-to-open-from-fopen-for-the-pidfile-CVE-.patch
rename to 0005-swtpm-Switch-to-open-from-fopen-for-the-pidfile-CVE-.patch
diff --git a/0005-swtpm-Use-open-not-fopen-when-accessing-statefile-CV.patch b/0006-swtpm-Use-open-not-fopen-when-accessing-statefile-CV.patch
similarity index 100%
rename from 0005-swtpm-Use-open-not-fopen-when-accessing-statefile-CV.patch
rename to 0006-swtpm-Use-open-not-fopen-when-accessing-statefile-CV.patch
diff --git a/swtpm.spec b/swtpm.spec
index e350f79..3d8d28e 100644
--- a/swtpm.spec
+++ b/swtpm.spec
@@ -12,17 +12,17 @@ Summary: TPM Emulator
 Name: swtpm
 Version: 0.3.3
-Release: 5
+Release: 6
 License: BSD
 Url: http://github.com/stefanberger/swtpm
 Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz
 Patch00: 0000-rename-deprecated-libtasn1-types-to-fix-build-error.patch
-Patch01: 0001-swtpm-Write-state-files-atomically-using-file-renami.patch
-Patch02: 0002-swtpm_cert-Switch-to-open-from-fopen-for-writing-cer.patch
-Patch03: 0003-swtpm-Do-not-follow-symlinks-when-opening-lockfile-C.patch
-Patch04: 0004-swtpm-Switch-to-open-from-fopen-for-the-pidfile-CVE-.patch
-Patch05: 0005-swtpm-Use-open-not-fopen-when-accessing-statefile-CV.patch
-
+Patch01: 0001-swtpm-Check-header-size-indicator-against-expected-s.patch
+Patch02: 0002-swtpm-Write-state-files-atomically-using-file-renami.patch
+Patch03: 0003-swtpm_cert-Switch-to-open-from-fopen-for-writing-cer.patch
+Patch04: 0004-swtpm-Do-not-follow-symlinks-when-opening-lockfile-C.patch
+Patch05: 0005-swtpm-Switch-to-open-from-fopen-for-the-pidfile-CVE-.patch
+Patch06: 0006-swtpm-Use-open-not-fopen-when-accessing-statefile-CV.patch
 
 
 BuildRequires: automake
 BuildRequires: autoconf
@@ -171,10 +171,13 @@ fi
 %attr( 755, tss, tss) %{_localstatedir}/lib/swtpm-localca
 
 %changelog
-* Thu Jun 30 2022 yezengruan - 0.3.3-5
+* Thu Jun 30 2022 yezengruan - 0.3.3-6
 - Addressed potential symlink attack issue (CVE-2020-28407)
 
-* Wed Apr 06 2022 xigaoxinyan - 0.3.3-4
+* Wed Mar 9 2022 yaoxin - 0.3.3-5
+- swtpm: Check header size indicator against expected size (CVE-2022-23645)
+
+* Wed Feb 16 2022 xu_ping - 0.3.3-4
 - rename deprecated libtasn1 types to fix build error
 
 * Tue Nov 16 2021 imxcc - 0.3.3-3
-- 
Gitee
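Review bot: The new fix is inserted at the head of the series as Patch01 and the five existing backports are renumbered and renamed, so the CVE-2022-23645 change is applied to the pristine 0.3.3 tree ahead of the older patches whose names suggest they touch the same state-file code; if the build applies patches in Patch order (the %prep section is not visible here), this is the reverse of the upstream chronology and invites context drift on future updates. Appending it instead, as `Patch06: 0006-swtpm-Check-header-size-indicator-against-expected-s.patch` with the existing entries left untouched, would keep the series and file names stable and shrink the commit to one new file plus the spec. The second hunk also rewrites two published changelog entries: the 0.3.3-5 entry dated Jun 30 2022 becomes 0.3.3-6, and the 0.3.3-4 entry changes author and date from `Wed Apr 06 2022 xigaoxinyan` to `Wed Feb 16 2022 xu_ping`, while the new entry is dated Mar 9 2022 and placed beneath an entry dated after it. Existing entries should stay as they were; this release should get a fresh entry at the top of %changelog carrying its own date, author and `0.3.3-6`.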