From bea4a59ff9a5d9e6ec34455141e1b8b8c5d5337e Mon Sep 17 00:00:00 2001
From: cenhuilin
Date: Fri, 10 May 2024 15:32:58 +0800
Subject: [PATCH] fix CVE-2024-29038 CVE-2024-29039
---
 backport-CVE-2024-29038.patch | 37 +++++++++++++++
 backport-CVE-2024-29039.patch | 85 +++++++++++++++++++++++++++++++++++
 tpm2-tools.spec | 7 ++-
 3 files changed, 128 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-29038.patch
 create mode 100644 backport-CVE-2024-29039.patch
diff --git a/backport-CVE-2024-29038.patch b/backport-CVE-2024-29038.patch
new file mode 100644
index 0000000..fee439a
--- /dev/null
+++ b/backport-CVE-2024-29038.patch
@@ -0,0 +1,37 @@
+From 66d922d6547b7b4fe4f274fb2ec10b376e0e259 Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Fri, 10 May 2024 15:17:03 +0800
+Subject: [PATCH] tpm2_checkquote: Fix check of magic number.
+It was not checked whether the magic number in the
+attest is equal to TPM2_GENERATED_VALUE.
+So an malicious attacker could generate arbitrary quote data
+which was not detected by tpm2 checkquote.
+
+Fixes: CVE-2024-29038
+
+Signed-off-by: Juergen Repp
+---
+ tools/misc/tpm2_checkquote.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
+index ca78238..6d1a9f6 100644
+--- a/tools/misc/tpm2_checkquote.c
++++ b/tools/misc/tpm2_checkquote.c
+@@ -115,6 +115,13 @@ static bool verify(void) {
+ goto err;
+ }
+
++ // check magic
++ if (ctx.attest.magic != TPM2_GENERATED_VALUE) {
++ LOG_ERR("Bad magic, got: 0x%x, expected: 0x%x",
++ ctx.attest.magic, TPM2_GENERATED_VALUE);
++ return false;
++ }
++
+ // Also ensure digest from quote matches PCR digest
+ if (ctx.flags.pcr) {
+ if (!tpm2_util_verify_digests(&ctx.attest.attested.quote.pcrDigest,
+--
+2.33.0
+
diff --git a/backport-CVE-2024-29039.patch b/backport-CVE-2024-29039.patch
new file mode 100644
index 0000000..b9b07a9
--- /dev/null
+++ b/backport-CVE-2024-29039.patch
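Review bot: The new magic check in verify() returns false directly while the neighbouring checks in the same function use `goto err;`; the `err` label is outside the hunk, so if it releases the OpenSSL key or context objects that the earlier failure paths rely on, this early return skips that cleanup and leaks them on every rejected quote. Replacing the line with `goto err;` keeps the function's single exit, and since the context lines of the second patch show `bool result = false;` the caller still sees false. A one-line comment such as `// TPM2_GENERATED_VALUE is the first field of every TPM-produced attest; anything else was not emitted by a TPM` would also explain why this check belongs before the PCR digest comparison. verify() starts and ends outside the hunk.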
@@ -0,0 +1,85 @@
+From 98599df9392a346216c5a059b8d35271286100bb Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Fri, 10 May 2024 15:23:21 +0800
+Subject: [PATCH] tpm2_checkquote: Add comparison of pcr selection.
+The pcr selection which is passed with the --pcr parameter it not
+compared with the attest. So it's possible to fake a valid
+attestation.
+
+Fixes: CVE-2024-29039
+
+Signed-off-by: Juergen Repp
+Signed-off-by: Andreas Fuchs
+---
+ tools/misc/tpm2_checkquote.c | 41 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
+index 6d1a9f6..c4fdff6 100644
+--- a/tools/misc/tpm2_checkquote.c
++++ b/tools/misc/tpm2_checkquote.c
+@@ -54,6 +54,37 @@ static tpm2_verifysig_ctx ctx = {
+ .pcr_hash = TPM2B_TYPE_INIT(TPM2B_DIGEST, buffer),
+ };
+
++static bool compare_pcr_selection(TPML_PCR_SELECTION *attest_sel, TPML_PCR_SELECTION *pcr_sel) {
++ if (attest_sel->count != pcr_sel->count) {
++ LOG_ERR("Selection sizes do not match.");
++ return false;
++ }
++ for (uint32_t i = 0; i < attest_sel->count; i++) {
++ for (uint32_t j = 0; j < pcr_sel->count; j++) {
++ if (attest_sel->pcrSelections[i].hash ==
++ pcr_sel->pcrSelections[j].hash) {
++ if (attest_sel->pcrSelections[i].sizeofSelect !=
++ pcr_sel->pcrSelections[j].sizeofSelect) {
++ LOG_ERR("Bitmask size does not match");
++ return false;
++ }
++ if (memcmp(&attest_sel->pcrSelections[i].pcrSelect[0],
++ &pcr_sel->pcrSelections[j].pcrSelect[0],
++ attest_sel->pcrSelections[i].sizeofSelect) != 0) {
++ LOG_ERR("Selection bitmasks do not match");
++ return false;
++ }
++ break;
++ }
++ if (j == pcr_sel->count - 1) {
++ LOG_ERR("Hash selections to not match.");
++ return false;
++ }
++ }
++ }
++ return true;
++}
++
+ static bool verify(void) {
+
+ bool result = false;
+@@ -381,7 +412,7 @@ static tool_rc init(void) {
+ }
+
+ TPM2B_ATTEST *msg = NULL;
+- TPML_PCR_SELECTION pcr_select;
++ TPML_PCR_SELECTION pcr_select = { 0 };
+ tpm2_pcrs *pcrs;
+ tpm2_pcrs temp_pcrs;
+ tool_rc return_value = tool_rc_general_error;
+@@ -544,6 +575,14 @@ static tool_rc init(void) {
+ goto err;
+ }
+
++ if (ctx.flags.pcr) {
++ if (!compare_pcr_selection(&ctx.attest.attested.quote.pcrSelect,
++ &pcr_select)) {
++ LOG_ERR("PCR selection does not match PCR slection from attest!");
++ goto err;
++ }
++ }
++
+ // Figure out the digest for this message
+ res = tpm2_openssl_hash_compute_data(ctx.halg, msg->attestationData,
+ msg->size, &ctx.msg_hash);
+--
+2.33.0
+
diff --git a/tpm2-tools.spec b/tpm2-tools.spec
index f024a8f..d693fc4 100644
--- a/tpm2-tools.spec
+++ b/tpm2-tools.spec
@@ -1,6 +1,6 @@
 Name: tpm2-tools
 Version: 5.0
-Release: 4
+Release: 5
 Summary: A TPM2.0 testing tool based on TPM2.0-TSS
 License: BSD
 URL: https://github.com/tpm2-software/tpm2-tools
@@ -8,6 +8,8 @@ Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{v
 Patch0: backport-Don-t-assume-end-of-argv-is-NULL.patch
 Patch1: backport-CVE-2021-3565.patch
+Patch2: backport-CVE-2024-29038.patch
+Patch3: backport-CVE-2024-29039.patch
 BuildRequires: gcc-c++ libtool autoconf-archive pkgconfig(cmocka) pkgconfig(libcurl) pkgconfig(openssl)
 BuildRequires: pkgconfig(tss2-mu) pkgconfig(tss2-sys) pkgconfig(tss2-esys) pkgconfig(uuid) git libgcrypt
@@ -59,6 +61,9 @@ make check
 %{_mandir}/*/*
 %changelog
+* Fri May 10 2024 cenhuilin - 5.0-5
+- fix CVE-2024-29038 CVE-2024-29039
+
 * Mon Aug 29 2022 fuanan - 5.0-4
 - modify the changelog
--
Gitee
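Review bot: compare_pcr_selection only verifies that each entry of attest_sel has some matching entry in pcr_sel; equal counts make that a one-to-one match only when no hash algorithm appears twice in a list, so if a selection list can carry the same bank twice, two attest entries could both pair with a single --pcr entry while another --pcr bank is never compared at all. Marking each pcr_sel entry as claimed and keeping a found flag per outer iteration closes that gap and also replaces the `j == pcr_sel->count - 1` sentinel, which is easy to misread as an off-by-one. The memcmp length is taken from the attest side of the quote; it has just been checked equal to the --pcr side's sizeofSelect, so it is bounded by whatever the option parser produced rather than by the attest alone, and that reasoning deserves a comment next to the call. Two log strings carry typos, `Hash selections to not match.` and `PCR slection from attest!`. Both verify() and init() extend outside the hunk.
```c
static bool compare_pcr_selection(TPML_PCR_SELECTION *attest_sel, TPML_PCR_SELECTION *pcr_sel) {
    if (attest_sel->count != pcr_sel->count) {
        LOG_ERR("Selection sizes do not match.");
        return false;
    }
    /* Each --pcr entry may be claimed by at most one attest entry, so equal
     * counts plus a complete pass really do mean the two lists are identical. */
    bool used[TPM2_NUM_PCR_BANKS] = { false };
    for (uint32_t i = 0; i < attest_sel->count; i++) {
        const TPMS_PCR_SELECTION *a = &attest_sel->pcrSelections[i];
        bool found = false;
        for (uint32_t j = 0; j < pcr_sel->count && !found; j++) {
            const TPMS_PCR_SELECTION *p = &pcr_sel->pcrSelections[j];
            if (used[j] || a->hash != p->hash) {
                continue;
            }
            if (a->sizeofSelect != p->sizeofSelect) {
                LOG_ERR("Bitmask size does not match");
                return false;
            }
            /* The length comes from the attest, but it equals the --pcr side's
             * sizeofSelect, so it is bounded by what the option parser built. */
            if (memcmp(a->pcrSelect, p->pcrSelect, a->sizeofSelect) != 0) {
                LOG_ERR("Selection bitmasks do not match");
                return false;
            }
            used[j] = true;
            found = true;
        }
        if (!found) {
            LOG_ERR("Hash selections do not match.");
            return false;
        }
    }
    return true;
}
```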