diff --git a/backport-CVE-2024-29040-FAPI-Fix-check-of-magic-.patch b/backport-CVE-2024-29040-FAPI-Fix-check-of-magic-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4f35fc35bd3d5cc3534bce1a0e0e950de04e0ceb
--- /dev/null
+++ b/backport-CVE-2024-29040-FAPI-Fix-check-of-magic-.patch
@@ -0,0 +1,112 @@
+From 710cd0b6adf3a063f34a8e92da46df7a107d9a99 Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Tue, 31 Oct 2023 11:08:41 +0100
+Subject: [PATCH] FAPI: Fix check of magic number in verify quote.
+
+After deserializing the quote info it was not checked whether
+the magic number in the attest is equal TPM2_GENERATED_VALUE.
+So an malicious attacker could generate arbitrary quote data
+which was not detected by Fapi_VerifyQuote.
+Now the number magic number is checket in verify quote and also
+in the deserialization of TPM2_GENERATED.
+The check is also added to the Unmarshal function for TPMS_ATTEST.
+
+Fixes: CVE-2024-29040
+
+Signed-off-by: Juergen Repp
+Signed-off-by: Andreas Fuchs
+---
+ src/tss2-fapi/api/Fapi_VerifyQuote.c | 5 +++++
+ src/tss2-fapi/tpm_json_deserialize.c | 11 +++++++++--
+ src/tss2-mu/tpms-types.c | 23 ++++++++++++++++++++++-
+ 3 files changed, 36 insertions(+), 3 deletions(-)
+
+diff --git a/src/tss2-fapi/api/Fapi_VerifyQuote.c b/src/tss2-fapi/api/Fapi_VerifyQuote.c
+index 8a0e119c..50474c6b 100644
+--- a/src/tss2-fapi/api/Fapi_VerifyQuote.c
++++ b/src/tss2-fapi/api/Fapi_VerifyQuote.c
+@@ -289,6 +289,11 @@ Fapi_VerifyQuote_Finish(
+ &command->fapi_quote_info);
+ goto_if_error(r, "Get quote info.", error_cleanup);
+
++ if (command->fapi_quote_info.attest.magic != TPM2_GENERATED_VALUE) {
++ goto_error(r, TSS2_FAPI_RC_SIGNATURE_VERIFICATION_FAILED,
++ "Attest without TPM2 generated value", error_cleanup);
++ }
++
+ /* Verify the signature over the attest2b structure. */
+ r = ifapi_verify_signature_quote(&key_object,
+ command->signature,
+diff --git a/src/tss2-fapi/tpm_json_deserialize.c b/src/tss2-fapi/tpm_json_deserialize.c
+index 4c45458a..1b27a83f 100644
+--- a/src/tss2-fapi/tpm_json_deserialize.c
++++ b/src/tss2-fapi/tpm_json_deserialize.c
+@@ -698,6 +698,7 @@ ifapi_json_TPM2_GENERATED_deserialize(json_object *jso, TPM2_GENERATED *out)
+ const char *s = json_object_get_string(jso);
+ const char *str = strip_prefix(s, "TPM_", "TPM2_", "GENERATED_", NULL);
+ LOG_TRACE("called for %s parsing %s", s, str);
++ TSS2_RC r;
+
+ if (str) {
+ for (size_t i = 0; i < sizeof(tab) / sizeof(tab[0]); i++) {
+@@ -707,8 +708,14 @@ ifapi_json_TPM2_GENERATED_deserialize(json_object *jso, TPM2_GENERATED *out)
+ }
+ }
+ }
+-
+- return ifapi_json_UINT32_deserialize(jso, out);
++ r = ifapi_json_UINT32_deserialize(jso, out);
++ return_if_error(r, "Could not deserialize UINT32");
++ if (*out != TPM2_GENERATED_VALUE) {
++ return_error2(TSS2_FAPI_RC_BAD_VALUE,
++ "Value %x not equal TPM self generated value %x",
++ *out, TPM2_GENERATED_VALUE);
++ }
++ return TSS2_RC_SUCCESS;
+ }
+
+ /** Deserialize a TPM2_ALG_ID json object.
+diff --git a/src/tss2-mu/tpms-types.c b/src/tss2-mu/tpms-types.c
+index 3ad72520..56aca0c3 100644
+--- a/src/tss2-mu/tpms-types.c
++++ b/src/tss2-mu/tpms-types.c
+@@ -22,6 +22,27 @@
+ #define VAL
+ #define TAB_SIZE(tab) (sizeof(tab) / sizeof(tab[0]))
+
++static TSS2_RC
++TPM2_GENERATED_Unmarshal(
++ uint8_t const buffer[],
++ size_t buffer_size,
++ size_t *offset,
++ TPM2_GENERATED *magic)
++{
++ TPM2_GENERATED mymagic = 0;
++ TSS2_RC rc = Tss2_MU_UINT32_Unmarshal(buffer, buffer_size, offset, &mymagic);
++ if (rc != TSS2_RC_SUCCESS) {
++ return rc;
++ }
++ if (mymagic != TPM2_GENERATED_VALUE) {
++ LOG_ERROR("Bad magic in tpms_attest");
++ return TSS2_SYS_RC_BAD_VALUE;
++ }
++ if (magic != NULL)
++ *magic = mymagic;
++ return TSS2_RC_SUCCESS;
++}
++
+ #define TPMS_PCR_MARSHAL(type, firstFieldMarshal) \
+ TSS2_RC \
+ Tss2_MU_##type##_Marshal(const type *src, uint8_t buffer[], \
+@@ -1219,7 +1240,7 @@ TPMS_MARSHAL_7_U(TPMS_ATTEST,
+ attested, ADDR, Tss2_MU_TPMU_ATTEST_Marshal)
+
+ TPMS_UNMARSHAL_7_U(TPMS_ATTEST,
+- magic, Tss2_MU_UINT32_Unmarshal,
++ magic, TPM2_GENERATED_Unmarshal,
+ type, Tss2_MU_TPM2_ST_Unmarshal,
+ qualifiedSigner, Tss2_MU_TPM2B_NAME_Unmarshal,
+ extraData, Tss2_MU_TPM2B_DATA_Unmarshal,
+--
+2.33.0
+
diff --git a/backport-FAPI-Skip-test-fapi-fix-provisioning-with-template-i.patch b/backport-FAPI-Skip-test-fapi-fix-provisioning-with-template-i.patch
new file mode 100644
index 0000000000000000000000000000000000000000..def6de7942f5091a6a11d5c5eac3297a18a5f321
--- /dev/null
+++ b/backport-FAPI-Skip-test-fapi-fix-provisioning-with-template-i.patch
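Review bot: `TPM2_GENERATED_Unmarshal` in the tpms-types.c hunk reports a rejected magic as `TSS2_SYS_RC_BAD_VALUE`, a SAPI-layer code returned from inside libtss2-mu, so the layer bits blame the wrong component; the MU library has its own code for this case and the line should read `return TSS2_MU_RC_BAD_VALUE;`. On that same failure path `*offset` has presumably already been advanced by the preceding `Tss2_MU_UINT32_Unmarshal`, so a caller inspecting the offset after the error sees it pointing past the rejected field — either document that with `/* NOTE: *offset is advanced even when the magic check fails. */` or unmarshal into a local offset and commit it only on success. The two FAPI hunks are consistent with each other (the JSON path rejects the value in `ifapi_json_TPM2_GENERATED_deserialize`, and `Fapi_VerifyQuote_Finish` re-checks `attest.magic` before the signature is verified), but both functions start and end outside their hunks, and the early return inside the `tab` loop that the second FAPI hunk cuts through is not visible here.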
@@ -0,0 +1,91 @@
+From 218c0da8d9f675766b1de502a52e23a3aa52648e Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Wed, 22 Mar 2023 10:54:59 +0100
+Subject: [PATCH] FAPI: Skip test fapi-fix-provisioning-with template if no
+ certificate is available.
+
+If the configure option --enable-self-generated-certificate is not used this
+test can't be executed because no certificate will be stored in NV ram. The
+test will be skipped if no certificate is available.
+Fixes: #2558
+
+Signed-off-by: Juergen Repp
+---
+ .../fapi-provisioning-with-template.int.c | 40 ++++++++++++++++++-
+ 1 file changed, 39 insertions(+), 1 deletion(-)
+
+diff --git a/test/integration/fapi-provisioning-with-template.int.c b/test/integration/fapi-provisioning-with-template.int.c
+index 54c724f5..74184cdc 100644
+--- a/test/integration/fapi-provisioning-with-template.int.c
++++ b/test/integration/fapi-provisioning-with-template.int.c
+@@ -4,6 +4,8 @@
+ #endif
+
+ #include
++#include
++#include
+
+ #include "tss2_esys.h"
+ #include "tss2_fapi.h"
+@@ -31,6 +33,39 @@
+ * @retval EXIT_SKIP
+ *
+ */
++static bool
++fapi_ek_certless()
++{
++ FILE *stream = NULL;
++ long config_size;
++ char *config = NULL;
++ char *fapi_config_file = getenv("TSS2_FAPICONF");
++
++ stream = fopen(fapi_config_file, "r");
++ if (!stream) {
++ LOG_ERROR("File %s does not exist", fapi_config_file);
++ return NULL;
++ }
++ fseek(stream, 0L, SEEK_END);
++ config_size = ftell(stream);
++ fclose(stream);
++ config = malloc(config_size + 1);
++ stream = fopen(fapi_config_file, "r");
++ ssize_t ret = read(fileno(stream), config, config_size);
++ if (ret != config_size) {
++ LOG_ERROR("IO error %s.", fapi_config_file);
++ return NULL;
++ }
++ config[config_size] = '\0';
++ if (strstr(config, "\"ek_cert_less\": \"yes\"") == NULL) {
++ SAFE_FREE(config);
++ return false;
++ } else {
++ SAFE_FREE(config);
++ return true;
++ }
++}
++
+ int
+ test_fapi_provision_template(FAPI_CONTEXT *context)
+ {
+@@ -151,6 +186,9 @@ test_fapi_provision_template(FAPI_CONTEXT *context)
+ TPM2B_AUTH auth = { .size = 0, .buffer = {} };
+ TPM2B_MAX_NV_BUFFER nv_data;
+
++ if (fapi_ek_certless())
++ return EXIT_SKIP;
++
+ if (strcmp(FAPI_PROFILE, "P_ECC") == 0) {
+ nv_template_idx = ecc_nv_template_idx;
+ nv_nonce_idx = ecc_nv_nonce_idx;
+@@ -169,7 +207,7 @@ test_fapi_provision_template(FAPI_CONTEXT *context)
+ r = Esys_Initialize(&esys_ctx, tcti, NULL);
+ goto_if_error(r, "Error Esys_Initialize", error);
+
+- /*
++ /*
+ * Store template (marshaled TPMT_PUBLIC) in NV ram.
+ */
+ r = Tss2_MU_TPMT_PUBLIC_Marshal(&in_public, &nv_data.buffer[0],
+--
+2.33.0
+
diff --git a/tpm2-tss.spec b/tpm2-tss.spec
index 8c85dd7c0d3800be6c607966deb55b76c397fe8f..b57c08bb90952f03d7020a105b35162c8429f626 100644
--- a/tpm2-tss.spec
+++ b/tpm2-tss.spec
@@ -1,11 +1,14 @@
 Name: tpm2-tss
 Version: 4.0.1
-Release: 1
+Release: 2
 Summary: TPM2.0 Software Stack
 License: BSD
 URL: https://github.com/tpm2-software/tpm2-tss
 Source0: https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz
+Patch0001: backport-FAPI-Skip-test-fapi-fix-provisioning-with-template-i.patch
+Patch0002: backport-CVE-2024-29040-FAPI-Fix-check-of-magic-.patch
+
 BuildRequires: gcc-c++ autoconf-archive libtool pkgconfig systemd libgcrypt-devel openssl-devel doxygen json-c-devel libcurl-devel util-linux-devel
 BuildRequires: curl >= 7.80.0 libcmocka-devel iproute uthash-devel swtpm
@@ -71,6 +74,9 @@ make check
 %{_mandir}/man*/*
 %changelog
+* Wed May 8 2024 jinlun - 4.0.1-2
+- fix CVE-2024-29040 and fix test check error
+
 * Tue Jan 23 2024 jinlun - 4.0.1-1
 - Type:enhancement
 - ID:NA
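Review bot: `fapi_ek_certless` in the fapi-provisioning-with-template.int.c hunk returns `NULL` from a `bool` function on both error paths, passes the unchecked result of `getenv("TSS2_FAPICONF")` to `fopen`, never checks the second `fopen`, `ftell` or `malloc`, and on the short-read path leaks `config` and the second `FILE *` (which is in fact never closed on any path). Opening the file once, reading it with `fread` and releasing everything through a single cleanup label makes every path close the stream and free the buffer, and the definition should take `(void)` rather than `()`. The rewrite below keeps the file's macros, the same probe string and the `false` result on any failure, so an unreadable config still runs (and fails loudly in) the test rather than silently skipping it; `read`/`fileno` then go unused, so one of the includes added by the first hunk may be unnecessary, which I cannot confirm because the header names are stripped in this rendering. The `-/*`/`+/*` hunk at the end is whitespace only.
```c
static bool
fapi_ek_certless(void)
{
    bool certless = false;
    FILE *stream = NULL;
    char *config = NULL;
    long config_size;
    char *fapi_config_file = getenv("TSS2_FAPICONF");

    if (!fapi_config_file) {
        LOG_ERROR("TSS2_FAPICONF is not set");
        return false;
    }
    stream = fopen(fapi_config_file, "r");
    if (!stream) {
        LOG_ERROR("File %s does not exist", fapi_config_file);
        return false;
    }
    /* Size the buffer from the stream, then rewind and read it in one go. */
    if (fseek(stream, 0L, SEEK_END) != 0 || (config_size = ftell(stream)) < 0 ||
        fseek(stream, 0L, SEEK_SET) != 0) {
        LOG_ERROR("IO error %s.", fapi_config_file);
        goto cleanup;
    }
    config = malloc((size_t)config_size + 1);
    if (!config) {
        LOG_ERROR("Out of memory");
        goto cleanup;
    }
    if (fread(config, 1, (size_t)config_size, stream) != (size_t)config_size) {
        LOG_ERROR("IO error %s.", fapi_config_file);
        goto cleanup;
    }
    config[config_size] = '\0';
    /* Same substring probe as before; the config is not parsed as JSON. */
    certless = strstr(config, "\"ek_cert_less\": \"yes\"") != NULL;

cleanup:
    SAFE_FREE(config);
    fclose(stream);
    return certless;
}
```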