!57 [sync] PR-52: 修复漏洞CVE-2024-29040

From: @openeuler-sync-bot Reviewed-by: @zhujianwei001 Signed-off-by: @zhujianwei001
2024-05-10 02:02:42 +00:00 · 2024-05-10 02:02:42 +00:00 · 1f08ef82ce
commit 1f08ef82ce
parent 87de602fa9 b30590ab64
3 changed files with 210 additions and 1 deletions
--- a/backport-CVE-2024-29040-FAPI-Fix-check-of-magic-.patch
+++ b/backport-CVE-2024-29040-FAPI-Fix-check-of-magic-.patch
@ -0,0 +1,112 @@
+From 710cd0b6adf3a063f34a8e92da46df7a107d9a99 Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_repp@web.de>
+Date: Tue, 31 Oct 2023 11:08:41 +0100
+Subject: [PATCH] FAPI: Fix check of magic number in verify quote.
+
+After deserializing the quote info it was not checked whether
+the magic number in the attest is equal TPM2_GENERATED_VALUE.
+So an malicious attacker could generate arbitrary quote data
+which was not detected by Fapi_VerifyQuote.
+Now the number magic number is checket in verify quote and also
+in the deserialization of TPM2_GENERATED.
+The check is also added to the Unmarshal function for TPMS_ATTEST.
+
+Fixes: CVE-2024-29040
+
+Signed-off-by: Juergen Repp <juergen_repp@web.de>
+Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com>
+---
+ src/tss2-fapi/api/Fapi_VerifyQuote.c |  5 +++++
+ src/tss2-fapi/tpm_json_deserialize.c | 11 +++++++++--
+ src/tss2-mu/tpms-types.c             | 23 ++++++++++++++++++++++-
+ 3 files changed, 36 insertions(+), 3 deletions(-)
+
+diff --git a/src/tss2-fapi/api/Fapi_VerifyQuote.c b/src/tss2-fapi/api/Fapi_VerifyQuote.c
+index 8a0e119c..50474c6b 100644
+--- a/src/tss2-fapi/api/Fapi_VerifyQuote.c
+++ b/src/tss2-fapi/api/Fapi_VerifyQuote.c
+@@ -289,6 +289,11 @@ Fapi_VerifyQuote_Finish(
+                                      &command->fapi_quote_info);
+             goto_if_error(r, "Get quote info.", error_cleanup);
+ 
+            if (command->fapi_quote_info.attest.magic != TPM2_GENERATED_VALUE) {
+                goto_error(r, TSS2_FAPI_RC_SIGNATURE_VERIFICATION_FAILED,
+                           "Attest without TPM2 generated value", error_cleanup);
+            }
+
+             /* Verify the signature over the attest2b structure. */
+             r = ifapi_verify_signature_quote(&key_object,
+                                              command->signature,
+diff --git a/src/tss2-fapi/tpm_json_deserialize.c b/src/tss2-fapi/tpm_json_deserialize.c
+index 4c45458a..1b27a83f 100644
+--- a/src/tss2-fapi/tpm_json_deserialize.c
+++ b/src/tss2-fapi/tpm_json_deserialize.c
+@@ -698,6 +698,7 @@ ifapi_json_TPM2_GENERATED_deserialize(json_object *jso, TPM2_GENERATED *out)
+     const char *s = json_object_get_string(jso);
+     const char *str = strip_prefix(s, "TPM_", "TPM2_", "GENERATED_", NULL);
+     LOG_TRACE("called for %s parsing %s", s, str);
+    TSS2_RC r;
+ 
+     if (str) {
+         for (size_t i = 0; i < sizeof(tab) / sizeof(tab[0]); i++) {
+@@ -707,8 +708,14 @@ ifapi_json_TPM2_GENERATED_deserialize(json_object *jso, TPM2_GENERATED *out)
+             }
+         }
+     }
+-
+-    return ifapi_json_UINT32_deserialize(jso, out);
+    r = ifapi_json_UINT32_deserialize(jso, out);
+    return_if_error(r, "Could not deserialize UINT32");
+    if (*out != TPM2_GENERATED_VALUE) {
+        return_error2(TSS2_FAPI_RC_BAD_VALUE,
+                      "Value %x not equal TPM self generated value %x",
+                      *out, TPM2_GENERATED_VALUE);
+    }
+    return TSS2_RC_SUCCESS;
+ }
+ 
+ /** Deserialize a TPM2_ALG_ID json object.
+diff --git a/src/tss2-mu/tpms-types.c b/src/tss2-mu/tpms-types.c
+index 3ad72520..56aca0c3 100644
+--- a/src/tss2-mu/tpms-types.c
+++ b/src/tss2-mu/tpms-types.c
+@@ -22,6 +22,27 @@
+ #define VAL
+ #define TAB_SIZE(tab) (sizeof(tab) / sizeof(tab[0]))
+ 
+static TSS2_RC
+TPM2_GENERATED_Unmarshal(
+    uint8_t const   buffer[],
+    size_t          buffer_size,
+    size_t         *offset,
+    TPM2_GENERATED *magic)
+{
+    TPM2_GENERATED mymagic = 0;
+    TSS2_RC rc = Tss2_MU_UINT32_Unmarshal(buffer, buffer_size, offset, &mymagic);
+    if (rc != TSS2_RC_SUCCESS) {
+        return rc;
+    }
+    if (mymagic != TPM2_GENERATED_VALUE) {
+        LOG_ERROR("Bad magic in tpms_attest");
+        return TSS2_SYS_RC_BAD_VALUE;
+    }
+    if (magic != NULL)
+        *magic = mymagic;
+    return TSS2_RC_SUCCESS;
+}
+
+ #define TPMS_PCR_MARSHAL(type, firstFieldMarshal) \
+ TSS2_RC \
+ Tss2_MU_##type##_Marshal(const type *src, uint8_t buffer[], \
+@@ -1219,7 +1240,7 @@ TPMS_MARSHAL_7_U(TPMS_ATTEST,
+                  attested, ADDR, Tss2_MU_TPMU_ATTEST_Marshal)
+ 
+ TPMS_UNMARSHAL_7_U(TPMS_ATTEST,
+-                   magic, Tss2_MU_UINT32_Unmarshal,
+                   magic, TPM2_GENERATED_Unmarshal,
+                    type, Tss2_MU_TPM2_ST_Unmarshal,
+                    qualifiedSigner, Tss2_MU_TPM2B_NAME_Unmarshal,
+                    extraData, Tss2_MU_TPM2B_DATA_Unmarshal,
+-- 
+2.33.0
+
--- a/backport-FAPI-Skip-test-fapi-fix-provisioning-with-template-i.patch
+++ b/backport-FAPI-Skip-test-fapi-fix-provisioning-with-template-i.patch
@ -0,0 +1,91 @@
+From 218c0da8d9f675766b1de502a52e23a3aa52648e Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_repp@web.de>
+Date: Wed, 22 Mar 2023 10:54:59 +0100
+Subject: [PATCH] FAPI: Skip test fapi-fix-provisioning-with template if no
+ certificate is available.
+
+If the configure option --enable-self-generated-certificate is not used this
+test can't be executed because no certificate will be stored in NV ram. The
+test will be skipped if no certificate is available.
+Fixes: #2558
+
+Signed-off-by: Juergen Repp <juergen_repp@web.de>
+---
+ .../fapi-provisioning-with-template.int.c     | 40 ++++++++++++++++++-
+ 1 file changed, 39 insertions(+), 1 deletion(-)
+
+diff --git a/test/integration/fapi-provisioning-with-template.int.c b/test/integration/fapi-provisioning-with-template.int.c
+index 54c724f5..74184cdc 100644
+--- a/test/integration/fapi-provisioning-with-template.int.c
+++ b/test/integration/fapi-provisioning-with-template.int.c
+@@ -4,6 +4,8 @@
+ #endif
+ 
+ #include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+ 
+ #include "tss2_esys.h"
+ #include "tss2_fapi.h"
+@@ -31,6 +33,39 @@
+  * @retval EXIT_SKIP
+  *
+  */
+static bool
+fapi_ek_certless()
+{
+    FILE *stream = NULL;
+    long config_size;
+    char *config = NULL;
+    char *fapi_config_file = getenv("TSS2_FAPICONF");
+
+    stream = fopen(fapi_config_file, "r");
+    if (!stream) {
+        LOG_ERROR("File %s does not exist", fapi_config_file);
+        return NULL;
+    }
+    fseek(stream, 0L, SEEK_END);
+    config_size = ftell(stream);
+    fclose(stream);
+    config = malloc(config_size + 1);
+    stream = fopen(fapi_config_file, "r");
+    ssize_t ret = read(fileno(stream), config, config_size);
+    if (ret != config_size) {
+        LOG_ERROR("IO error %s.", fapi_config_file);
+        return NULL;
+    }
+    config[config_size] = '\0';
+    if (strstr(config, "\"ek_cert_less\": \"yes\"") == NULL) {
+        SAFE_FREE(config);
+        return false;
+    } else {
+        SAFE_FREE(config);
+        return true;
+    }
+}
+
+ int
+ test_fapi_provision_template(FAPI_CONTEXT *context)
+ {
+@@ -151,6 +186,9 @@ test_fapi_provision_template(FAPI_CONTEXT *context)
+     TPM2B_AUTH auth = { .size = 0, .buffer = {} };
+     TPM2B_MAX_NV_BUFFER nv_data;
+ 
+    if (fapi_ek_certless())
+        return EXIT_SKIP;
+
+     if (strcmp(FAPI_PROFILE, "P_ECC") == 0) {
+         nv_template_idx = ecc_nv_template_idx;
+         nv_nonce_idx = ecc_nv_nonce_idx;
+@@ -169,7 +207,7 @@ test_fapi_provision_template(FAPI_CONTEXT *context)
+     r = Esys_Initialize(&esys_ctx, tcti, NULL);
+     goto_if_error(r, "Error Esys_Initialize", error);
+ 
+-     /*
+    /*
+      * Store template (marshaled TPMT_PUBLIC) in NV ram.
+      */
+     r = Tss2_MU_TPMT_PUBLIC_Marshal(&in_public, &nv_data.buffer[0],
+-- 
+2.33.0
+
--- a/tpm2-tss.spec
+++ b/tpm2-tss.spec
@ -1,11 +1,14 @@
 Name:          tpm2-tss
 Version:       4.0.1
-Release:       1
+Release:       2
 Summary:       TPM2.0 Software Stack
 License:       BSD
 URL:           https://github.com/tpm2-software/tpm2-tss
 Source0:       https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz

+Patch0001:     backport-FAPI-Skip-test-fapi-fix-provisioning-with-template-i.patch
+Patch0002:     backport-CVE-2024-29040-FAPI-Fix-check-of-magic-.patch
+
 BuildRequires: gcc-c++ autoconf-archive libtool pkgconfig systemd libgcrypt-devel openssl-devel doxygen json-c-devel libcurl-devel util-linux-devel
 BuildRequires: curl >= 7.80.0 libcmocka-devel iproute uthash-devel swtpm

@ -71,6 +74,9 @@ make check
 %{_mandir}/man*/*

 %changelog
+* Wed May 8 2024 jinlun <jinlun@huawei.com> - 4.0.1-2
+- fix CVE-2024-29040 and fix test check error
+
 * Tue Jan 23 2024 jinlun <jinlun@huawei.com> - 4.0.1-1
 - Type:enhancement
 - ID:NA