Fix CVE-2022-23645

(cherry picked from commit 14ee956af0f4185caeca283b9dc6f2c7e152c4c0)
2022-03-09 18:01:25 +08:00 · 2022-03-09 18:01:25 +08:00 · 45fd9b3c6e
commit 45fd9b3c6e
parent 3bf960771a
2 changed files with 57 additions and 2 deletions
--- a/CVE-2022-23645.patch
+++ b/CVE-2022-23645.patch
@ -0,0 +1,51 @@
+From c518445f9fddc786f191f4f5926bf483fa2bd1ff Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Wed, 16 Feb 2022 11:17:47 -0500
+Subject: [PATCH] swtpm: Check header size indicator against expected size (CID
+ 375869)
+
+This fix addresses Coverity issue CID 375869.
+
+Check the header size indicated in the header of the state against the
+expected size and return an error code in case the header size indicator
+is different. There was only one header size so far since blobheader was
+introduced, so we don't need to deal with different sizes.
+
+Without this fix a specially crafted header could cause out-of-bounds
+accesses on the byte array containing the swtpm's state.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ src/swtpm/swtpm_nvfile.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/swtpm/swtpm_nvfile.c b/src/swtpm/swtpm_nvfile.c
+index dc7cfbf1..0efb9da8 100644
+--- a/src/swtpm/swtpm_nvfile.c
+++ b/src/swtpm/swtpm_nvfile.c
+@@ -1260,6 +1260,7 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
+                         uint8_t *hdrversion, bool quiet)
+ {
+     blobheader *bh = (blobheader *)data;
+    uint16_t hdrsize;
+ 
+     if (length < sizeof(bh)) {
+         if (!quiet)
+@@ -1285,8 +1286,16 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
+         return TPM_BAD_VERSION;
+     }
+ 
+    hdrsize = ntohs(bh->hdrsize);
+    if (hdrsize != sizeof(blobheader)) {
+        logprintf(STDERR_FILENO,
+                  "bad header size: %u != %zu\n",
+                  hdrsize, sizeof(blobheader));
+        return TPM_BAD_DATASIZE;
+    }
+
+     *hdrversion = bh->version;
+-    *dataoffset = ntohs(bh->hdrsize);
+    *dataoffset = hdrsize;
+     *hdrflags = ntohs(bh->flags);
+ 
+     return TPM_SUCCESS;
--- a/swtpm.spec
+++ b/swtpm.spec
@ -12,10 +12,11 @@
 Summary: TPM Emulator
 Name:           swtpm
 Version:        0.3.3
-Release:        2
+Release:        3
 License:        BSD
 Url:            http://github.com/stefanberger/swtpm
 Source0:        %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz
+Patch0:         CVE-2022-23645.patch

 BuildRequires:  automake
 BuildRequires:  autoconf
@ -74,7 +75,7 @@ Requires:       trousers >= 0.3.9 tpm-tools >= 1.3.8-6 expect bash net-tools gnu
 Tools for the TPM emulator from the swtpm package

 %prep
-%autosetup -n %{name}-%{gitcommit}
+%autosetup -n %{name}-%{gitcommit} -p1

 %build

@ -163,6 +164,9 @@ fi
 %attr( 755, tss, tss) %{_localstatedir}/lib/swtpm-localca

 %changelog
+* Wed Mar 9 2022 yaoxin <yaoxin30@huawei.com> - 0.3.3-3
+- Fix CVE-2022-23645
+
 * Tue Sep 15 2020 jiangfangjie <jiangfangjie@huawei.com> - 0.3.3-2
 - update spec file and disable test case pkcs11