!42 fix CVE-2024-29038 and CVE-2024-29039

From: @cenhuilin 
Reviewed-by: @zhujianwei001 
Signed-off-by: @zhujianwei001

0001-tpm2_getcap-fix-misspelling-of-TPM2_PT_HR_-constants.patch

@@ -1,104 +0,0 @@
-From 7e9bb6c3a91a5da2792010f42df88ab9f80e8093 Mon Sep 17 00:00:00 2001
-From: Matthew Dempsky <matthew@dempsky.org>
-Date: Tue, 27 Aug 2019 18:11:27 -0700
-Subject: [PATCH] tpm2_getcap: fix misspelling of TPM2_PT_HR_ constants
-
-tpm2-tss mispelled some of these constants as TPM2_PT_TPM2_HR_*
-instead of just TPM2_PT_HR_*, and tpm2_getcap blindly followed suit.
-
-This commit switches tpm2_getcap to use the proper names, and to
-define them locally if they're missing. Once tpm2-tools can assume a
-fixed tpm2-tss, this workaround can be removed.
-
-Updates tpm2-software/tpm2-tss#1500.
-
-Signed-off-by: Matthew Dempsky <matthew@dempsky.org>
----
- tools/tpm2_getcap.c | 37 +++++++++++++++++++++++++------------
- 1 file changed, 25 insertions(+), 12 deletions(-)
-
-diff --git a/tools/tpm2_getcap.c b/tools/tpm2_getcap.c
-index 9b15e3b..8b753dd 100644
---- a/tools/tpm2_getcap.c
-+++ b/tools/tpm2_getcap.c
-@@ -38,6 +38,19 @@
- #include "tpm2_tool.h"
- #include "tpm2_util.h"
- 
-+/*
-+ * Older versions of tpm2-tss misspelled these constants' names.
-+ * See https://github.com/tpm2-software/tpm2-tss/issues/1500.
-+ */
-+#ifndef TPM2_PT_HR_TRANSIENT_MIN
-+#define TPM2_PT_HR_TRANSIENT_MIN    ((TPM2_PT) (TPM2_PT_FIXED + 14))
-+#define TPM2_PT_HR_PERSISTENT_MIN   ((TPM2_PT) (TPM2_PT_FIXED + 15))
-+#define TPM2_PT_HR_NV_INDEX         ((TPM2_PT) (TPM2_PT_VAR + 2))
-+#define TPM2_PT_HR_TRANSIENT_AVAIL  ((TPM2_PT) (TPM2_PT_VAR + 7))
-+#define TPM2_PT_HR_PERSISTENT       ((TPM2_PT) (TPM2_PT_VAR + 8))
-+#define TPM2_PT_HR_PERSISTENT_AVAIL ((TPM2_PT) (TPM2_PT_VAR + 9))
-+#endif
-+
- /* convenience macro to convert flags into "set" / "clear" strings */
- #define prop_str(val) val ? "set" : "clear"
- /* number of eleents in the capability_map array */
-@@ -313,11 +313,11 @@ dump_tpm_properties_fixed (TPMS_TAGGED_PROPERTY properties[],
-         case TPM2_PT_INPUT_BUFFER:
-             tpm2_tool_output ("TPM2_PT_INPUT_BUFFER:        0x%08x\n", value);
-             break;
--        case TPM2_PT_TPM2_HR_TRANSIENT_MIN:
--            tpm2_tool_output ("TPM2_PT_TPM2_HR_TRANSIENT_MIN:    0x%08x\n", value);
-+        case TPM2_PT_HR_TRANSIENT_MIN:
-+            tpm2_tool_output ("TPM2_PT_HR_TRANSIENT_MIN:    0x%08x\n", value);
-             break;
--        case TPM2_PT_TPM2_HR_PERSISTENT_MIN:
--            tpm2_tool_output ("TPM2_PT_TPM2_HR_PERSISTENT_MIN:   0x%08x\n", value);
-+        case TPM2_PT_HR_PERSISTENT_MIN:
-+            tpm2_tool_output ("TPM2_PT_HR_PERSISTENT_MIN:   0x%08x\n", value);
-             break;
-         case TPM2_PT_HR_LOADED_MIN:
-             tpm2_tool_output ("TPM2_PT_HR_LOADED_MIN:       0x%08x\n", value);
-@@ -428,8 +428,8 @@ dump_tpm_properties_var (TPMS_TAGGED_PROPERTY properties[],
-         case TPM2_PT_STARTUP_CLEAR:
-             dump_startup_clear_attrs ((TPMA_STARTUP_CLEAR)value);
-             break;
--        case TPM2_PT_TPM2_HR_NV_INDEX:
--            tpm2_tool_output ("TPM2_PT_TPM2_HR_NV_INDEX:          0x%08x\n", value);
-+        case TPM2_PT_HR_NV_INDEX:
-+            tpm2_tool_output ("TPM2_PT_HR_NV_INDEX:          0x%08x\n", value);
-             break;
-         case TPM2_PT_HR_LOADED:
-             tpm2_tool_output ("TPM2_PT_HR_LOADED:            0x%08x\n", value);
-@@ -443,14 +443,14 @@ dump_tpm_properties_var (TPMS_TAGGED_PROPERTY properties[],
-         case TPM2_PT_HR_ACTIVE_AVAIL:
-             tpm2_tool_output ("TPM2_PT_HR_ACTIVE_AVAIL:      0x%08x\n", value);
-             break;
--        case TPM2_PT_TPM2_HR_TRANSIENT_AVAIL:
--            tpm2_tool_output ("TPM2_PT_TPM2_HR_TRANSIENT_AVAIL:   0x%08x\n", value);
-+        case TPM2_PT_HR_TRANSIENT_AVAIL:
-+            tpm2_tool_output ("TPM2_PT_HR_TRANSIENT_AVAIL:   0x%08x\n", value);
-             break;
--        case TPM2_PT_TPM2_HR_PERSISTENT:
--            tpm2_tool_output ("TPM2_PT_TPM2_HR_PERSISTENT:        0x%08x\n", value);
-+        case TPM2_PT_HR_PERSISTENT:
-+            tpm2_tool_output ("TPM2_PT_HR_PERSISTENT:        0x%08x\n", value);
-             break;
--        case TPM2_PT_TPM2_HR_PERSISTENT_AVAIL:
--            tpm2_tool_output ("TPM2_PT_TPM2_HR_PERSISTENT_AVAIL:  0x%08x\n", value);
-+        case TPM2_PT_HR_PERSISTENT_AVAIL:
-+            tpm2_tool_output ("TPM2_PT_HR_PERSISTENT_AVAIL:  0x%08x\n", value);
-             break;
-         case TPM2_PT_NV_COUNTERS:
-             tpm2_tool_output ("TPM2_PT_NV_COUNTERS:          0x%08x\n", value);
-diff --git a/tools/tpm2_listpersistent.c b/tools/tpm2_listpersistent.c
-index 45da1a4..d693e6c 100644
---- a/tools/tpm2_listpersistent.c
-+++ b/tools/tpm2_listpersistent.c
-@@ -152,7 +152,7 @@ int tpm2_tool_onrun(TSS2_SYS_CONTEXT *sapi_context, tpm2_option_flags flags) {
- 
-     UINT32 property = tpm2_util_endian_swap_32(TPM2_HT_PERSISTENT);
-     rval = TSS2_RETRY_EXP(Tss2_Sys_GetCapability(sapi_context, 0, TPM2_CAP_HANDLES,
--                                   property, TPM2_PT_TPM2_HR_PERSISTENT, &moreData,
-+                                   property, TPM2_PT_HR_PERSISTENT, &moreData,
-                                    &capabilityData, 0));
-     if(rval != TPM2_RC_SUCCESS)
-     {

Revert-objectattrs-clear-before-or-ing-in-values.patch

@@ -1,43 +0,0 @@
-From 1f3451ee7b046a590b6dfc20b6af010166670ff7 Mon Sep 17 00:00:00 2001
-From: Javier Martinez Canillas <javierm@redhat.com>
-Date: Thu, 12 Jul 2018 19:50:26 +0200
-Subject: [PATCH 1/1] Revert "objectattrs: clear before or'ing in values"
-
-This reverts commit e103bbf5117b0b62b358fd15f18f848854fcb0ee.
-
-The tpm2-tools 3.1.0 release contains a backward incompatible change that
-was introduced by commit e103bbf5117 ("objectattrs: clear before or'ing
-in values"), that changed the way that object attributes were specified.
-
-Before there were a set of default attributes and the user could specify
-additional attributes to be used, but after the mentioned commit the user
-must specify all attributes.
-
-This is a user visible change that changes the tools semantics, so is not
-a suitable change for a MINOR version number increment, according to the
-Semantic Versioning document (https://semver.org) since it breaks rule 2:
-
-2.MINOR version when you add functionality in a backwards-compatible manner
-
-Fixes: #1097
-
-Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
----
- lib/tpm2_attr_util.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/lib/tpm2_attr_util.c b/lib/tpm2_attr_util.c
-index d461a744c0d..e43d03f9e0a 100644
---- a/lib/tpm2_attr_util.c
-+++ b/lib/tpm2_attr_util.c
-@@ -501,7 +501,6 @@ bool tpm2_attr_util_nv_strtoattr(char *attribute_list, TPMA_NV *nvattrs) {
- 
- bool tpm2_attr_util_obj_strtoattr(char *attribute_list, TPMA_OBJECT *objattrs) {
- 
--    memset(objattrs, 0, sizeof(*objattrs));
-     return common_strtoattr(attribute_list, objattrs, obj_attr_table, ARRAY_LEN(obj_attr_table));
- }
- 
--- 
-2.17.1
-

backport-CVE-2021-3565.patch

@@ -0,0 +1,46 @@
+From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Fri, 21 May 2021 12:22:31 -0500
+Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565
+
+tpm2_import used a fixed AES key for the inner wrapper, which means that
+a MITM attack would be able to unwrap the imported key. Even the
+use of an encrypted session will not prevent this. The TPM only
+encrypts the first parameter which is the fixed symmetric key.
+
+To fix this, ensure the key size is 16 bytes or bigger and use
+OpenSSL to generate a secure random AES key.
+
+Fixes: #2738
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+ tools/tpm2_import.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c
+index cfb6f20..f44326c 100644
+--- a/tools/tpm2_import.c
++++ b/tools/tpm2_import.c
+@@ -118,7 +118,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub,
+     TPM2B_DATA enc_sensitive_key = {
+         .size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8
+     };
+-    memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size);
++
++    if(enc_sensitive_key.size < 16) {
++        LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size);
++        return tool_rc_general_error;
++    }
++
++    int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size);
++    if (ossl_rc != 1) {
++        LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL));
++        return tool_rc_general_error;
++    }
+ 
+     /*
+      * Calculate the object name.
+-- 
+1.8.3.1
+

backport-CVE-2024-29038.patch

@@ -0,0 +1,30 @@
+From c9d57cae9316ab22d37db87a123e9255bfd21112 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 2 May 2024 09:53:57 +0800
+Subject: [PATCH]  init
+
+---
+ tools/misc/tpm2_checkquote.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
+index ca78238..6d1a9f6 100644
+--- a/tools/misc/tpm2_checkquote.c
++++ b/tools/misc/tpm2_checkquote.c
+@@ -115,6 +115,13 @@ static bool verify(void) {
+         goto err;
+     }
+ 
++    // check magic
++    if (ctx.attest.magic != TPM2_GENERATED_VALUE) {
++        LOG_ERR("Bad magic, got: 0x%x, expected: 0x%x",
++                ctx.attest.magic, TPM2_GENERATED_VALUE);
++        return false;
++    }
++
+     // Also ensure digest from quote matches PCR digest
+     if (ctx.flags.pcr) {
+         if (!tpm2_util_verify_digests(&ctx.attest.attested.quote.pcrDigest,
+-- 
+2.23.0
+

backport-CVE-2024-29039.patch

@@ -0,0 +1,78 @@
+From accff7c58b4d01aacdb4260b3e2a1e374a2be0df Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 2 May 2024 09:57:07 +0800
+Subject: [PATCH] backport CVE-2024-29039
+
+---
+ tools/misc/tpm2_checkquote.c | 41 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
+index 6d1a9f6..c4fdff6 100644
+--- a/tools/misc/tpm2_checkquote.c
++++ b/tools/misc/tpm2_checkquote.c
+@@ -54,6 +54,37 @@ static tpm2_verifysig_ctx ctx = {
+         .pcr_hash = TPM2B_TYPE_INIT(TPM2B_DIGEST, buffer),
+ };
+ 
++static bool compare_pcr_selection(TPML_PCR_SELECTION *attest_sel, TPML_PCR_SELECTION *pcr_sel) {
++    if (attest_sel->count != pcr_sel->count) {
++        LOG_ERR("Selection sizes do not match.");
++        return false;
++    }
++    for (uint32_t i = 0; i < attest_sel->count; i++) {
++        for (uint32_t j = 0; j < pcr_sel->count; j++) {
++            if (attest_sel->pcrSelections[i].hash ==
++                pcr_sel->pcrSelections[j].hash) {
++                if (attest_sel->pcrSelections[i].sizeofSelect !=
++                        pcr_sel->pcrSelections[j].sizeofSelect) {
++                    LOG_ERR("Bitmask size does not match");
++                    return false;
++                }
++                if (memcmp(&attest_sel->pcrSelections[i].pcrSelect[0],
++                           &pcr_sel->pcrSelections[j].pcrSelect[0],
++                           attest_sel->pcrSelections[i].sizeofSelect) != 0) {
++                    LOG_ERR("Selection bitmasks do not match");
++                    return false;
++                }
++                break;
++            }
++            if (j == pcr_sel->count - 1) {
++                LOG_ERR("Hash selections to not match.");
++                return false;
++            }
++        }
++    }
++    return true;
++}
++
+ static bool verify(void) {
+ 
+     bool result = false;
+@@ -381,7 +412,7 @@ static tool_rc init(void) {
+     }
+ 
+     TPM2B_ATTEST *msg = NULL;
+-    TPML_PCR_SELECTION pcr_select;
++    TPML_PCR_SELECTION pcr_select = { 0 };
+     tpm2_pcrs *pcrs;
+     tpm2_pcrs temp_pcrs;
+     tool_rc return_value = tool_rc_general_error;
+@@ -544,6 +575,14 @@ static tool_rc init(void) {
+         goto err;
+     }
+ 
++    if (ctx.flags.pcr) {
++        if (!compare_pcr_selection(&ctx.attest.attested.quote.pcrSelect,
++                                   &pcr_select)) {
++            LOG_ERR("PCR selection does not match PCR slection from attest!");
++            goto err;
++        }
++    }
++
+     // Figure out the digest for this message
+     res = tpm2_openssl_hash_compute_data(ctx.halg, msg->attestationData,
+             msg->size, &ctx.msg_hash);
+-- 
+2.23.0
+

backport-Don-t-assume-end-of-argv-is-NULL.patch

@@ -0,0 +1,43 @@
+From fb1e0d98eca5279bf33304deedd9019b0130393a Mon Sep 17 00:00:00 2001
+From: Erik Larsson <who+github@cnackers.org>
+Date: Sat, 21 Nov 2020 10:59:13 +0100
+Subject: [PATCH] Don't assume end of argv is NULL
+
+On a musl based system argv[optind] && strcmp(...) where optind > argc might read random memory and segfault.
+
+Signed-off-by: Erik Larsson <who+github@cnackers.org>
+---
+ lib/tpm2_options.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/tpm2_options.c b/lib/tpm2_options.c
+index e9aaa0364..9fa583c60 100644
+--- a/lib/tpm2_options.c
++++ b/lib/tpm2_options.c
+@@ -300,7 +300,7 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
+             if (argv[optind - 1]) {
+                 if (!strcmp(argv[optind - 1], "--help=no-man") ||
+                     !strcmp(argv[optind - 1], "-h=no-man") ||
+-                    (argv[optind] && !strcmp(argv[optind], "no-man"))) {
++                    (argc < optind && !strcmp(argv[optind], "no-man"))) {
+                     manpager = false;
+                     optind++;
+                 /*
+@@ -309,7 +309,7 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
+                  */
+                 } else if (!strcmp(argv[optind - 1], "--help=man") ||
+                            !strcmp(argv[optind - 1], "-h=man") ||
+-                           (argv[optind] && !strcmp(argv[optind], "man"))) {
++                           (argc < optind && !strcmp(argv[optind], "man"))) {
+                     manpager = true;
+                     explicit_manpager = true;
+                     optind++;
+@@ -318,7 +318,7 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
+                      * argv[0] = "tool name"
+                      * argv[1] = "--help" argv[2] = 0
+                      */
+-                    if (!argv[optind] && argc == 2) {
++                    if (optind >= argc && argc == 2) {
+                         manpager = false;
+                     } else {
+                         /*

tpm2-tools.spec

@@ -1,18 +1,21 @@
 Name:          tpm2-tools
-Version:       3.1.1
-Release:       8
+Version:       5.0
+Release:       5
 Summary:       A TPM2.0 testing tool based on TPM2.0-TSS
 License:       BSD
 URL:           https://github.com/tpm2-software/tpm2-tools
 Source0:       https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz
 
-Patch1:        Revert-objectattrs-clear-before-or-ing-in-values.patch
-Patch2:        0001-tpm2_getcap-fix-misspelling-of-TPM2_PT_HR_-constants.patch 
+Patch0:        backport-Don-t-assume-end-of-argv-is-NULL.patch
+Patch1:        backport-CVE-2021-3565.patch
+Patch2:        backport-CVE-2024-29038.patch
+Patch3:        backport-CVE-2024-29039.patch
 
 BuildRequires: gcc-c++ libtool autoconf-archive pkgconfig(cmocka) pkgconfig(libcurl) pkgconfig(openssl)
-BuildRequires: pkgconfig(tss2-mu) pkgconfig(tss2-sys) pkgconfig(tss2-esys) git libgcrypt
-BuildRequires: libgcrypt-devel gdb
-Requires:  tpm2-tss >= 2.0.0-2
+BuildRequires: pkgconfig(tss2-mu) pkgconfig(tss2-sys) pkgconfig(tss2-esys) pkgconfig(uuid) git libgcrypt
+BuildRequires: libgcrypt-devel gdb chrpath
+Requires:  tpm2-tss >= 2.3.1
+Requires:  tpm2-tools-help = %{version}-%{release}
 Obsoletes: tpm2-tools <= 2.1.1-2
 
 %description
@@ -35,6 +38,13 @@ make %{?_smp_mflags} V=1
 rm -rf %{buildroot}
 %make_install
 
+#remove rpath
+chrpath -d %{buildroot}%{_bindir}/tss2
+chrpath -d %{buildroot}%{_bindir}/tpm2
+
+mkdir -p %{buildroot}/etc/ld.so.conf.d
+echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
+
 %check
 make check
 
@@ -48,16 +58,34 @@ make check
 
 %files
 %defattr(-,root,root)
-%license LICENSE
+%license doc/LICENSE
 %{_bindir}/*
+%{_datadir}/bash-completion/completions/tpm2*
+%{_datadir}/bash-completion/completions/tss2*
+%config(noreplace) /etc/ld.so.conf.d/*
 
 %files help
-%doc README.md CHANGELOG.md
+%doc README.md doc/CHANGELOG.md
 %{_mandir}/*/*
 
 %changelog
-* Tue May 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.1.1-8
-- add patch for tpm2-tss
+* Thu May 02 2024 cenhuilin <cenhuilin@kylinos.cn> - 5.0-5
+- fix CVE-2024-29038 CVE-2024-29039
+
+* Fri Nov 10 2023 fuanan <fuanan3@h-partners.com> - 5.0-4
+- remove rpath and runpath of exec files
+
+* Mon Sep 27 2021 fuanan <fuanan3@huawei.com> - 5.0-3
+- fix CVE-2021-3565
+
+* Mon May 24 2021 panxiaohe<panxiaohe@huawei.com> - 5.0-2
+- fix segmentation fault on tpm2
+
+* Mon May 24 2021 panxiaohe<panxiaohe@huawei.com> - 5.0-1
+- update to 5.0
+
+* Tue May 12 2020 wanghongzhe<wanghongzhe@openeuler.org> - 3.1.1-8
+- bugfix for tpm2-tss upgrade
 
 * Thu Mar 19 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.1.1-7
 - add BuildRequires: libgcrypt-devel gdb