!53 修复漏洞CVE-2024-29040

From: @jinlun123123 
Reviewed-by: @zhujianwei001 
Signed-off-by: @zhujianwei001

backport-CVE-2023-22745.patch

@@ -0,0 +1,139 @@
+From 306490c8d848c367faa2d9df81f5e69dab46ffb5 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Thu, 19 Jan 2023 11:53:06 -0600
+Subject: [PATCH] tss2_rc: ensure layer number is in bounds
+
+The layer handler array was defined as 255, the max number of uint8,
+which is the size of the layer field, however valid values are 0-255
+allowing for 256 possibilities and thus the array was off by one and
+needed to be sized to 256 entries. Update the size and add tests.
+
+Note: previous implementations incorrectly dropped bits on unknown error
+output, ie TSS2_RC of 0xFFFFFF should yeild a string of 255:0xFFFFFF,
+but earlier implementations returned 255:0xFFFF, dropping the middle
+bits, this patch fixes that.
+
+Fixes: CVE-2023-22745
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+ src/tss2-rc/tss2_rc.c    | 31 +++++++++++++++++++++----------
+ test/unit/test_tss2_rc.c | 21 ++++++++++++++++++++-
+ 2 files changed, 41 insertions(+), 11 deletions(-)
+
+diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c
+index 15ced56..4e14659 100644
+--- a/src/tss2-rc/tss2_rc.c
++++ b/src/tss2-rc/tss2_rc.c
+@@ -1,5 +1,8 @@
+ /* SPDX-License-Identifier: BSD-2-Clause */
+-
++#ifdef HAVE_CONFIG_H
++#include "config.h"
++#endif
++#include <assert.h>
+ #include <stdarg.h>
+ #include <stdbool.h>
+ #include <stdio.h>
+@@ -834,7 +837,7 @@ tss_err_handler (TSS2_RC rc)
+ static struct {
+     char name[TSS2_ERR_LAYER_NAME_MAX];
+     TSS2_RC_HANDLER handler;
+-} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT] = {
++} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1] = {
+     ADD_HANDLER("tpm" , tpm2_ehandler),
+     ADD_NULL_HANDLER,                       /* layer 1  is unused */
+     ADD_NULL_HANDLER,                       /* layer 2  is unused */
+@@ -869,7 +872,7 @@ unknown_layer_handler(TSS2_RC rc)
+     static __thread char buf[32];
+ 
+     clearbuf(buf);
+-    catbuf(buf, "0x%X", tpm2_error_get(rc));
++    catbuf(buf, "0x%X", rc);
+ 
+     return buf;
+ }
+@@ -966,19 +969,27 @@ Tss2_RC_Decode(TSS2_RC rc)
+         catbuf(buf, "%u:", layer);
+     }
+ 
+-    handler = !handler ? unknown_layer_handler : handler;
+-
+     /*
+      * Handlers only need the error bits. This way they don't
+      * need to concern themselves with masking off the layer
+      * bits or anything else.
+      */
+-    UINT16 err_bits = tpm2_error_get(rc);
+-    const char *e = err_bits ? handler(err_bits) : "success";
+-    if (e) {
+-        catbuf(buf, "%s", e);
++    if (handler) {
++        UINT16 err_bits = tpm2_error_get(rc);
++        const char *e = err_bits ? handler(err_bits) : "success";
++        if (e) {
++            catbuf(buf, "%s", e);
++        } else {
++            catbuf(buf, "0x%X", err_bits);
++        }
+     } else {
+-        catbuf(buf, "0x%X", err_bits);
++        /*
++         * we don't want to drop any bits if we don't know what to do with it
++         * so drop the layer byte since we we already have that.
++         */
++        const char *e = unknown_layer_handler(rc >> 8);
++        assert(e);
++        catbuf(buf, "%s", e);
+     }
+ 
+     return buf;
+diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c
+index f4249b7..6d8428b 100644
+--- a/test/unit/test_tss2_rc.c
++++ b/test/unit/test_tss2_rc.c
+@@ -199,7 +199,7 @@ test_custom_handler(void **state)
+      * Test an unknown layer
+      */
+     e = Tss2_RC_Decode(rc);
+-    assert_string_equal(e, "1:0x2A");
++    assert_string_equal(e, "1:0x100");
+ }
+ 
+ static void
+@@ -282,6 +282,23 @@ test_tcti(void **state)
+     assert_string_equal(e, "tcti:Fails to connect to next lower layer");
+ }
+ 
++static void
++test_all_FFs(void **state)
++{
++    (void) state;
++
++    const char *e = Tss2_RC_Decode(0xFFFFFFFF);
++    assert_string_equal(e, "255:0xFFFFFF");
++}
++
++static void
++test_all_FFs_set_handler(void **state)
++{
++    (void) state;
++    Tss2_RC_SetHandler(0xFF, "garbage", custom_err_handler);
++    Tss2_RC_SetHandler(0xFF, NULL, NULL);
++}
++
+ /* link required symbol, but tpm2_tool.c declares it AND main, which
+  * we have a main below for cmocka tests.
+  */
+@@ -313,6 +330,8 @@ main(int argc, char* argv[])
+             cmocka_unit_test(test_esys),
+             cmocka_unit_test(test_mu),
+             cmocka_unit_test(test_tcti),
++            cmocka_unit_test(test_all_FFs),
++            cmocka_unit_test(test_all_FFs_set_handler)
+     };
+ 
+     return cmocka_run_group_tests(tests, NULL, NULL);
+-- 
+2.27.0
+

backport-CVE-2024-29040-FAPI-Fix-check-of-magic-.patch

@@ -0,0 +1,112 @@
+From 710cd0b6adf3a063f34a8e92da46df7a107d9a99 Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_repp@web.de>
+Date: Tue, 31 Oct 2023 11:08:41 +0100
+Subject: [PATCH] FAPI: Fix check of magic number in verify quote.
+
+After deserializing the quote info it was not checked whether
+the magic number in the attest is equal TPM2_GENERATED_VALUE.
+So an malicious attacker could generate arbitrary quote data
+which was not detected by Fapi_VerifyQuote.
+Now the number magic number is checket in verify quote and also
+in the deserialization of TPM2_GENERATED.
+The check is also added to the Unmarshal function for TPMS_ATTEST.
+
+Fixes: CVE-2024-29040
+
+Signed-off-by: Juergen Repp <juergen_repp@web.de>
+Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com>
+---
+ src/tss2-fapi/api/Fapi_VerifyQuote.c |  5 +++++
+ src/tss2-fapi/tpm_json_deserialize.c | 11 +++++++++--
+ src/tss2-mu/tpms-types.c             | 23 ++++++++++++++++++++++-
+ 3 files changed, 36 insertions(+), 3 deletions(-)
+
+diff --git a/src/tss2-fapi/api/Fapi_VerifyQuote.c b/src/tss2-fapi/api/Fapi_VerifyQuote.c
+index 8a0e119c..50474c6b 100644
+--- a/src/tss2-fapi/api/Fapi_VerifyQuote.c
++++ b/src/tss2-fapi/api/Fapi_VerifyQuote.c
+@@ -289,6 +289,11 @@ Fapi_VerifyQuote_Finish(
+                                      &command->fapi_quote_info);
+             goto_if_error(r, "Get quote info.", error_cleanup);
+ 
++            if (command->fapi_quote_info.attest.magic != TPM2_GENERATED_VALUE) {
++                goto_error(r, TSS2_FAPI_RC_SIGNATURE_VERIFICATION_FAILED,
++                           "Attest without TPM2 generated value", error_cleanup);
++            }
++
+             /* Verify the signature over the attest2b structure. */
+             r = ifapi_verify_signature_quote(&key_object,
+                                              command->signature,
+diff --git a/src/tss2-fapi/tpm_json_deserialize.c b/src/tss2-fapi/tpm_json_deserialize.c
+index 4c45458a..1b27a83f 100644
+--- a/src/tss2-fapi/tpm_json_deserialize.c
++++ b/src/tss2-fapi/tpm_json_deserialize.c
+@@ -698,6 +698,7 @@ ifapi_json_TPM2_GENERATED_deserialize(json_object *jso, TPM2_GENERATED *out)
+     const char *s = json_object_get_string(jso);
+     const char *str = strip_prefix(s, "TPM_", "TPM2_", "GENERATED_", NULL);
+     LOG_TRACE("called for %s parsing %s", s, str);
++    TSS2_RC r;
+ 
+     if (str) {
+         for (size_t i = 0; i < sizeof(tab) / sizeof(tab[0]); i++) {
+@@ -707,8 +708,14 @@ ifapi_json_TPM2_GENERATED_deserialize(json_object *jso, TPM2_GENERATED *out)
+             }
+         }
+     }
+-
+-    return ifapi_json_UINT32_deserialize(jso, out);
++    r = ifapi_json_UINT32_deserialize(jso, out);
++    return_if_error(r, "Could not deserialize UINT32");
++    if (*out != TPM2_GENERATED_VALUE) {
++        return_error2(TSS2_FAPI_RC_BAD_VALUE,
++                      "Value %x not equal TPM self generated value %x",
++                      *out, TPM2_GENERATED_VALUE);
++    }
++    return TSS2_RC_SUCCESS;
+ }
+ 
+ /** Deserialize a TPM2_ALG_ID json object.
+diff --git a/src/tss2-mu/tpms-types.c b/src/tss2-mu/tpms-types.c
+index 3ad72520..56aca0c3 100644
+--- a/src/tss2-mu/tpms-types.c
++++ b/src/tss2-mu/tpms-types.c
+@@ -22,6 +22,27 @@
+ #define VAL
+ #define TAB_SIZE(tab) (sizeof(tab) / sizeof(tab[0]))
+ 
++static TSS2_RC
++TPM2_GENERATED_Unmarshal(
++    uint8_t const   buffer[],
++    size_t          buffer_size,
++    size_t         *offset,
++    TPM2_GENERATED *magic)
++{
++    TPM2_GENERATED mymagic = 0;
++    TSS2_RC rc = Tss2_MU_UINT32_Unmarshal(buffer, buffer_size, offset, &mymagic);
++    if (rc != TSS2_RC_SUCCESS) {
++        return rc;
++    }
++    if (mymagic != TPM2_GENERATED_VALUE) {
++        LOG_ERROR("Bad magic in tpms_attest");
++        return TSS2_SYS_RC_BAD_VALUE;
++    }
++    if (magic != NULL)
++        *magic = mymagic;
++    return TSS2_RC_SUCCESS;
++}
++
+ #define TPMS_PCR_MARSHAL(type, firstFieldMarshal) \
+ TSS2_RC \
+ Tss2_MU_##type##_Marshal(const type *src, uint8_t buffer[], \
+@@ -1219,7 +1240,7 @@ TPMS_MARSHAL_7_U(TPMS_ATTEST,
+                  attested, ADDR, Tss2_MU_TPMU_ATTEST_Marshal)
+ 
+ TPMS_UNMARSHAL_7_U(TPMS_ATTEST,
+-                   magic, Tss2_MU_UINT32_Unmarshal,
++                   magic, TPM2_GENERATED_Unmarshal,
+                    type, Tss2_MU_TPM2_ST_Unmarshal,
+                    qualifiedSigner, Tss2_MU_TPM2B_NAME_Unmarshal,
+                    extraData, Tss2_MU_TPM2B_DATA_Unmarshal,
+-- 
+2.33.0
+

tpm2-tss.spec

@@ -1,11 +1,14 @@
 Name:          tpm2-tss
-Version:       2.4.0
-Release:       1
+Version:       3.0.3
+Release:       3
 Summary:       TPM2.0 Software Stack
-License:       BSD and TCGL
+License:       BSD
 URL:           https://github.com/tpm2-software/tpm2-tss
 Source0:       https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz
 
+Patch1:        backport-CVE-2023-22745.patch
+Patch2:        backport-CVE-2024-29040-FAPI-Fix-check-of-magic-.patch
+
 BuildRequires: gcc-c++ autoconf-archive libtool pkgconfig systemd libgcrypt-devel openssl-devel json-c-devel libcurl-devel doxygen
 
 %description
@@ -27,7 +30,8 @@ Obsoletes: %{name}-static
 %autosetup -n %{name}-%{version} -p1
 
 %build
-%configure --disable-static --disable-silent-rules --with-udevrulesdir=%{_udevrulesdir} --with-udevrulesprefix=80-
+%configure --disable-static --disable-silent-rules --with-udevrulesdir=%{_udevrulesdir} --with-udevrulesprefix=80- \
+           --with-runstatedir=%{_rundir} --with-tmpfilesdir=%{_tmpfilesdir} --with-sysusersdir=%{_sysusersdir}
 
 %make_build
 
@@ -50,9 +54,9 @@ make check
 %defattr(-,root,root)
 %doc README.md CHANGELOG.md
 %license LICENSE
-%{_sysconfdir}/sysusers.d/tpm2-tss.conf
-%{_sysconfdir}/tmpfiles.d/tpm2-tss-fapi.conf
 %{_sysconfdir}/tpm2-tss/
+%{_sysusersdir}/tpm2-tss.conf
+%{_tmpfilesdir}/tpm2-tss-fapi.conf
 %{_libdir}/*.so.*
 %{_libdir}/*.so
 %{_udevrulesdir}/80-tpm-udev.rules
@@ -68,6 +72,34 @@ make check
 %{_mandir}/man*/*
 
 %changelog
+* Wed May 8 2024 jinlun <jinlun@huawei.com> - 3.0.3-3
+- fix CVE-2024-29040
+
+* Mon Feb 6 2023 jinlun<jinlun@huawei.com> - 3.0.3-2
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC: fix CVE-2023-22745
+
+* Sun Apr 25 2021 Hugel<gengqihu1@huawei.com> - 3.0.3-1
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:update version to 3.0.3
+       use proper rundir tmpfilesdir and sysusersdir, so proper directories are used
+
+* Thu Jan 14 2021 Hugel<gengqihu1@huawei.com> - 2.4.1-2
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC: fix CVE-2020-24455
+
+* Mon Jul 27 2020 wanghongzhe<wanghongzhe@huawei.com> - 2.4.1-1
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC: update to 2.4.1
+
 * Fri Apr 24 2020 wanghongzhe<wanghongzhe@huawei.com> - 2.4.0-1
 - Type:enhancement
 - ID:NA