Headline
CVE-2023-22745: tss2_rc: ensure layer number is in bounds · tpm2-software/tpm2-tss@306490c
tpm2-tss is an open source software implementation of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2 Software Stack (TSS2). In affected versions Tss2_RC_SetHandler and Tss2_RC_Decode both index into layer_handler with an 8 bit layer number, but the array only has TPM2_ERROR_TSS2_RC_LAYER_COUNT entries, so trying to add a handler for higher-numbered layers or decode a response code with such a layer number reads/writes past the end of the buffer. This Buffer overrun, could result in arbitrary code execution. An example attack would be a MiTM bus attack that returns 0xFFFFFFFF for the RC. Given the common use case of TPM modules an attacker must have local access to the target machine with local system privileges which allows access to the TPM system. Usually TPM access requires administrative privilege.
Permalink
Browse files
tss2_rc: ensure layer number is in bounds
The layer handler array was defined as 255, the max number of uint8, which is the size of the layer field, however valid values are 0-255 allowing for 256 possibilities and thus the array was off by one and needed to be sized to 256 entries. Update the size and add tests.
Note: previous implementations incorrectly dropped bits on unknown error output, ie TSS2_RC of 0xFFFFFF should yeild a string of 255:0xFFFFFF, but earlier implementations returned 255:0xFFFF, dropping the middle bits, this patch fixes that.
Fixes: CVE-2023-22745
Signed-off-by: William Roberts [email protected]
- Loading branch information
Related news
Red Hat Security Advisory 2024-4408-03 - An update for tpm2-tss is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.
Ubuntu Security Notice 6796-1 - Fergus Dall discovered that TPM2 Software Stack did not properly handle layer arrays. An attacker could possibly use this issue to cause TPM2 Software Stack to crash, resulting in a denial of service, or possibly execute arbitrary code. Jurgen Repp and Andreas Fuchs discovered that TPM2 Software Stack did not validate the quote data after deserialization. An attacker could generate an arbitrary quote and cause TPM2 Software Stack to have unknown behavior.
Red Hat Security Advisory 2023-7166-01 - An update for tpm2-tss is now available for Red Hat Enterprise Linux 8.