Headline
GHSA-w3vw-ccc5-qr8v: Use After Free in Context::start_auth_session
Impact
This issue only applies to applications starting authorization sessions using an explicit initial nonce.
When Context::start_auth_session was called with a nonce argument value of Some(...), the nonce pointer passed down through FFI to Esys_StartAuthSession would be a dangling pointer, left over from a defunct instance of TPM2B_NONCE. This could lead to an incorrect value being used as a nonce, though whether that value is controllable is unclear (so should be assumed as possible). The error became apparent due to changes in v1.61.0 of the Rust compiler.
Logs indicating a failure due to this issue (with the 1.61.0 version of the Rust toolchain) look as follows:
2022-05-24T01:04:41.9131341Z WARNING:esys:src/tss2-esys/api/Esys_StartAuthSession.c:390:Esys_StartAuthSession_Finish() Received TPM Error
2022-05-24T01:04:41.9132192Z ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:136:Esys_StartAuthSession() Esys Finish ErrorCode (0x000001d5)
2022-05-24T01:04:41.9145124Z [2022-05-24T01:04:41Z ERROR tss_esapi::context::tpm_commands::session_commands] Error when creating a session: structure is the wrong size (associated with parameter number 1)
2022-05-24T01:04:41.9153816Z thread 'main' panicked at 'Call to start_auth_session failed: Tss2Error(FormatOne(FormatOneResponseCode { .0: 469, error_number: 21, parameter: true, format_selector: true, number: 1 }))', tss-esapi/tests/integration_tests/context_tests/tpm_commands/enhanced_authorization_ea_commands_tests.rs:870:14
Patches
The issue has been patched in versions 6 and 7 of the tss-esapi crate. Please update to 7.1.0 or 6.1.2.
Workarounds
There is no workaround that achieves the same functionality.
References
For more information on the cause of the issue and the fix, see this PR.
For more details about the TPM2_StartAuthSession command see section 11.1 of the TPM spec, part 3, and section 19.6.3 of part 1 of the same spec for more information regarding session nonces.
For more information
If you have any questions or comments about this advisory:
- Open an issue or discussion in our repo
- Get in touch on our Slack channel
Impact
This issue only applies to applications starting authorization sessions using an explicit initial nonce.
When Context::start_auth_session was called with a nonce argument value of Some(…), the nonce pointer passed down through FFI to Esys_StartAuthSession would be a dangling pointer, left over from a defunct instance of TPM2B_NONCE. This could lead to an incorrect value being used as a nonce, though whether that value is controllable is unclear (so should be assumed as possible). The error became apparent due to changes in v1.61.0 of the Rust compiler.
Logs indicating a failure due to this issue (with the 1.61.0 version of the Rust toolchain) look as follows:
2022-05-24T01:04:41.9131341Z WARNING:esys:src/tss2-esys/api/Esys_StartAuthSession.c:390:Esys_StartAuthSession_Finish() Received TPM Error
2022-05-24T01:04:41.9132192Z ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:136:Esys_StartAuthSession() Esys Finish ErrorCode (0x000001d5)
2022-05-24T01:04:41.9145124Z [2022-05-24T01:04:41Z ERROR tss_esapi::context::tpm_commands::session_commands] Error when creating a session: structure is the wrong size (associated with parameter number 1)
2022-05-24T01:04:41.9153816Z thread 'main' panicked at 'Call to start_auth_session failed: Tss2Error(FormatOne(FormatOneResponseCode { .0: 469, error_number: 21, parameter: true, format_selector: true, number: 1 }))', tss-esapi/tests/integration_tests/context_tests/tpm_commands/enhanced_authorization_ea_commands_tests.rs:870:14
Patches
The issue has been patched in versions 6 and 7 of the tss-esapi crate. Please update to 7.1.0 or 6.1.2.
Workarounds
There is no workaround that achieves the same functionality.
References
For more information on the cause of the issue and the fix, see this PR.
For more details about the TPM2_StartAuthSession command see section 11.1 of the TPM spec, part 3, and section 19.6.3 of part 1 of the same spec for more information regarding session nonces.
For more information
If you have any questions or comments about this advisory:
- Open an issue or discussion in our repo
- Get in touch on our Slack channel
References
- GHSA-w3vw-ccc5-qr8v