Merge pull request #461 from aidangarske/fix-fenrir-wolftpm

Fix security vulnerabilities identified by Fenrir scanner

Author: dgarske

src/tpm2.c

@@ -851,6 +851,9 @@ TPM_RC TPM2_IncrementalSelfTest(IncrementalSelfTest_In* in,
         rc = TPM2_SendCommand(ctx, &packet);
         if (rc == TPM_RC_SUCCESS) {
             TPM2_Packet_ParseU32(&packet, &out->toDoList.count);
+            if (out->toDoList.count > MAX_ALG_LIST_SIZE) {
+                out->toDoList.count = MAX_ALG_LIST_SIZE;
+            }
             for (i=0; i<(int)out->toDoList.count; i++) {
                 TPM2_Packet_ParseU16(&packet, &out->toDoList.algorithms[i]);
             }
@@ -1163,8 +1166,16 @@ TPM_RC TPM2_PCR_Read(PCR_Read_In* in, PCR_Read_Out* out)
             TPM2_Packet_ParseU32(&packet, &out->pcrUpdateCounter);
             TPM2_Packet_ParsePCR(&packet, &out->pcrSelectionOut);
             TPM2_Packet_ParseU32(&packet, &out->pcrValues.count);
+            if (out->pcrValues.count > 8) {
+                out->pcrValues.count = 8;
+            }
             for (i=0; i<(int)out->pcrValues.count; i++) {
                 TPM2_Packet_ParseU16(&packet, &out->pcrValues.digests[i].size);
+                if (out->pcrValues.digests[i].size >
+                        sizeof(out->pcrValues.digests[i].buffer)) {
+                    out->pcrValues.digests[i].size =
+                        sizeof(out->pcrValues.digests[i].buffer);
+                }
                 TPM2_Packet_ParseBytes(&packet,
                     out->pcrValues.digests[i].buffer,
                     out->pcrValues.digests[i].size);
@@ -2685,6 +2696,9 @@ TPM_RC TPM2_EventSequenceComplete(EventSequenceComplete_In* in,
             TPM2_Packet_ParseU32(&packet, &paramSz);
 
             TPM2_Packet_ParseU32(&packet, &out->results.count);
+            if (out->results.count > HASH_COUNT) {
+                out->results.count = HASH_COUNT;
+            }
             for (i=0; i<(int)out->results.count; i++) {
                 TPM2_Packet_ParseU16(&packet,
                     &out->results.digests[i].hashAlg);
@@ -2876,7 +2890,7 @@ TPM_RC TPM2_GetSessionAuditDigest(GetSessionAuditDigest_In* in,
     if (rc == TPM_RC_SUCCESS) {
         TPM2_Packet packet;
         CmdInfo_t info = {0,0,0,0};
-        info.inHandleCnt = 2;
+        info.inHandleCnt = 3;
         info.flags = (CMD_FLAG_ENC2 | CMD_FLAG_DEC2 | CMD_FLAG_AUTH_USER1 |
             CMD_FLAG_AUTH_USER2);
 
@@ -3292,7 +3306,10 @@ TPM_RC TPM2_PCR_Event(PCR_Event_In* in, PCR_Event_Out* out)
             TPM2_Packet_ParseU32(&packet, &paramSz);
 
             TPM2_Packet_ParseU32(&packet, &out->digests.count);
-            for (i=0; (int)out->digests.count; i++) {
+            if (out->digests.count > HASH_COUNT) {
+                out->digests.count = HASH_COUNT;
+            }
+            for (i=0; i < (int)out->digests.count; i++) {
                 int digestSz;
                 TPM2_Packet_ParseU16(&packet, &out->digests.digests[i].hashAlg);
                 digestSz = TPM2_GetHashDigestSize(
@@ -4019,17 +4036,23 @@ static TPM_RC TPM2_PolicySessionOnly(TPM_CC cc, TPMI_SH_POLICY policy)
 
 TPM_RC TPM2_PolicyPhysicalPresence(PolicyPhysicalPresence_In* in)
 {
+    if (in == NULL)
+        return BAD_FUNC_ARG;
     return TPM2_PolicySessionOnly(TPM_CC_PolicyPhysicalPresence,
         in->policySession);
 }
 
 TPM_RC TPM2_PolicyAuthValue(PolicyAuthValue_In* in)
 {
+    if (in == NULL)
+        return BAD_FUNC_ARG;
     return TPM2_PolicySessionOnly(TPM_CC_PolicyAuthValue, in->policySession);
 }
 
 TPM_RC TPM2_PolicyPassword(PolicyPassword_In* in)
 {
+    if (in == NULL)
+        return BAD_FUNC_ARG;
     return TPM2_PolicySessionOnly(TPM_CC_PolicyPassword, in->policySession);
 }
 

src/tpm2_asn.c

@@ -326,6 +326,14 @@ int TPM2_ASN_DecodeRsaPubKey(uint8_t* input, int inputSz,
     if (rc == 0) {
         idx += mod_len;
         rc = TPM2_ASN_DecodeTag(input, inputSz, &idx, &exp_len, TPM2_ASN_INTEGER);
+    }
+    if (rc == 0) {
+        /* Validate exp_len and idx before accessing input buffer */
+        if (exp_len <= 0 || idx >= inputSz) {
+            rc = -1;
+        }
+    }
+    if (rc == 0) {
         if (input[idx] == 0x00) {
             idx++;
             exp_len--;

src/tpm2_cryptocb.c

@@ -613,8 +613,8 @@ int wolfTPM2_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx)
         if (hmacCtx && hmacCtx->hash.handle.hndl == 0) {
         #ifdef DEBUG_WOLFTPM
             printf("Error: HMAC context invalid!\n");
-            return BAD_FUNC_ARG;
         #endif
+            return BAD_FUNC_ARG;
         }
 
         if (info->hmac.in != NULL) { /* Update */

src/tpm2_linux.c

@@ -144,11 +144,12 @@ int TPM2_LINUX_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet)
                     rspSz = (int)ret;
                     rc = TPM_RC_SUCCESS;
                 }
-                else if (rspSz == 0) {
+                else if (ret == 0) {
                 #ifdef DEBUG_WOLFTPM
                     printf("Received EOF(0) from %s: errno %d = %s\n",
                         TPM2_LINUX_DEV, errno, strerror(errno));
                 #endif
+                    rc = TPM_RC_FAILURE;
                 }
                 else {
                 #ifdef DEBUG_WOLFTPM
@@ -190,6 +191,8 @@ int TPM2_LINUX_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet)
         printf("Response size: %d\n", (int)rspSz);
         TPM2_PrintBin(packet->buf, rspSz);
     }
+#else
+    (void)rspSz;
 #endif
     return rc;
 }

src/tpm2_packet.c

@@ -191,7 +191,10 @@ void TPM2_Packet_ParseBytes(TPM2_Packet* packet, byte* buf, int size)
             int sizeToCopy = size;
             if (packet->pos + sizeToCopy > packet->size)
                 sizeToCopy = packet->size - packet->pos;
-            XMEMCPY(buf, &packet->buf[packet->pos], sizeToCopy);
+            /* Guard against negative sizeToCopy (when pos > size) */
+            if (sizeToCopy > 0) {
+                XMEMCPY(buf, &packet->buf[packet->pos], sizeToCopy);
+            }
         }
         packet->pos += size;
     }
@@ -399,14 +402,32 @@ TPM_ST TPM2_Packet_AppendAuth(TPM2_Packet* packet, TPM2_CTX* ctx, CmdInfo_t* inf
 
 void TPM2_Packet_ParseAuth(TPM2_Packet* packet, TPMS_AUTH_RESPONSE* authRsp)
 {
+    UINT16 wireSize;
+
     if (authRsp == NULL)
         return;
 
-    TPM2_Packet_ParseU16(packet, &authRsp->nonce.size);
+    TPM2_Packet_ParseU16(packet, &wireSize);
+    authRsp->nonce.size = wireSize;
+    if (authRsp->nonce.size > sizeof(authRsp->nonce.buffer)) {
+        authRsp->nonce.size = sizeof(authRsp->nonce.buffer);
+    }
     TPM2_Packet_ParseBytes(packet, authRsp->nonce.buffer, authRsp->nonce.size);
+    /* Skip any remaining bytes to keep packet position synchronized */
+    if (wireSize > authRsp->nonce.size) {
+        TPM2_Packet_ParseBytes(packet, NULL, wireSize - authRsp->nonce.size);
+    }
     TPM2_Packet_ParseU8(packet, &authRsp->sessionAttributes);
-    TPM2_Packet_ParseU16(packet, &authRsp->hmac.size);
+    TPM2_Packet_ParseU16(packet, &wireSize);
+    authRsp->hmac.size = wireSize;
+    if (authRsp->hmac.size > sizeof(authRsp->hmac.buffer)) {
+        authRsp->hmac.size = sizeof(authRsp->hmac.buffer);
+    }
     TPM2_Packet_ParseBytes(packet, authRsp->hmac.buffer, authRsp->hmac.size);
+    /* Skip any remaining bytes to keep packet position synchronized */
+    if (wireSize > authRsp->hmac.size) {
+        TPM2_Packet_ParseBytes(packet, NULL, wireSize - authRsp->hmac.size);
+    }
 }
 
 void TPM2_Packet_AppendPCR(TPM2_Packet* packet, TPML_PCR_SELECTION* pcr)
@@ -552,17 +573,35 @@ void TPM2_Packet_AppendEccPoint(TPM2_Packet* packet, TPMS_ECC_POINT* point)
 }
 void TPM2_Packet_ParseEccPoint(TPM2_Packet* packet, TPMS_ECC_POINT* point)
 {
+    UINT16 wireSize;
+
     if (point == NULL) {
 #ifdef DEBUG_WOLFTPM
         printf("Error null argument passed to TPM2_Packet_ParseEccPoint()\n");
 #endif
         return; /* help out static analysis */
     }
 
-    TPM2_Packet_ParseU16(packet, &point->x.size);
+    TPM2_Packet_ParseU16(packet, &wireSize);
+    point->x.size = wireSize;
+    if (point->x.size > sizeof(point->x.buffer)) {
+        point->x.size = sizeof(point->x.buffer);
+    }
     TPM2_Packet_ParseBytes(packet, point->x.buffer, point->x.size);
-    TPM2_Packet_ParseU16(packet, &point->y.size);
+    /* Skip any remaining bytes to keep packet position synchronized */
+    if (wireSize > point->x.size) {
+        TPM2_Packet_ParseBytes(packet, NULL, wireSize - point->x.size);
+    }
+    TPM2_Packet_ParseU16(packet, &wireSize);
+    point->y.size = wireSize;
+    if (point->y.size > sizeof(point->y.buffer)) {
+        point->y.size = sizeof(point->y.buffer);
+    }
     TPM2_Packet_ParseBytes(packet, point->y.buffer, point->y.size);
+    /* Skip any remaining bytes to keep packet position synchronized */
+    if (wireSize > point->y.size) {
+        TPM2_Packet_ParseBytes(packet, NULL, wireSize - point->y.size);
+    }
 }
 
 void TPM2_Packet_AppendPoint(TPM2_Packet* packet, TPM2B_ECC_POINT* point)
@@ -818,6 +857,7 @@ void TPM2_Packet_AppendSignature(TPM2_Packet* packet, TPMT_SIGNATURE* sig)
 void TPM2_Packet_ParseSignature(TPM2_Packet* packet, TPMT_SIGNATURE* sig)
 {
     int digestSz;
+    UINT16 wireSize;
 
     TPM2_Packet_ParseU16(packet, &sig->sigAlg);
 
@@ -826,21 +866,54 @@ void TPM2_Packet_ParseSignature(TPM2_Packet* packet, TPMT_SIGNATURE* sig)
     case TPM_ALG_ECDAA:
         TPM2_Packet_ParseU16(packet, &sig->signature.ecdsa.hash);
 
-        TPM2_Packet_ParseU16(packet, &sig->signature.ecdsa.signatureR.size);
+        TPM2_Packet_ParseU16(packet, &wireSize);
+        sig->signature.ecdsa.signatureR.size = wireSize;
+        if (sig->signature.ecdsa.signatureR.size >
+                sizeof(sig->signature.ecdsa.signatureR.buffer)) {
+            sig->signature.ecdsa.signatureR.size =
+                sizeof(sig->signature.ecdsa.signatureR.buffer);
+        }
         TPM2_Packet_ParseBytes(packet, sig->signature.ecdsa.signatureR.buffer,
             sig->signature.ecdsa.signatureR.size);
+        /* Skip any remaining bytes to keep packet position synchronized */
+        if (wireSize > sig->signature.ecdsa.signatureR.size) {
+            TPM2_Packet_ParseBytes(packet, NULL,
+                wireSize - sig->signature.ecdsa.signatureR.size);
+        }
 
-        TPM2_Packet_ParseU16(packet, &sig->signature.ecdsa.signatureS.size);
+        TPM2_Packet_ParseU16(packet, &wireSize);
+        sig->signature.ecdsa.signatureS.size = wireSize;
+        if (sig->signature.ecdsa.signatureS.size >
+                sizeof(sig->signature.ecdsa.signatureS.buffer)) {
+            sig->signature.ecdsa.signatureS.size =
+                sizeof(sig->signature.ecdsa.signatureS.buffer);
+        }
         TPM2_Packet_ParseBytes(packet, sig->signature.ecdsa.signatureS.buffer,
             sig->signature.ecdsa.signatureS.size);
+        /* Skip any remaining bytes to keep packet position synchronized */
+        if (wireSize > sig->signature.ecdsa.signatureS.size) {
+            TPM2_Packet_ParseBytes(packet, NULL,
+                wireSize - sig->signature.ecdsa.signatureS.size);
+        }
         break;
     case TPM_ALG_RSASSA:
     case TPM_ALG_RSAPSS:
         TPM2_Packet_ParseU16(packet, &sig->signature.rsassa.hash);
 
-        TPM2_Packet_ParseU16(packet, &sig->signature.rsassa.sig.size);
+        TPM2_Packet_ParseU16(packet, &wireSize);
+        sig->signature.rsassa.sig.size = wireSize;
+        if (sig->signature.rsassa.sig.size >
+                sizeof(sig->signature.rsassa.sig.buffer)) {
+            sig->signature.rsassa.sig.size =
+                sizeof(sig->signature.rsassa.sig.buffer);
+        }
         TPM2_Packet_ParseBytes(packet, sig->signature.rsassa.sig.buffer,
             sig->signature.rsassa.sig.size);
+        /* Skip any remaining bytes to keep packet position synchronized */
+        if (wireSize > sig->signature.rsassa.sig.size) {
+            TPM2_Packet_ParseBytes(packet, NULL,
+                wireSize - sig->signature.rsassa.sig.size);
+        }
         break;
     case TPM_ALG_HMAC:
         TPM2_Packet_ParseU16(packet, &sig->signature.hmac.hashAlg);