
Commit b8c22cc

committed
Fix Fenrir findings #342, #536, #537, #538, #541, #542, #543, #544, #545, #546, #547, #878, #879, #880, #883, #884, #885, #886
1 parent 664db13 commit b8c22cc

3 files changed

Lines changed: 52 additions & 7 deletions


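--- a/src/tpm2.c
+++ b/src/tpm2.c
@@ -5866,7 +5866,8 @@ int TPM2_GetNonceNoLock(byte* nonceBuf, int nonceSz)
 }
 
 TPM2_Packet_ParseU16(&packet, &outSz);
-if (outSz > MAX_RNG_REQ_SIZE) {
+if (outSz == 0 || outSz > MAX_RNG_REQ_SIZE ||
+outSz > (UINT16)(nonceSz - randSz)) {
 #ifdef DEBUG_WOLFTPM
 printf("TPM2_GetNonce out size error\n");
 #endif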
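Review bot: The new bound `outSz > (UINT16)(nonceSz - randSz)` in TPM2_GetNonceNoLock narrows an int difference to 16 bits before comparing. A remaining length of 65536 or more wraps (65536 becomes 0), so a valid response is rejected as a size error, and a negative difference would wrap to a large bound that no longer limits the copy. nonceSz is an int per the signature; randSz is declared outside the hunk, so its type is assumed here. Comparing in the wider type avoids both cases: `(int)outSz > (nonceSz - randSz)`. The loop that advances randSz and the copy that this check protects are outside the hunk.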

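--- a/src/tpm2_swtpm.c
+++ b/src/tpm2_swtpm.c
@@ -260,7 +260,7 @@ static TPM_RC SwTpmDisconnect(TPM2_CTX* ctx)
 */
 int TPM2_SWTPM_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet)
 {
-int rc = TPM_RC_FAILURE;
+int rc = TPM_RC_SUCCESS;
 int rspSz = 0;
 uint32_t tss_word;
 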
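Review bot: Initialising `rc` to `TPM_RC_SUCCESS` in TPM2_SWTPM_SendCommand makes the function fail open: any path that reaches the return without assigning rc now reports success, where the old `TPM_RC_FAILURE` default reported an error. The body is outside the hunk, so I cannot confirm which path needed the new default or that every failing step assigns rc. Please record the reason at the declaration, for example `/* success unless a step below fails; <path that leaves rc unassigned> */`, or keep the failure default and set success explicitly on the path that needs it.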

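--- a/src/tpm2_wrap.c
+++ b/src/tpm2_wrap.c
@@ -540,6 +540,14 @@ int wolfTPM2_SetKeyBlobFromBuffer(WOLFTPM2_KEYBLOB* key, byte *buffer,
 runner += sizeof(key->pub.size);
 done_reading += sizeof(key->pub.size);
 
+if (key->pub.size > sizeof(pubAreaBuffer) - sizeof(UINT16)) {
+#ifdef DEBUG_WOLFTPM
+printf("Public key size too large (%d > %d)\n",
+key->pub.size, (int)(sizeof(pubAreaBuffer) - sizeof(UINT16)));
+#endif
+return BUFFER_E;
+}
+
 if (bufferSz < done_reading + sizeof(UINT16) + key->pub.size) {
 #ifdef DEBUG_WOLFTPM
 printf("Buffer size check failed (%d)\n", bufferSz);
@@ -569,6 +577,14 @@ int wolfTPM2_SetKeyBlobFromBuffer(WOLFTPM2_KEYBLOB* key, byte *buffer,
 runner += sizeof(key->priv.size);
 done_reading += sizeof(key->priv.size);
 
+if (key->priv.size > sizeof(key->priv.buffer)) {
+#ifdef DEBUG_WOLFTPM
+printf("Private key size too large (%d > %d)\n",
+key->priv.size, (int)sizeof(key->priv.buffer));
+#endif
+return BUFFER_E;
+}
+
 if (bufferSz < done_reading + key->priv.size) {
 #ifdef DEBUG_WOLFTPM
 printf("Buffer size check failed (%d)\n", bufferSz);
@@ -1032,7 +1048,7 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
 {
 const TPM2B_AUTH* auth = NULL;
 const TPM2B_NAME* name = NULL;
-if (dev == NULL || index >= MAX_SESSION_NUM) {
+if (dev == NULL || index < 0 || index >= MAX_SESSION_NUM) {
 return BAD_FUNC_ARG;
 }
 
@@ -1064,7 +1080,10 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
 XMEMCPY(&session->auth.buffer[authDigestSz], handle->auth.buffer,
 handle->auth.size);
 session->name.size = handle->name.size;
-XMEMCPY(session->name.name, handle->name.name, handle->name.size);
+if (session->name.size > sizeof(session->name.name)) {
+session->name.size = sizeof(session->name.name);
+}
+XMEMCPY(session->name.name, handle->name.name, session->name.size);
 return TPM_RC_SUCCESS;
 }
 auth = &handle->auth;
@@ -1079,7 +1098,7 @@ int wolfTPM2_SetAuthHandleName(WOLFTPM2_DEV* dev, int index,
 const TPM2B_NAME* name = NULL;
 TPM2_AUTH_SESSION* session;
 
-if (dev == NULL || handle == NULL || index >= MAX_SESSION_NUM) {
+if (dev == NULL || handle == NULL || index < 0 || index >= MAX_SESSION_NUM) {
 return BAD_FUNC_ARG;
 }
 
@@ -1136,7 +1155,7 @@ int wolfTPM2_SetAuthSession(WOLFTPM2_DEV* dev, int index,
 {
 int rc;
 
-if (dev == NULL || index >= MAX_SESSION_NUM) {
+if (dev == NULL || index < 0 || index >= MAX_SESSION_NUM) {
 return BAD_FUNC_ARG;
 }
 
@@ -1596,6 +1615,8 @@ static int wolfTPM2_EncryptSecret_RSA(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* tpm
 
 wc_FreeRsaKey(&rsaKey);
 wc_FreeRng(&rng);
+TPM2_ForceZero(&rsaKey, sizeof(rsaKey));
+TPM2_ForceZero(&rng, sizeof(rng));
 
 if (rc > 0) {
 rc = (rc == secret->size) ? 0 /* success */ : BUFFER_E /* fail */;
@@ -2939,6 +2960,9 @@ int wolfTPM2_ImportEccPrivateKeySeed(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* pare
 if (rc == 0) {
 rc = wolfTPM2_ImportPrivateKey(dev, parentKey, keyBlob, &pub, &sens);
 }
+
+TPM2_ForceZero(&sens, sizeof(sens));
+
 return rc;
 }
 
@@ -3684,6 +3708,10 @@ int wolfTPM2_CreateRsaKeyBlob(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* parentKey,
 /* not used */
 (void)p;
 
+TPM2_ForceZero(d, sizeof(d));
+TPM2_ForceZero(p, sizeof(p));
+TPM2_ForceZero(q, sizeof(q));
+
 return rc;
 }
 
@@ -3728,6 +3756,10 @@ int wolfTPM2_RsaKey_WolfToTpm_ex(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* parentKe
 
 /* not used */
 (void)p;
+
+TPM2_ForceZero(d, sizeof(d));
+TPM2_ForceZero(p, sizeof(p));
+TPM2_ForceZero(q, sizeof(q));
 }
 else {
 /* export the raw public RSA portion */
@@ -3911,6 +3943,8 @@ int wolfTPM2_CreateEccKeyBlob(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* parentKey,
 qx, qxSz, qy, qySz, d, dSz);
 }
 
+TPM2_ForceZero(d, sizeof(d));
+
 return rc;
 }
 
@@ -3986,6 +4020,8 @@ int wolfTPM2_EccKey_WolfToTpm_ex(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* parentKey,
 rc = wolfTPM2_LoadEccPrivateKey(dev, parentKey, tpmKey, curve_id,
 qx, qxSz, qy, qySz, d, dSz);
 }
+
+TPM2_ForceZero(d, sizeof(d));
 }
 else {
 /* export the raw public ECC portion */
@@ -5231,6 +5267,10 @@ int wolfTPM2_NVReadCert(WOLFTPM2_DEV* dev, TPM_HANDLE handle,
 WOLFTPM2_NV nv;
 TPMS_NV_PUBLIC nvPublic;
 
+if (len == NULL) {
+return BAD_FUNC_ARG;
+}
+
 XMEMSET(&nvPublic, 0, sizeof(nvPublic));
 XMEMSET(&nv, 0, sizeof(nv));
 
@@ -5530,7 +5570,7 @@ int wolfTPM2_GetRandom(WOLFTPM2_DEV* dev, byte* buf, word32 len)
 }
 
 sz = out.randomBytes.size; /* use actual returned size */
-if (sz > MAX_RNG_REQ_SIZE) {
+if (sz == 0 || sz > MAX_RNG_REQ_SIZE || sz > (len - pos)) {
 #ifdef DEBUG_WOLFTPM
 printf("wolfTPM2_GetRandom out size error\n");
 #endif
@@ -5857,6 +5897,8 @@ int wolfTPM2_LoadSymmetricKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key, int alg,
 
 exit:
 
+TPM2_ForceZero(&loadExtIn, sizeof(loadExtIn));
+
 if (rc != TPM_RC_SUCCESS) {
 #ifdef DEBUG_WOLFTPM
 printf("TPM2_LoadExternal: failed %d: %s\n",
@@ -6097,6 +6139,8 @@ int wolfTPM2_LoadKeyedHashKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
 (word32)key->handle.hndl);
 #endif
 
+TPM2_ForceZero(&createIn, sizeof(createIn));
+
 return rc;
 }
 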
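Review bot: In wolfTPM2_SetAuthHandle (hunk at -1064) an oversized `handle->name.size` is silently clamped to `sizeof(session->name.name)` and the function still returns `TPM_RC_SUCCESS`. The session then holds a truncated name that no longer matches the handle, which would presumably show up later as an unexplained authorization failure rather than at the source. Rejecting the input is safer and matches the `BUFFER_E` returns this commit adds in wolfTPM2_SetKeyBlobFromBuffer: `if (handle->name.size > sizeof(session->name.name)) return BUFFER_E;`, placed before any session field is written. The context line above copies `handle->auth.size` bytes to `&session->auth.buffer[authDigestSz]`; its bound is not visible because the enclosing block starts above the hunk, and it deserves the same check if one is missing.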
