-
Notifications
You must be signed in to change notification settings - Fork 134
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
integer wraparound in tlv functions #678
Comments
To avoid an integer wrap-around use uint64_t for 'offset' so that adding an untrusted 32bit number will allow for comparison against trusted 32bit number (buffer_len): if (offset + td->tlv.length > buffer_len) return NULL; This avoids possible out-of-bound accesses and crashes when reading specially crafted input data. Resolves: #678 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Thanks for reporting this one. Yes, there may be an integer wrap-around occurring in this function that can then cause crashes when reading from memory locations. Please have a look at the PR that for now only resolves the issue in |
To avoid an integer wrap-around use uint64_t for 'offset' so that adding an untrusted 32-bit number will allow for comparison against the trusted 'buffer_len' 32-bit number: if (offset + td->tlv.length > buffer_len) return NULL; This avoids possible out-of-bound accesses and crashes when reading specially crafted input data that have a tlv.length causing an integer overflow. Resolves: #678 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To avoid an integer wrap-around use uint64_t for 'offset' so that adding an untrusted 32-bit number will allow for comparison against the trusted 'buffer_len' 32-bit number: if (offset + td->tlv.length > buffer_len) return NULL; This avoids possible out-of-bound accesses and crashes when reading specially crafted TPM state input data that have a tlv.length that is so large that is causes an integer overflow. Resolves: #678 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
I would say they work on data that are as trusted as the pflash files for EFI code and variables and the virtual machine image(s)... they should be susceptible to malicious root only. |
Cool, that's good news. The pull request looks good to me. Thanks for the quick turnarounds! |
To avoid an integer wrap-around use uint64_t for 'offset' so that adding an untrusted 32-bit number will allow for comparison against the trusted 'buffer_len' 32-bit number: if (offset + td->tlv.length > buffer_len) return NULL; This avoids possible out-of-bound accesses and crashes when reading specially crafted TPM state input data that have a tlv.length that is so large that is causes an integer overflow. Resolves: #678 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To avoid an integer wrap-around use uint64_t for 'offset' so that adding an untrusted 32-bit number will allow for comparison against the trusted 'buffer_len' 32-bit number: if (offset + td->tlv.length > buffer_len) return NULL; This avoids possible out-of-bound accesses and crashes when reading specially crafted TPM state input data that have a tlv.length that is so large that is causes an integer overflow. Resolves: #678 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To avoid an integer wrap-around use uint64_t for 'offset' so that adding an untrusted 32-bit number will allow for comparison against the trusted 'buffer_len' 32-bit number: if (offset + td->tlv.length > buffer_len) return NULL; This avoids possible out-of-bound accesses and crashes when reading specially crafted TPM state input data that have a tlv.length that is so large that is causes an integer overflow. Resolves: #678 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To avoid an integer wrap-around use uint64_t for 'offset' so that adding an untrusted 32-bit number will allow for comparison against the trusted 'buffer_len' 32-bit number: if (offset + td->tlv.length > buffer_len) return NULL; This avoids possible out-of-bound accesses and crashes when reading specially crafted TPM state input data that have a tlv.length that is so large that is causes an integer overflow. Resolves: #678 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To avoid an integer wrap-around use uint64_t for 'offset' so that adding an untrusted 32-bit number will allow for comparison against the trusted 'buffer_len' 32-bit number: if (offset + td->tlv.length > buffer_len) return NULL; This avoids possible out-of-bound accesses and crashes when reading specially crafted TPM state input data that have a tlv.length that is so large that is causes an integer overflow. Resolves: #678 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
swtpm/src/swtpm/tlv.c
Line 138 in 2579038
Hello, in
tlv_data_find_tag()
there's a check fortd->tlv.length
being slightly out of bounds; what happens if it is large enough that adding it tooffset
causes an integer wraparound?tlv_data_append()
does something similar.Are these tlv functions working on entirely trusted data?
Thanks
The text was updated successfully, but these errors were encountered: