Report
Reported by fergus-dall: https://github.com/fergus-dall
Tss2_RC_SetHandler and Tss2_RC_Decode both index into layer_handler with an 8-bit layer number, but the array only has TPM2_ERROR_TSS2_RC_LAYER_COUNT entries, so trying to add a handler for higher-numbered layers or decode a response code with such a layer number reads/writes past the end of the buffer. For example, on my system this program segfaults:
```c
#include <stdio.h>
#include "tss2/tss2_rc.h"

int main(void) {
    /* Layer byte (bits 16..23) is 0xff, beyond the layer_handler table. */
    printf("%s\n", Tss2_RC_Decode(0xffffffff));
    return 0;
}
```
Impact
Buffer overrun that could result in arbitrary code execution. An example attack would be a MITM attack on the TPM bus that returns 0xFFFFFFFF as the response code.
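The following is an added, self-contained model of the lookup pattern described above, not code from tpm2-tss: a handler table indexed by the layer byte of a TSS2_RC, with the bounds check that prevents the overrun. The layer shift and mask follow the TSS2_RC layout; LAYER_COUNT, the handler and the decode strings are constructed stand-ins for the library's own values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t TSS2_RC;

/* Layer field of a TSS2_RC: bits 16..23, so it can take any value 0..255. */
#define TSS2_RC_LAYER_SHIFT 16
#define TSS2_RC_LAYER_MASK  (0xFFu << TSS2_RC_LAYER_SHIFT)

/* Constructed table size standing in for TPM2_ERROR_TSS2_RC_LAYER_COUNT;
 * the point is only that it is smaller than the 256 values the field allows. */
#define LAYER_COUNT 16

typedef const char *(*layer_handler_fn)(TSS2_RC rc);

/* Constructed handler for layer 0 (the TPM layer). */
static const char *tpm_layer_handler(TSS2_RC rc) { (void)rc; return "tpm:error"; }

/* One slot per known layer, mirroring the layer_handler table. */
static layer_handler_fn layer_handler[LAYER_COUNT] = { tpm_layer_handler };

static unsigned layer_of(TSS2_RC rc) {
    return (rc & TSS2_RC_LAYER_MASK) >> TSS2_RC_LAYER_SHIFT;
}

/* The check the unpatched code lacks: is there a table slot for this layer? */
static bool layer_in_table(TSS2_RC rc) {
    return layer_of(rc) < LAYER_COUNT;
}

/* Hardened counterparts of SetHandler/Decode: reject out-of-range layers. */
bool safe_set_handler(uint8_t layer, layer_handler_fn fn) {
    if (layer >= LAYER_COUNT) return false;      /* would write past the table */
    layer_handler[layer] = fn;
    return true;
}

const char *safe_decode(TSS2_RC rc) {
    if (!layer_in_table(rc)) return "unknown layer"; /* would read past the table */
    layer_handler_fn fn = layer_handler[layer_of(rc)];
    return fn ? fn(rc) : "no handler";
}

int main(void) {
    printf("layer %u -> %s\n", layer_of(0xffffffffu), safe_decode(0xffffffffu));
    printf("layer %u -> %s\n", layer_of(0x0000009au), safe_decode(0x0000009au));
    return 0;
}
```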
Patches
In progress.
Workarounds
No
References
No