Skip to content

Commit

Permalink
attest: add bounds checks for slice indexes
Browse files Browse the repository at this point in the history
Found manually looking through the code. The activate credential could
crash the client, while the secureboot may be able to crash the server.
  • Loading branch information
ericchiang committed Dec 30, 2020
1 parent 0ee6160 commit 2ea07f9
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 2 deletions.
2 changes: 1 addition & 1 deletion attest/secureboot.go
Original file line number Diff line number Diff line change
Expand Up @@ -164,7 +164,7 @@ func ParseSecurebootState(events []Event) (*SecurebootState, error) {
// https://github.com/rhboot/shim/commit/8a27a4809a6a2b40fb6a4049071bf96d6ad71b50
// have an erroneous additional byte in the event, which breaks digest
// verification. If verification failed, we try removing the last byte.
if digestVerify != nil {
if digestVerify != nil && len(e.Data) > 0 {
digestVerify = e.digestEquals(e.Data[:len(e.Data)-1])
}
} else {
Expand Down
11 changes: 10 additions & 1 deletion attest/wrapped_tpm20.go
Original file line number Diff line number Diff line change
Expand Up @@ -246,6 +246,15 @@ func (k *wrappedKey20) activateCredential(tb tpmBase, in EncryptedCredential) ([
return nil, fmt.Errorf("expected *wrappedTPM20, got %T", tb)
}

if len(in.Credential) < 2 {
return nil, fmt.Errorf("malformed credential blob")
}
credential := in.Credential[2:]
if len(in.Secret) < 2 {
return nil, fmt.Errorf("malformed encrypted secret")
}
secret := in.Secret[2:]

ekHnd, _, err := t.getPrimaryKeyHandle(commonEkEquivalentHandle)
if err != nil {
return nil, err
Expand All @@ -272,7 +281,7 @@ func (k *wrappedKey20) activateCredential(tb tpmBase, in EncryptedCredential) ([
return tpm2.ActivateCredentialUsingAuth(t.rwc, []tpm2.AuthCommand{
{Session: tpm2.HandlePasswordSession, Attributes: tpm2.AttrContinueSession},
{Session: sessHandle, Attributes: tpm2.AttrContinueSession},
}, k.hnd, ekHnd, in.Credential[2:], in.Secret[2:])
}, k.hnd, ekHnd, credential, secret)
}

func (k *wrappedKey20) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {
Expand Down

0 comments on commit 2ea07f9

Please sign in to comment.