attest: add bounds checks for slice indexes
Found manually looking through the code. The activate credential could
crash the client, the secureboot and challenge generation could crash
the server.
ericchiang committed Dec 30, 2020
1 parent 0ee6160 commit 825440e
Showing 3 changed files with 17 additions and 2 deletions.
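--- a/attest/activation.go
+++ b/attest/activation.go
@@ -233,6 +233,12 @@ func (p *ActivationParameters) generateChallengeTPM20(secret []byte) (*Encrypted
 if err != nil {
 return nil, fmt.Errorf("DecodeAttestationData() failed: %v", err)
 }
+if att.AttestedCreationInfo == nil {
+return nil, fmt.Errorf("attestation was not for a creation event")
+}
+if att.AttestedCreationInfo.Name.Digest == nil {
+return nil, fmt.Errorf("attesation creation info name has no digest")
+}
 cred, encSecret, err := credactivation.Generate(att.AttestedCreationInfo.Name.Digest, p.EK, symBlockSize, secret)
 if err != nil {
 return nil, fmt.Errorf("credactivation.Generate() failed: %v", err)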
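Review bot: The second new error string is misspelled: `"attesation creation info name has no digest"` should read `"attestation creation info name has no digest"`, which matters to anyone searching server logs for rejected attestations. The commit message says these paths could crash the server or client on malformed input, yet none of the three changed files is a test. A regression case that passes generateChallengeTPM20 an attestation with a nil `AttestedCreationInfo` would keep the guard from silently regressing; the same applies to an event with empty `e.Data` in ParseSecurebootState and a one-byte `in.Credential` in activateCredential. generateChallengeTPM20 starts and ends outside this hunk.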
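--- a/attest/secureboot.go
+++ b/attest/secureboot.go
@@ -164,7 +164,7 @@ func ParseSecurebootState(events []Event) (*SecurebootState, error) {
 // https://github.com/rhboot/shim/commit/8a27a4809a6a2b40fb6a4049071bf96d6ad71b50
 // have an erroneous additional byte in the event, which breaks digest
 // verification. If verification failed, we try removing the last byte.
-if digestVerify != nil {
+if digestVerify != nil && len(e.Data) > 0 {
 digestVerify = e.digestEquals(e.Data[:len(e.Data)-1])
 }
 } else {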
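--- a/attest/wrapped_tpm20.go
+++ b/attest/wrapped_tpm20.go
@@ -246,6 +246,15 @@ func (k *wrappedKey20) activateCredential(tb tpmBase, in EncryptedCredential) ([
 return nil, fmt.Errorf("expected *wrappedTPM20, got %T", tb)
 }
 
+if len(in.Credential) < 2 {
+return nil, fmt.Errorf("malformed credential blob")
+}
+credential := in.Credential[2:]
+if len(in.Secret) < 2 {
+return nil, fmt.Errorf("malformed encrypted secret")
+}
+secret := in.Secret[2:]
+
 ekHnd, _, err := t.getPrimaryKeyHandle(commonEkEquivalentHandle)
 if err != nil {
 return nil, err
@@ -272,7 +281,7 @@ func (k *wrappedKey20) activateCredential(tb tpmBase, in EncryptedCredential) ([
 return tpm2.ActivateCredentialUsingAuth(t.rwc, []tpm2.AuthCommand{
 {Session: tpm2.HandlePasswordSession, Attributes: tpm2.AttrContinueSession},
 {Session: sessHandle, Attributes: tpm2.AttrContinueSession},
-}, k.hnd, ekHnd, in.Credential[2:], in.Secret[2:])
+}, k.hnd, ekHnd, credential, secret)
 }
 
 func (k *wrappedKey20) quote(tb tpmBase, nonce []byte, alg HashAlg) (*Quote, error) {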
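Review bot: The new guards in activateCredential drop the first two bytes of `in.Credential` and `in.Secret` without saying what those bytes are, and the literal `2` appears four times. They look like a two-byte size prefix (inferred; nothing in the hunk states it), so a comment above `credential := in.Credential[2:]` along the lines of `// Skip the leading 2-byte size field; the TPM call takes the payload only.` would document the offset once confirmed. If that reading is right, the check only prevents the out-of-range panic. A blob whose prefix disagrees with its remaining length is still forwarded to the TPM, so comparing the two would reject truncated or padded server responses earlier. activateCredential starts before the first hunk and ends inside the second.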
