[AUTO-CHERRYPICK] Patch tpm2-tools for CVE-2024-29038 & CVE-2024-29039. - branch main (#9825)

Co-authored-by: Sumynwa <sumsharma@microsoft.com>

Author: CBL-Mariner-Bot

SPECS/tpm2-tools/CVE-2021-3565.patch

@@ -0,0 +1,35 @@
+From 66d922d6547b7b4fe4f274fb2ec10b376e0e259c Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_repp@web.de>
+Date: Tue, 31 Oct 2023 11:29:50 +0100
+Subject: [PATCH] tpm2_checkquote: Fix check of magic number.
+
+It was not checked whether the magic number in the
+attest is equal to TPM2_GENERATED_VALUE.
+So an malicious attacker could generate arbitrary quote data
+which was not detected by tpm2 checkquote.
+
+Fixes: CVE-2024-29038
+
+Signed-off-by: Juergen Repp <juergen_repp@web.de>
+---
+ tools/misc/tpm2_checkquote.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
+index d682f48..5831da8 100644
+--- a/tools/misc/tpm2_checkquote.c
++++ b/tools/misc/tpm2_checkquote.c
+@@ -124,6 +124,13 @@ static bool verify_signature() {
+         goto err;
+     }
+ 
++    // check magic
++    if (ctx.attest.magic != TPM2_GENERATED_VALUE) {
++        LOG_ERR("Bad magic, got: 0x%x, expected: 0x%x",
++                ctx.attest.magic, TPM2_GENERATED_VALUE);
++        return false;
++    }
++
+     // Also ensure digest from quote matches PCR digest
+     if (ctx.flags.pcr) {
+         if (!tpm2_util_verify_digests(&ctx.attest.attested.quote.pcrDigest,

SPECS/tpm2-tools/CVE-2024-29038.patch

@@ -0,0 +1,84 @@
+From 98599df9392a346216c5a059b8d35271286100bb Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_repp@web.de>
+Date: Tue, 5 Mar 2024 22:11:38 +0100
+Subject: [PATCH] tpm2_checkquote: Add comparison of pcr selection.
+
+The pcr selection which is passed with the --pcr parameter it not
+compared with the attest. So it's possible to fake a valid
+attestation.
+
+Fixes: CVE-2024-29039
+
+Signed-off-by: Juergen Repp <juergen_repp@web.de>
+Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com>
+
+---
+ tools/misc/tpm2_checkquote.c | 41 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
+index 9225b25..d682f48 100644
+--- a/tools/misc/tpm2_checkquote.c
++++ b/tools/misc/tpm2_checkquote.c
+@@ -48,6 +48,37 @@ static tpm2_verifysig_ctx ctx = {
+         .pcr_hash = TPM2B_TYPE_INIT(TPM2B_DIGEST, buffer),
+ };
+ 
++static bool compare_pcr_selection(TPML_PCR_SELECTION *attest_sel, TPML_PCR_SELECTION *pcr_sel) {
++    if (attest_sel->count != pcr_sel->count) {
++        LOG_ERR("Selection sizes do not match.");
++        return false;
++    }
++    for (uint32_t i = 0; i < attest_sel->count; i++) {
++        for (uint32_t j = 0; j < pcr_sel->count; j++) {
++            if (attest_sel->pcrSelections[i].hash ==
++                pcr_sel->pcrSelections[j].hash) {
++                if (attest_sel->pcrSelections[i].sizeofSelect !=
++                        pcr_sel->pcrSelections[j].sizeofSelect) {
++                    LOG_ERR("Bitmask size does not match");
++                    return false;
++                }
++                if (memcmp(&attest_sel->pcrSelections[i].pcrSelect[0],
++                           &pcr_sel->pcrSelections[j].pcrSelect[0],
++                           attest_sel->pcrSelections[i].sizeofSelect) != 0) {
++                    LOG_ERR("Selection bitmasks do not match");
++                    return false;
++                }
++                break;
++            }
++            if (j == pcr_sel->count - 1) {
++                LOG_ERR("Hash selections to not match.");
++                return false;
++            }
++        }
++    }
++    return true;
++}
++
+ static bool verify_signature() {
+ 
+     bool result = false;
+@@ -212,7 +243,7 @@ static tool_rc init(void) {
+     }
+ 
+     TPM2B_ATTEST *msg = NULL;
+-    TPML_PCR_SELECTION pcr_select;
++    TPML_PCR_SELECTION pcr_select = { 0 };
+     tpm2_pcrs * pcrs;
+     tool_rc return_value = tool_rc_general_error;
+ 
+@@ -279,6 +310,14 @@ static tool_rc init(void) {
+         goto err;
+     }
+ 
++    if (ctx.flags.pcr) {
++        if (!compare_pcr_selection(&ctx.attest.attested.quote.pcrSelect,
++                                   &pcr_select)) {
++            LOG_ERR("PCR selection does not match PCR slection from attest!");
++            goto err;
++        }
++    }
++
+     // Figure out the digest for this message
+     bool res = tpm2_openssl_hash_compute_data(ctx.halg, msg->attestationData,
+             msg->size, &ctx.msg_hash);

SPECS/tpm2-tools/CVE-2024-29039.patch

@@ -1,13 +1,15 @@
 Summary:        The source repository for the TPM (Trusted Platform Module) 2 tools
 Name:           tpm2-tools
 Version:        4.3.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/Security
 URL:            https://github.com/tpm2-software/tpm2-tools
 Source0:        https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz
+Patch0:         CVE-2024-29039.patch
+Patch1:         CVE-2024-29038.patch
 BuildRequires:  curl-devel
 BuildRequires:  openssl-devel
 BuildRequires:  tpm2-tss-devel >= 2.3.0
@@ -40,6 +42,9 @@ make DESTDIR=%{buildroot} install
 %{_datarootdir}/bash-completion/completions/tss2_*
 
 %changelog
+* Thu Jul 11 2024 Sumedh Sharma <sumsharma@microsoft.com> - 4.3.2-2
+- Add patch for CVE-2024-29039 & CVE-2024-29038
+
 * Tue Jan 18 2022 Daniel McIlvaney <damcilva@microsoft.com> - 4.3.2-1
 - Update to 4.3.2.
 - Verified license