Google Git
Sign in
fuchsia / third_party / github.com / stefanberger / swtpm / 208a30a0eed03a1378809b648fd032b45589ddfb
commit208a30a0eed03a1378809b648fd032b45589ddfb[log] [tgz]
authorStefan Berger <stefanb@linux.ibm.com>Mon Mar 28 11:23:11 2022 -0400
committerStefan Berger <stefanb@us.ibm.com>Wed Mar 30 15:51:54 2022 -0400
tree81a7102224cfca90a7f7adab664caa61c58acff3
parent2ee76e946c8e335c38c7a1c5c9cdfae5236d6237 [diff]
swtpm: Use uint64_t in tlv_data_append() to avoid integer overflows

Instead of uint32_t use uint64_t's for accumulating needed buffer sizes
that are calculated by adding uint32_t length indicators. Use the uint64_t
to check for excessively large buffer sizes that could cause an integer
overflow if uint32_t was used.

This patch addresses the case where a user passes an old version of TPM
state file to swtpm for reading and the file is 4GB in size and thus can
cause an integer overflow in this particular function.

Otherwise, the previous fix to tlv_data_find_tag() protects swtpm from
integer overflows and later out-of-bound accesses when the TPM state is
initially read from a file (assuming the state file has a header, which
is the case since swtpm 0.1). If an excessively large buffer was passed
to libtpms, it would reject it since it would never be able to take in
that much data.

Data written to the file are coming from libtpms that we can trust in
terms of length indicators.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
1 file changed
tree: 81a7102224cfca90a7f7adab664caa61c58acff3
  1. .github/
  2. debian/
  3. etc/
  4. include/
  5. man/
  6. samples/
  7. src/
  8. tests/
  9. .gitignore
  10. .travis.yml
  11. autogen.sh
  12. CHANGES
  13. configure.ac
  14. COPYING
  15. DCO1.1.txt
  16. INSTALL
  17. LICENSE
  18. Makefile.am
  19. README
  20. run_tests
  21. swtpm.spec
  22. swtpm.spec.in
  23. TODO