tpm2_checkquote: Fix check of magic number.
It was not checked whether the magic number in the
attest is equal to TPM2_GENERATED_VALUE.
So a malicious attacker could generate arbitrary quote data
which was not detected by tpm2 checkquote.

Fixes: CVE-2024-29038

Signed-off-by: Juergen Repp <[email protected]>
JuergenReppSIT authored and AndreasFuchsTPM committed Apr 26, 2024
1 parent 3f4d8ab commit 49b5f95
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions tools/misc/tpm2_checkquote.c
Expand Up @@ -159,6 +159,13 @@ static bool verify(void) {
goto err;
}

// check magic
if (ctx.attest.magic != TPM2_GENERATED_VALUE) {
LOG_ERR("Bad magic, got: 0x%x, expected: 0x%x",
ctx.attest.magic, TPM2_GENERATED_VALUE);
return false;
}

// Also ensure digest from quote matches PCR digest
if (ctx.flags.pcr) {
if (!tpm2_util_verify_digests(&ctx.attest.attested.quote.pcrDigest,
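
Review bot: The new magic check exits with `return false;` while the failure path directly above it in verify() uses `goto err;`, so whatever cleanup or common error handling sits under the `err` label is skipped on this path. Suggest using `goto err;` here for consistency, unless the label does nothing that applies at this point. Separately, the lines that follow read `ctx.attest.attested.quote.pcrDigest`, a quote-specific member; if the attest type is not already validated elsewhere in verify(), it would be worth checking it next to the magic so that a non-quote structure is rejected as well. A regression test that feeds a quote with an altered magic value would keep this check from being dropped later.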