tpm2-software · AndreasFuchsTPM · Apr 26, 2024 · Oct 31, 2023 · Apr 26, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,13 +3,13 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 
-## [4.1.0-rc1] - 2024-04-24
+## [4.1.0] - 2024-04-26
+### Security
+- Fixed CVE-2024-29040
+
 ### Fixed
 - fapi: Fix length check on FAPI auth callbacks
 - mu: Correct error message for errors
-
-## [4.1.0_rc0] - 2024-03-26
-### Fixed
 - tss2-rc: fix unknown laer handler dropping bits.
 - fapi: Fix deviation from CEL specification (template_value was used instead of template_data).
 - fapi: Fix json syntax error in FAPI profiles which was ignored by json-c.

diff --git a/src/tss2-fapi/api/Fapi_VerifyQuote.c b/src/tss2-fapi/api/Fapi_VerifyQuote.c
@@ -289,6 +289,11 @@ Fapi_VerifyQuote_Finish(
                                      &command->fapi_quote_info);
             goto_if_error(r, "Get quote info.", error_cleanup);
 
+            if (command->fapi_quote_info.attest.magic != TPM2_GENERATED_VALUE) {
+                goto_error(r, TSS2_FAPI_RC_SIGNATURE_VERIFICATION_FAILED,
+                           "Attest without TPM2 generated value", error_cleanup);
+            }
+
             /* Verify the signature over the attest2b structure. */
             r = ifapi_verify_signature_quote(&key_object,
                                              command->signature,

diff --git a/src/tss2-fapi/tpm_json_deserialize.c b/src/tss2-fapi/tpm_json_deserialize.c
@@ -698,6 +698,7 @@ ifapi_json_TPM2_GENERATED_deserialize(json_object *jso, TPM2_GENERATED *out)
     const char *s = json_object_get_string(jso);
     const char *str = strip_prefix(s, "TPM_", "TPM2_", "GENERATED_", NULL);
     LOG_TRACE("called for %s parsing %s", s, str);
+    TSS2_RC r;
 
     if (str) {
         for (size_t i = 0; i < sizeof(tab) / sizeof(tab[0]); i++) {
@@ -707,8 +708,14 @@ ifapi_json_TPM2_GENERATED_deserialize(json_object *jso, TPM2_GENERATED *out)
             }
         }
     }
-
-    return ifapi_json_UINT32_deserialize(jso, out);
+    r = ifapi_json_UINT32_deserialize(jso, out);
+    return_if_error(r, "Could not deserialize UINT32");
+    if (*out != TPM2_GENERATED_VALUE) {
+        return_error2(TSS2_FAPI_RC_BAD_VALUE,
+                      "Value %x not equal TPM self generated value %x",
+                      *out, TPM2_GENERATED_VALUE);
+    }
+    return TSS2_RC_SUCCESS;
 }
 
 /** Deserialize a TPM2_ALG_ID json object.

diff --git a/src/tss2-mu/tpms-types.c b/src/tss2-mu/tpms-types.c
@@ -22,6 +22,27 @@
 #define VAL
 #define TAB_SIZE(tab) (sizeof(tab) / sizeof(tab[0]))
 
+static TSS2_RC
+TPM2_GENERATED_Unmarshal(
+    uint8_t const   buffer[],
+    size_t          buffer_size,
+    size_t         *offset,
+    TPM2_GENERATED *magic)
+{
+    TPM2_GENERATED mymagic = 0;
+    TSS2_RC rc = Tss2_MU_UINT32_Unmarshal(buffer, buffer_size, offset, &mymagic);
+    if (rc != TSS2_RC_SUCCESS) {
+        return rc;
+    }
+    if (mymagic != TPM2_GENERATED_VALUE) {
+        LOG_ERROR("Bad magic in tpms_attest");
+        return TSS2_SYS_RC_BAD_VALUE;
+    }
+    if (magic != NULL)
+        *magic = mymagic;
+    return TSS2_RC_SUCCESS;
+}
+
 #define TPMS_PCR_MARSHAL(type, firstFieldMarshal) \
 TSS2_RC \
 Tss2_MU_##type##_Marshal(const type *src, uint8_t buffer[], \
@@ -1219,7 +1240,7 @@ TPMS_MARSHAL_7_U(TPMS_ATTEST,
                  attested, ADDR, Tss2_MU_TPMU_ATTEST_Marshal)
 
 TPMS_UNMARSHAL_7_U(TPMS_ATTEST,
-                   magic, Tss2_MU_UINT32_Unmarshal,
+                   magic, TPM2_GENERATED_Unmarshal,
                    type, Tss2_MU_TPM2_ST_Unmarshal,
                    qualifiedSigner, Tss2_MU_TPM2B_NAME_Unmarshal,
                    extraData, Tss2_MU_TPM2B_DATA_Unmarshal,