3 changes: 2 additions & 1 deletion src/tpm2.c
Expand Up @@ -5866,7 +5866,8 @@ int TPM2_GetNonceNoLock(byte* nonceBuf, int nonceSz)
}

TPM2_Packet_ParseU16(&packet, &outSz);
if (outSz > MAX_RNG_REQ_SIZE) {
if (outSz == 0 || outSz > MAX_RNG_REQ_SIZE ||
outSz > (UINT16)(nonceSz - randSz)) {
#ifdef DEBUG_WOLFTPM
printf("TPM2_GetNonce out size error\n");
#endif
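Review bot: The cast in `outSz > (UINT16)(nonceSz - randSz)` truncates the remaining space to 16 bits, so a remaining length of 65536 or more wraps to a small value and a well-formed response is rejected as an out-size error. `nonceSz` is an `int` in the signature and `randSz` is declared outside the hunk (presumably also `int`), so comparing in the wider type avoids the wrap: `(int)outSz > (nonceSz - randSz)`. The new `outSz == 0` test has no comment; if it is there to stop a zero-length reply from stalling the fill loop, which is not visible here, say so in a one-line comment above the condition. TPM2_GetNonceNoLock starts and ends outside the hunk.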
2 changes: 1 addition & 1 deletion src/tpm2_swtpm.c
Expand Up @@ -260,7 +260,7 @@ static TPM_RC SwTpmDisconnect(TPM2_CTX* ctx)
*/
int TPM2_SWTPM_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet)
{
int rc = TPM_RC_FAILURE;
int rc = TPM_RC_SUCCESS;
int rspSz = 0;
uint32_t tss_word;

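Review bot: Initialising `rc` to `TPM_RC_SUCCESS` in TPM2_SWTPM_SendCommand makes the function fail open: any path that reaches the return without assigning `rc` now reports success for a command that may never have been sent or answered. The body continues outside the hunk, so whether such a path exists cannot be confirmed from here. If the change was needed because a later `if (rc == TPM_RC_SUCCESS)` chain was being skipped, keeping `int rc = TPM_RC_FAILURE;` and assigning success where the first step completes preserves the fail-closed default. Otherwise add a comment on the declaration naming the assignment that every path is guaranteed to reach.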
54 changes: 49 additions & 5 deletions src/tpm2_wrap.c
Expand Up @@ -540,6 +540,14 @@ int wolfTPM2_SetKeyBlobFromBuffer(WOLFTPM2_KEYBLOB* key, byte *buffer,
runner += sizeof(key->pub.size);
done_reading += sizeof(key->pub.size);

if (key->pub.size > sizeof(pubAreaBuffer) - sizeof(UINT16)) {
#ifdef DEBUG_WOLFTPM
printf("Public key size too large (%d > %d)\n",
key->pub.size, (int)(sizeof(pubAreaBuffer) - sizeof(UINT16)));
#endif
return BUFFER_E;
}

if (bufferSz < done_reading + sizeof(UINT16) + key->pub.size) {
#ifdef DEBUG_WOLFTPM
printf("Buffer size check failed (%d)\n", bufferSz);
Expand Down Expand Up @@ -569,6 +577,14 @@ int wolfTPM2_SetKeyBlobFromBuffer(WOLFTPM2_KEYBLOB* key, byte *buffer,
runner += sizeof(key->priv.size);
done_reading += sizeof(key->priv.size);

if (key->priv.size > sizeof(key->priv.buffer)) {
#ifdef DEBUG_WOLFTPM
printf("Private key size too large (%d > %d)\n",
key->priv.size, (int)sizeof(key->priv.buffer));
#endif
return BUFFER_E;
}

if (bufferSz < done_reading + key->priv.size) {
#ifdef DEBUG_WOLFTPM
printf("Buffer size check failed (%d)\n", bufferSz);
Expand Down Expand Up @@ -1032,7 +1048,7 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
{
const TPM2B_AUTH* auth = NULL;
const TPM2B_NAME* name = NULL;
if (dev == NULL || index >= MAX_SESSION_NUM) {
if (dev == NULL || index < 0 || index >= MAX_SESSION_NUM) {
return BAD_FUNC_ARG;
}

Expand Down Expand Up @@ -1064,7 +1080,10 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
XMEMCPY(&session->auth.buffer[authDigestSz], handle->auth.buffer,
handle->auth.size);
session->name.size = handle->name.size;
XMEMCPY(session->name.name, handle->name.name, handle->name.size);
if (session->name.size > sizeof(session->name.name)) {
session->name.size = sizeof(session->name.name);
}
XMEMCPY(session->name.name, handle->name.name, session->name.size);
return TPM_RC_SUCCESS;
}
auth = &handle->auth;
Expand All @@ -1079,7 +1098,7 @@ int wolfTPM2_SetAuthHandleName(WOLFTPM2_DEV* dev, int index,
const TPM2B_NAME* name = NULL;
TPM2_AUTH_SESSION* session;

if (dev == NULL || handle == NULL || index >= MAX_SESSION_NUM) {
if (dev == NULL || handle == NULL || index < 0 || index >= MAX_SESSION_NUM) {
return BAD_FUNC_ARG;
}

Expand Down Expand Up @@ -1136,7 +1155,7 @@ int wolfTPM2_SetAuthSession(WOLFTPM2_DEV* dev, int index,
{
int rc;

if (dev == NULL || index >= MAX_SESSION_NUM) {
if (dev == NULL || index < 0 || index >= MAX_SESSION_NUM) {
return BAD_FUNC_ARG;
}

Expand Down Expand Up @@ -1596,6 +1615,8 @@ static int wolfTPM2_EncryptSecret_RSA(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* tpm

wc_FreeRsaKey(&rsaKey);
wc_FreeRng(&rng);
TPM2_ForceZero(&rsaKey, sizeof(rsaKey));
TPM2_ForceZero(&rng, sizeof(rng));

if (rc > 0) {
rc = (rc == secret->size) ? 0 /* success */ : BUFFER_E /* fail */;
Expand Down Expand Up @@ -2939,6 +2960,9 @@ int wolfTPM2_ImportEccPrivateKeySeed(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* pare
if (rc == 0) {
rc = wolfTPM2_ImportPrivateKey(dev, parentKey, keyBlob, &pub, &sens);
}

TPM2_ForceZero(&sens, sizeof(sens));

return rc;
}

Expand Down Expand Up @@ -3684,6 +3708,10 @@ int wolfTPM2_CreateRsaKeyBlob(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* parentKey,
/* not used */
(void)p;

TPM2_ForceZero(d, sizeof(d));
TPM2_ForceZero(p, sizeof(p));
TPM2_ForceZero(q, sizeof(q));

return rc;
}

Expand Down Expand Up @@ -3728,6 +3756,10 @@ int wolfTPM2_RsaKey_WolfToTpm_ex(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* parentKe

/* not used */
(void)p;

TPM2_ForceZero(d, sizeof(d));
TPM2_ForceZero(p, sizeof(p));
TPM2_ForceZero(q, sizeof(q));
}
else {
/* export the raw public RSA portion */
Expand Down Expand Up @@ -3911,6 +3943,8 @@ int wolfTPM2_CreateEccKeyBlob(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* parentKey,
qx, qxSz, qy, qySz, d, dSz);
}

TPM2_ForceZero(d, sizeof(d));

return rc;
}

Expand Down Expand Up @@ -3986,6 +4020,8 @@ int wolfTPM2_EccKey_WolfToTpm_ex(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* parentKey,
rc = wolfTPM2_LoadEccPrivateKey(dev, parentKey, tpmKey, curve_id,
qx, qxSz, qy, qySz, d, dSz);
}

TPM2_ForceZero(d, sizeof(d));
}
else {
/* export the raw public ECC portion */
Expand Down Expand Up @@ -5231,6 +5267,10 @@ int wolfTPM2_NVReadCert(WOLFTPM2_DEV* dev, TPM_HANDLE handle,
WOLFTPM2_NV nv;
TPMS_NV_PUBLIC nvPublic;

if (len == NULL) {
return BAD_FUNC_ARG;
}

XMEMSET(&nvPublic, 0, sizeof(nvPublic));
XMEMSET(&nv, 0, sizeof(nv));

Expand Down Expand Up @@ -5530,7 +5570,7 @@ int wolfTPM2_GetRandom(WOLFTPM2_DEV* dev, byte* buf, word32 len)
}

sz = out.randomBytes.size; /* use actual returned size */
if (sz > MAX_RNG_REQ_SIZE) {
if (sz == 0 || sz > MAX_RNG_REQ_SIZE || sz > (len - pos)) {
#ifdef DEBUG_WOLFTPM
printf("wolfTPM2_GetRandom out size error\n");
#endif
Expand Down Expand Up @@ -5857,6 +5897,8 @@ int wolfTPM2_LoadSymmetricKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key, int alg,

exit:

TPM2_ForceZero(&loadExtIn, sizeof(loadExtIn));

if (rc != TPM_RC_SUCCESS) {
#ifdef DEBUG_WOLFTPM
printf("TPM2_LoadExternal: failed %d: %s\n",
Expand Down Expand Up @@ -6097,6 +6139,8 @@ int wolfTPM2_LoadKeyedHashKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
(word32)key->handle.hndl);
#endif

TPM2_ForceZero(&createIn, sizeof(createIn));

return rc;
}

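Review bot: In the wolfTPM2_SetAuthHandle hunk the oversized-name case is clamped silently: `session->name.size` is cut to `sizeof(session->name.name)` and a truncated name is copied, so the session carries a name that no longer matches the handle while the call still returns `TPM_RC_SUCCESS`. Rejecting the input keeps the failure at its source: `if (handle->name.size > sizeof(session->name.name)) return BUFFER_E;` placed before `session->name.size = handle->name.size;`, consistent with the `BUFFER_E` returns added in wolfTPM2_SetKeyBlobFromBuffer. The `XMEMCPY` into `&session->auth.buffer[authDigestSz]` just above copies `handle->auth.size` bytes with no bound visible in the hunk. The function starts outside the hunk, so confirm that `authDigestSz + handle->auth.size` is checked against the destination size earlier.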