A bug was discovered in the libtpms code that may cause access to a buffer beyond the boundary of the buffer or cause failures when trying to resume the state of the vTPM. The vulnerability can be triggered by specially-crafted TPM 2 command packets containing unacceptable/illegal values, and those values become an issue when the volatile state of the TPM 2 is marshalled/written or unmarshalled/read. In the former case this can lead to a buffer access beyond its boundary and in the latter case to refusal to accept the state blob due to an illegal value.

To the best of our knowledge, the buffer access beyond its boundaries case does NOT lead to code execution, and as such, any exploitation is likely limited to information leakage and/or denial-of-service (DoS), i.e. a crash. Further, an attacker must have (indirect or direct) access to call TPMLIB_VolatileAll_Store to exploit this flaw.

Upstream PR:
https://github.com/stefanberger/libtpms/pull/223

Upstream fix:
https://github.com/stefanberger/libtpms/commit/2f30d62
https://github.com/stefanberger/libtpms/commit/7981d9a
https://github.com/stefanberger/libtpms/commit/2e6173c
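The two failure modes described above (an over-read when illegal state is marshalled, a rejected blob when it is unmarshalled) are easier to see in a reduced model. The following is an added, constructed illustration of that bug class; it is not libtpms code and none of its names (`VolatileTable`, `TpmState`, `set_count_unchecked`, the `count`/`entries` layout) correspond to real libtpms identifiers. It keeps the over-read inside one enclosing object so the leak is well-defined and observable; in a real marshaller the same pattern is an out-of-bounds read.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the bug class, not libtpms code: a count in the
 * volatile state originates in TPM 2 command input and the marshaller
 * trusts it. All names and layouts are hypothetical. */

#define MAX_ENTRIES 4u

typedef struct {
    uint16_t count;                 /* number of valid entries; from command input */
    uint32_t entries[MAX_ENTRIES];  /* fixed-size backing array */
} VolatileTable;

/* Whatever follows the table in memory (other state, key material): an
 * over-read copies it into the state blob. */
typedef struct {
    VolatileTable table;
    uint8_t       secret[16];
} TpmState;

/* Bug class: the command handler stores an unchecked, attacker-chosen count. */
static void set_count_unchecked(TpmState *st, uint16_t count) { st->table.count = count; }

/* Fix at the source: reject the illegal value before it reaches state. */
static int set_count_checked(TpmState *st, uint16_t count) {
    if (count > MAX_ENTRIES) return -1;
    st->table.count = count;
    return 0;
}

/* Blob format: big-endian count, then count * 4 bytes of entries (native
 * order). Only the destination is bounds-checked; the source length is
 * derived from 'count', so count > MAX_ENTRIES reads past 'entries'. */
static int marshal_unsafe(const TpmState *st, uint8_t *buf, size_t buflen) {
    size_t n = (size_t)st->table.count * sizeof(uint32_t);
    /* Second check only keeps the demo inside TpmState (defined behaviour). */
    if (2 + n > buflen || offsetof(TpmState, table.entries) + n > sizeof *st) return -1;
    buf[0] = (uint8_t)(st->table.count >> 8);
    buf[1] = (uint8_t)(st->table.count & 0xff);
    memcpy(buf + 2, (const uint8_t *)st + offsetof(TpmState, table.entries), n);
    return (int)(2 + n);
}

/* Hardened marshaller: refuse to write state that is already illegal. */
static int marshal_safe(const TpmState *st, uint8_t *buf, size_t buflen) {
    if (st->table.count > MAX_ENTRIES) return -1;
    return marshal_unsafe(st, buf, buflen);
}

/* Unmarshaller: an illegal count in a saved blob is rejected, which is the
 * "refusal to resume the vTPM state" failure mode from the report. */
static int unmarshal(const uint8_t *buf, size_t len, VolatileTable *out) {
    if (len < 2) return -1;
    uint16_t count = (uint16_t)((buf[0] << 8) | buf[1]);
    if (count > MAX_ENTRIES || len < 2 + (size_t)count * 4) return -1;
    memset(out, 0, sizeof *out);
    out->count = count;
    memcpy(out->entries, buf + 2, (size_t)count * 4);
    return 0;
}

static void sample_state(TpmState *st) {
    memset(st, 0, sizeof *st);
    for (unsigned i = 0; i < MAX_ENTRIES; i++) st->table.entries[i] = 0x11111111u * (i + 1);
    memset(st->secret, 0xA5, sizeof st->secret);   /* constructed "secret" pattern */
    st->table.count = MAX_ENTRIES;
}

/* How many bytes of 'secret' land in the blob when a crafted count of 6
 * (two past the array) is accepted and then marshalled. */
int leaked_secret_bytes(void) {
    TpmState st; uint8_t blob[64]; VolatileTable back;
    sample_state(&st);
    set_count_unchecked(&st, 6);
    int len = marshal_unsafe(&st, blob, sizeof blob);
    if (len < 0) return -1;
    if (unmarshal(blob, (size_t)len, &back) == 0) return -2;  /* blob must be refused */
    size_t legit = 2 + sizeof st.table.entries;
    int leaked = 0;
    for (size_t i = legit; i < (size_t)len; i++)
        if (blob[i] == st.secret[i - legit]) leaked++;
    return leaked;
}

/* 1 if every hardened path rejects the crafted value and legal state still round-trips. */
int hardened_rejects(void) {
    TpmState st; uint8_t blob[64]; VolatileTable back;
    sample_state(&st);
    int a = set_count_checked(&st, 6) == -1;        /* rejected at the command */
    set_count_unchecked(&st, 6);                     /* pretend it got in anyway */
    int b = marshal_safe(&st, blob, sizeof blob) == -1;
    st.table.count = MAX_ENTRIES;
    int len = marshal_safe(&st, blob, sizeof blob);
    int c = len == (int)(2 + sizeof st.table.entries) && unmarshal(blob, (size_t)len, &back) == 0 &&
            back.count == MAX_ENTRIES && memcmp(back.entries, st.table.entries, sizeof back.entries) == 0;
    return a && b && c;
}

int main(void) {
    printf("secret bytes leaked by unchecked path: %d\n", leaked_secret_bytes());
    printf("hardened paths behave correctly: %d\n", hardened_rejects());
    return 0;
}
```

The point of the model is the check placement: validating the value where the command is accepted stops the illegal state from ever existing, and validating again in the marshaller turns a silent over-read into a clean error. The unmarshaller already rejects the bad blob, which is exactly why the affected path shows up as a failure to resume rather than as corruption.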
Created libtpms tracking bugs for this issue:

Affects: fedora-all [bug 1976811]
This bug was fixed a while ago. I think this bugzilla can be closed.