tpm2_checkquote: Fix check of magic number.

It was not checked whether the magic number in the attest is equal to TPM2_GENERATED_VALUE. So an malicious attacker could generate arbitrary quote data which was not detected by tpm2 checkquote. Fixes: CVE-2024-29038 Signed-off-by: Juergen Repp <juergen_repp@web.de>
tpm2-software · Apr 26, 2024 · 0b754c6 · 0b754c6
1 parent 2d07610
commit 0b754c6
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
@@ -159,6 +159,13 @@ static bool verify(void) {
         goto err;
     }
 
+    // check magic
+    if (ctx.attest.magic != TPM2_GENERATED_VALUE) {
+        LOG_ERR("Bad magic, got: 0x%x, expected: 0x%x",
+                ctx.attest.magic, TPM2_GENERATED_VALUE);
+        return false;
+    }
+
     // Also ensure digest from quote matches PCR digest
     if (ctx.flags.pcr) {
         if (!tpm2_util_verify_digests(&ctx.attest.attested.quote.pcrDigest,