FAPI: Fix check of magic number in verify quote.

After deserializing the quote info it was not checked whether
the magic number in the attest is equal TPM2_GENERATED_VALUE.
So an malicious attacker could generate arbitrary quote data
which was not detected by Fapi_VerifyQuote.
Now the number magic number is checket in verify quote and also
in the deserialization of TPM2_GENERATED.
The check is also added to the Unmarshal function for TPMS_ATTEST.

Fixes: CVE-2024-29040

Signed-off-by: Juergen Repp <[email protected]>
Signed-off-by: Andreas Fuchs <[email protected]>

Author: JuergenReppSIT

src/tss2-fapi/api/Fapi_VerifyQuote.c

@@ -287,6 +287,11 @@ Fapi_VerifyQuote_Finish(
                                      &command->fapi_quote_info);
             goto_if_error(r, "Get quote info.", error_cleanup);
 
+            if (command->fapi_quote_info.attest.magic != TPM2_GENERATED_VALUE) {
+                goto_error(r, TSS2_FAPI_RC_SIGNATURE_VERIFICATION_FAILED,
+                           "Attest without TPM2 generated value", error_cleanup);
+            }
+
             /* Verify the signature over the attest2b structure. */
             r = ifapi_verify_signature_quote(&key_object,
                                              command->signature,

src/tss2-fapi/tpm_json_deserialize.c

@@ -715,6 +715,7 @@ ifapi_json_TPM2_GENERATED_deserialize(json_object *jso, TPM2_GENERATED *out)
     const char *s = json_object_get_string(jso);
     const char *str = strip_prefix(s, "TPM_", "TPM2_", "GENERATED_", NULL);
     LOG_TRACE("called for %s parsing %s", s, str);
+    TSS2_RC r;
 
     if (str) {
         for (size_t i = 0; i < sizeof(tab) / sizeof(tab[0]); i++) {
@@ -724,8 +725,14 @@ ifapi_json_TPM2_GENERATED_deserialize(json_object *jso, TPM2_GENERATED *out)
             }
         }
     }
-
-    return ifapi_json_UINT32_deserialize(jso, out);
+    r = ifapi_json_UINT32_deserialize(jso, out);
+    return_if_error(r, "Could not deserialize UINT32");
+    if (*out != TPM2_GENERATED_VALUE) {
+        return_error2(TSS2_FAPI_RC_BAD_VALUE,
+                      "Value %x not equal TPM self generated value %x",
+                      *out, TPM2_GENERATED_VALUE);
+    }
+    return TSS2_RC_SUCCESS;
 }
 
 /** Deserialize a TPM2_ALG_ID json object.

src/tss2-mu/tpms-types.c

@@ -22,6 +22,27 @@
 #define VAL
 #define TAB_SIZE(tab) (sizeof(tab) / sizeof(tab[0]))
 
+static TSS2_RC
+TPM2_GENERATED_Unmarshal(
+    uint8_t const   buffer[],
+    size_t          buffer_size,
+    size_t         *offset,
+    TPM2_GENERATED *magic)
+{
+    TPM2_GENERATED mymagic = 0;
+    TSS2_RC rc = Tss2_MU_UINT32_Unmarshal(buffer, buffer_size, offset, &mymagic);
+    if (rc != TSS2_RC_SUCCESS) {
+        return rc;
+    }
+    if (mymagic != TPM2_GENERATED_VALUE) {
+        LOG_ERROR("Bad magic in tpms_attest");
+        return TSS2_SYS_RC_BAD_VALUE;
+    }
+    if (magic != NULL)
+        *magic = mymagic;
+    return TSS2_RC_SUCCESS;
+}
+
 #define TPMS_PCR_MARSHAL(type, firstFieldMarshal) \
 TSS2_RC \
 Tss2_MU_##type##_Marshal(const type *src, uint8_t buffer[], \
@@ -1227,7 +1248,7 @@ TPMS_MARSHAL_7_U(TPMS_ATTEST,
                  attested, ADDR, Tss2_MU_TPMU_ATTEST_Marshal)
 
 TPMS_UNMARSHAL_7_U(TPMS_ATTEST,
-                   magic, Tss2_MU_UINT32_Unmarshal,
+                   magic, TPM2_GENERATED_Unmarshal,
                    type, Tss2_MU_TPM2_ST_Unmarshal,
                    qualifiedSigner, Tss2_MU_TPM2B_NAME_Unmarshal,
                    extraData, Tss2_MU_TPM2B_DATA_Unmarshal,