{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":95808220,"defaultBranch":"main","name":"ms-tpm-20-ref","ownerLogin":"microsoft","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2017-06-29T18:36:47.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/6154722?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1709917839.0","currentOid":""},"activityList":{"items":[{"before":"c3c41c0e007186a274c2edaf5fee7afabb92a900","after":"e9fc7b89d865536c46deb63f9c7d0121a3ded49c","ref":"refs/heads/main","pushedAt":"2023-10-17T15:22:59.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"bradlitterell","name":"Brad Litterell","path":"/bradlitterell","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/49081806?s=80&v=4"},"commit":{"message":"Fix conflicting types for `ReadVarBytes`. (#102)\n\nUpdates Simulator_fp.h to match TcpServer.c declaration.","shortMessageHtmlLink":"Fix conflicting types for ReadVarBytes. 
(#102)"}},{"before":"f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6","after":"c3c41c0e007186a274c2edaf5fee7afabb92a900","ref":"refs/heads/main","pushedAt":"2023-09-18T16:53:53.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"bradlitterell","name":"Brad Litterell","path":"/bradlitterell","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/49081806?s=80&v=4"},"commit":{"message":"fix integer overflow in ReadVarBytes (#100)\n\n* fix integer overflow in ReadVarBytes by changing to uint32_t as originally intended.","shortMessageHtmlLink":"fix integer overflow in ReadVarBytes (#100)"}},{"before":"6b72d6690d830ed282c8b8a32e12a638fd0dc19a","after":"f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6","ref":"refs/heads/main","pushedAt":"2023-03-16T05:42:55.036Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"bradlitterell","name":"Brad Litterell","path":"/bradlitterell","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/49081806?s=80&v=4"},"commit":{"message":"Properly handle requests larger than INT32_MAX (#91)\n\nExecuteCommand() is passed the request length as an unsigned 32-bit\r\ninteger, but then immediately assigns it to command.parameterSize, which\r\nis a signed 32-bit integer. Therefore, if requestSize is greater than\r\nINT32_MAX, command.parameterSize will become negative.\r\n\r\nTPMI_ST_COMMAND_TAG_Unmarshal will subtract 2 from command.parameterSize\r\nand fail if the result is negative. If command.parameterSize is between\r\nINT32_MIN+2 and 1 (inclusive), subtracting 2 from it will result in a\r\nnegative value, causing TPMI_ST_COMMAND_TAG_Unmarshal to fail and the\r\nTPM to (correctly) reject the request. However, if requestSize is\r\nINT32_MAX+1 or INT32_MAX+2, command.parameterSize will be INT32_MIN or\r\nINT32_MIN+1 respectively. Subtracting 2 will then result in an integer\r\noverflow, which is undefined behavior. 
If the overflow wraps (either by\r\nchance or because of compiler options such as -fwrapv), the resulting\r\nlength will be INT32_MAX-1 or INT32_MAX respectively. These are\r\ncorrect, so the command will be processed correctly, almost certainly\r\nbeing rejected by the MAX_COMMAND_SIZE check.\r\n\r\nFurthermore, I do not believe any real TPM will accept requests this\r\nlarge. swtpm limits requests to 4096 bytes, and hardware TPMs are\r\nunlikely to have INT32_MAX bytes of RAM. Therefore, the overflow is\r\nlikely impossible to trigger. Even if it does get triggered, it is\r\nprobably harmless in practice. Therefore, I do not consider this to be\r\na security vulnerability.\r\n\r\nFix this problem by clamping requestSize to MAX_COMMAND_SIZE+1. Add a\r\npreprocessor conditional to check that MAX_COMMAND_SIZE+1 will be\r\nhandled correctly by both TpmFailureMode and the unmarshaling code.\r\nThis is not the most elegant fix, but it is correct and requires no\r\nchanges to the rest of the TPM.","shortMessageHtmlLink":"Properly handle requests larger than INT32_MAX (#91)"}},{"before":"9bdd9f0aaba5e54b3c314cfff02cf532281a067e","after":"6b72d6690d830ed282c8b8a32e12a638fd0dc19a","ref":"refs/heads/main","pushedAt":"2023-03-15T19:10:29.794Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"bradlitterell","name":"Brad Litterell","path":"/bradlitterell","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/49081806?s=80&v=4"},"commit":{"message":"Formatting fixes (#89)\n\nFix a -Werror=comment failure and avoid problems with git due to CRLF.\r\nAdds parentheses around macro parameters and wrap statement-like macros\r\nin a do-while loop to avoid dangling else problems. Fix the REQUIRE\r\nmacro so that expands to code that successfully compiles. 
Remove the\r\nVERIFY macro from TpmASN1.h, as VERIFY is already defined by GpMacros.h\r\nFinally, fix two typos in comments and reformat all code with\r\nclang-format, then work around two bugs in clang-format.","shortMessageHtmlLink":"Formatting fixes (#89)"}},{"before":"482aaafc0523bb94de203c4975f72f0230becec4","after":"9bdd9f0aaba5e54b3c314cfff02cf532281a067e","ref":"refs/heads/main","pushedAt":"2023-03-08T22:31:00.888Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"bradlitterell","name":"Brad Litterell","path":"/bradlitterell","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/49081806?s=80&v=4"},"commit":{"message":"Fix CryptParameterEncryption and CryptParameterDecryption\n\nResolves TPM v1.59 Errata 4.","shortMessageHtmlLink":"Fix CryptParameterEncryption and CryptParameterDecryption"}},{"before":"5c7941b246c2d38d75c3d91d36e1b792374019f1","after":"482aaafc0523bb94de203c4975f72f0230becec4","ref":"refs/heads/main","pushedAt":"2023-03-07T22:34:24.932Z","pushType":"pr_merge","commitsCount":5,"pusher":{"login":"bradlitterell","name":"Brad Litterell","path":"/bradlitterell","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/49081806?s=80&v=4"},"commit":{"message":"Normalize Format - Part 3 - Apply .clang-format","shortMessageHtmlLink":"Normalize Format - Part 3 - Apply .clang-format"}}],"hasNextPage":false,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAADmSHqBAA","startCursor":null,"endCursor":null}},"title":"Activity · microsoft/ms-tpm-20-ref"}