Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add ComputeAuthTimeout expiry overflow reproducer #261

Open
wants to merge 4 commits into
base: master
Choose a base branch
from

Conversation

alexmwu
Copy link
Contributor

@alexmwu alexmwu commented Aug 20, 2021

(Split off from #237 to allow merging the new functionality in)

The Microsoft TPM2 and IBM SW TPM simulator both use an absolute
value method of expiration = -expiration in ComputeAuthTimeout.

As abs(min Int32) cannot be represented an an int32, this expression evaluates to min Int32.

See https://github.com/microsoft/ms-tpm-20-ref/blob/b94f9f92c579b723a16be72a69efbbf9c35ce44e/TPMCmd/tpm/src/command/EA/Policy_spt.c#L189

The function goes on to cast expiration to UINT64. This can either
be sign-extended or zero-extended, which is undefined behavior.

alexmwu added 4 commits April 15, 2021 10:58
Some functions in tpm2 expect an encoded TPMT_SIGNATURE.
Here, we add an Encode method on the Signature type
to support these functions.
Add the ability to call TPM2_PolicySigned, and add PolicySigned
test to verify correct behavior given different expiration values.
The Microsoft TPM2 and IBM SW TPM simulator both use an absolute
value method of `expiration = -expiration` in ComputeAuthTimeout.

As abs(Int32Min) cannot be represented
an an int32, this expression evaluates to Int32Min.

See https://github.com/microsoft/ms-tpm-20-ref/blob/b94f9f92c579b723a16be72a69efbbf9c35ce44e/TPMCmd/tpm/src/command/EA/Policy_spt.c#L189

The function goes on to cast expiration to UINT64. This can either
be sign-extended or zero-extended, which is undefined behavior.
If it is sign-extended, this carries the negative bit to create a
large number (9.22 e+18 ms ~ 292471140.58 years).
If it is zero-extended, this results in 2147483648000 ms ~ 68.1 years.

Also, enable non-zero expirations on TestPolicySecret
The TPM2.0 spec, Revision 1.16, states that TPM2_PolicySecret
doesn't return a timeout/ticket for a nonzero expiration
without a nonce.
Separate revisions of the TPM spec treat
expirations and nonces differently.
Revision 1.16 requires a nonce with non-zero
expiration while 1.59 does not. For the
ComputeAuthTimeout test, we need empty
nonces and expiration == min int32
to test properly.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant