Fix invalid slice access in validateAk (#437)

Otto Bittner 2022-11-03 09:57:59 +01:00 committed by GitHub
parent 1f9a788c21
commit 0887bc540f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -275,6 +275,9 @@ func (a *azureInstanceInfo) validateAk(runtimeDataRaw []byte, reportData []byte,
} }
sum := sha256.Sum256(runtimeDataRaw) sum := sha256.Sum256(runtimeDataRaw)
if len(reportData) < len(sum) {
return fmt.Errorf("reportData has unexpected size: %d", len(reportData))
}
if !bytes.Equal(sum[:], reportData[:len(sum)]) { if !bytes.Equal(sum[:], reportData[:len(sum)]) {
return errors.New("unexpected runtimeData digest in TPM") return errors.New("unexpected runtimeData digest in TPM")
} }
@ -284,7 +287,7 @@ func (a *azureInstanceInfo) validateAk(runtimeDataRaw []byte, reportData []byte,
} }
rawN, err := base64.RawURLEncoding.DecodeString(runtimeData.Keys[0].N) rawN, err := base64.RawURLEncoding.DecodeString(runtimeData.Keys[0].N)
if err != nil { if err != nil {
return err return fmt.Errorf("decoding modulus string: %w", err)
} }
if !bytes.Equal(rawN, rsaParameters.ModulusRaw) { if !bytes.Equal(rawN, rsaParameters.ModulusRaw) {
return fmt.Errorf("unexpected modulus value in TPM") return fmt.Errorf("unexpected modulus value in TPM")
@ -292,7 +295,7 @@ func (a *azureInstanceInfo) validateAk(runtimeDataRaw []byte, reportData []byte,
rawE, err := base64.RawURLEncoding.DecodeString(runtimeData.Keys[0].E) rawE, err := base64.RawURLEncoding.DecodeString(runtimeData.Keys[0].E)
if err != nil { if err != nil {
return err return fmt.Errorf("decoding exponent string: %w", err)
} }
paddedRawE := make([]byte, 4) paddedRawE := make([]byte, 4)
copy(paddedRawE, rawE) copy(paddedRawE, rawE)
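Review bot: An unchecked length of the same kind remains at `copy(paddedRawE, rawE)` in the last hunk: `copy` silently stops at four bytes, so a decoded exponent longer than the buffer is truncated rather than rejected, and whatever consumes paddedRawE afterwards (outside the hunk) sees only its first four bytes. Since rawE is decoded from runtimeData, the same input whose digest is guarded in the first hunk, I would reject oversize values before the copy: `if len(rawE) > len(paddedRawE) { return fmt.Errorf("exponent has unexpected size: %d", len(rawE)) }`. The `runtimeData.Keys[0]` accesses in the second and third hunks also depend on Keys being non-empty; that check presumably sits above the visible lines and is worth confirming. validateAk begins and ends outside these hunks.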