Use After Free in Context::start_auth_session

Main / Use After Free in Context::start_auth_session

Discription

### Impact

**This issue only applies to applications starting authorization sessions using an explicit initial `nonce`.**

When [`Context::start_auth_session`](https://docs.rs/tss-esapi/7.0.1/tss_esapi/struct.Context.html#method.start_auth_session) was called with a `nonce` argument value of `Some(…)`, the nonce pointer passed down through FFI to `Esys_StartAuthSession` would be a dangling pointer, left over from a defunct instance of `TPM2B_NONCE`. This could lead to an incorrect value being used as a nonce, though whether that value is controllable is unclear (so should be assumed as possible). The error became apparent due to changes in v1.61.0 of the Rust compiler.

Logs indicating a failure due to this issue (with the 1.61.0 version of the Rust toolchain) look as follows:
“`
2022-05-24T01:04:41.9131341Z WARNING:esys:src/tss2-esys/api/Esys_StartAuthSession.c:390:Esys_StartAuthSession_Finish() Received TPM Error
2022-05-24T01:04:41.9132192Z ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:136:Esys_StartAuthSession() Esys Finish ErrorCode (0x000001d5)
2022-05-24T01:04:41.9145124Z [2022-05-24T01:04:41Z ERROR tss_esapi::context::tpm_commands::session_commands] Error when creating a session: structure is the wrong size (associated with parameter number 1)
2022-05-24T01:04:41.9153816Z thread ‘main’ panicked at ‘Call to start_auth_session failed: Tss2Error(FormatOne(FormatOneResponseCode { .0: 469, error_number: 21, parameter: true, format_selector: true, number: 1 }))’, tss-esapi/tests/integration_tests/context_tests/tpm_commands/enhanced_authorization_ea_commands_tests.rs:870:14
“`

### Patches
The issue has been patched in versions 6 and 7 of the `tss-esapi` crate. Please update to `7.1.0` or `6.1.2`.

### Workarounds
There is no workaround that achieves the same functionality.

### References
For more information on the cause of the issue and the fix, see [this](https://github.com/parallaxsecond/rust-tss-esapi/pull/344) PR.

For more details about the `TPM2_StartAuthSession` command see section 11.1 of [the TPM spec, part 3](https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part3_Commands_pub.pdf), and section 19.6.3 of [part 1 of the same spec](https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part1_Architecture_pub.pdf) for more information regarding session nonces.

### For more information
If you have any questions or comments about this advisory:
* Open an issue or discussion in [our repo](https://github.com/parallaxsecond/rust-tss-esapi)
* Get in touch on [our Slack channel](https://github.com/parallaxsecond/community#community-channel)Read More

References

Back to Main

Subscribe for the latest news: