Conversion from tss-esapi native buffer type into the corresponding tss-esapi-sys TSS type can panic

[clauverjat]

Hello,

I identified native buffer types whose MAX_SIZE is larger than the buffer size of corresponding TSS types (TPM2B). This is an issue because the infallible conversion From<$native_type> for $tss_type is implemented. When the native buffer is too big, the conversion method panics.

Affected buffer types are :

• IdObject / TPM2B_ID_OBJECT
• SensitiveData / TPM2B_SENSITIVE_DATA

Example of code that triggers the issue :

#!/usr/bin/env cargo-eval

//! ```cargo
//! [dependencies]
//! tss-esapi = { version = "7.5.1" }
//! ```

use tss_esapi::structures::IdObject;
use tss_esapi::tss2_esys::TPM2B_ID_OBJECT;
use std::hint::black_box;

fn main() {
    // IdObject::MAX_SIZE: usize = 256usize
    let id_object = IdObject::try_from(vec![0u8; IdObject::MAX_SIZE]).expect("this works");
    //
    // #[repr(C)]
    // pub struct TPM2B_ID_OBJECT {
    //     pub size: UINT16,
    //     pub credential: [BYTE; 132],
    // }
    //
    // The following conversion causes 
    // thread 'main' panicked at /home/vscode/.cargo/registry/src/i.8713187.xyz-1ecc6299db9ec823/tss-esapi-7.5.1/src/structures/buffers.rs:185:5:
    // range end index 256 out of range for slice of length 132
    let buffer_id_object: TPM2B_ID_OBJECT = id_object.into();
    black_box(buffer_id_object);
}

Security concerns

An unexpected panic can cause a program to abort unexpectedly, potentially leading to a denial of service (DoS) vulnerability. However in this context, it is unlikely that the affected buffers are untrusted, so I don't think there is much of a security concern.

[Superhepper]

Thank you for reporting this! I will have a look at it as soon as I can.

[Superhepper]

You are absolutely right.

• From Trusted Platform Module Librarym Part2: Structures, Family 2.0, Level 00 Revision 1.59*

union TPMU_HA
{
BYTE sha[20]
BYTE sha1[20]
BYTE sha256[32]
BYTE sha384[48]
BYTE sha512[64]
BYTE sm3_256[32usize]
}

struct TPM2B_DIGEST
{
UINT16 size // 2
BYTE buffer[sizeof(TPMU_HA)] // sizeof(TPMU_HA) // 64
}

struct TPMS_ID_OBJECT
{
TPM2B_DIGEST integrityHMAC // sizeof(TPM2B_DIGEST) // 66
TPM2B_DIGEST encIdentity // sizeof(TPM2B_DIGEST) // 66
}

struct TPM2B_ID_OBJECT
{
U16 SIZE, // 2
BYTE buffer [sizeof(TPMS_ID_OBJECT] // 132
}

I will start working on this as soon as I get the chance.