Impact
Following a successful CAPABILITIES response a libspdm Requester stores the Responder's CTExponent
into its context without validation. If the Requester sends a request message that requires
a cryptography operation by the Responder, such as CHALLENGE, libspdm will calculate the timeout value
using the Responder's unvalidated CTExponent.
((uint64_t)2 << context->connection_info.capability.ct_exponent)
If the value of CTExponent is greater than or equal to 64 then C language undefined behavior is invoked.
Note that libspdm provides a method to query the value of the CTExponent after VCA.
For X86 (ia32, x64) CPU, MSVC or GCC compiler generates SHL or SHLD instruction. SHL discards
bits shifted beyond the destination boundary. SHLD uses 5 bits (32) or
6 bits (64) of the count for the shifting. No security impact.
For ARM (arm, aarch64) CPU, GCC compiler generates LSL instruction, which will use 5 bits (32) or
6 bits (64) for the shifting. No security impact.
For RISC-V (32 or 64) CPU, GCC compiler generates SLL instruction, which will use 5 bits (32) or
6 bits (64) for the shifting. No security impact.
For other CPUs, the impact is unknown.
Patches
libspdm main:
libspdm 2.3:
Because libspdm 1.0, 2.0, 2.1, and 2.2 have known defects, they are not maintained.
libspdm 2.3 branch users should upgrade to release 2.3.3.
Workarounds
After completion of VCA the Requester can check the value of the Responder's CTExponent. If it is greater than
or equal to 64 then the Requester can stop communication with the Responder. Note that the Requester would probably
want to do that anyway, since if CTExponent is greater than or equal to 64 then the Responder is asserting that it may take many eons to complete a cryptography operation.
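The check described above, written out as an added example (not libspdm code): the Requester rejects any CTExponent that would make the shift undefined before storing it, so the advisory's timeout expression is only ever evaluated on a validated value. The struct, `CT_EXPONENT_SHIFT_LIMIT` and the function names are assumptions standing in for libspdm's context field.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical stand-in for the Requester's copy of the Responder's
 * capability (libspdm keeps it in
 * context->connection_info.capability.ct_exponent). */
typedef struct {
    uint8_t ct_exponent;
    bool    valid;   /* set only once the value has passed validation */
} responder_capability_t;

/* Shifting a 64-bit operand by 64 or more is undefined behaviour in C,
 * so a CTExponent >= 64 must be rejected before it is ever used. */
#define CT_EXPONENT_SHIFT_LIMIT 64

bool ct_exponent_is_valid(uint8_t ct_exponent)
{
    return ct_exponent < CT_EXPONENT_SHIFT_LIMIT;
}

/* Store the Responder's CTExponent from CAPABILITIES only after
 * validating it; on failure the caller should stop talking to the
 * Responder, as the workaround suggests. */
bool store_ct_exponent(responder_capability_t *cap, uint8_t ct_exponent)
{
    if (!ct_exponent_is_valid(ct_exponent)) {
        cap->valid = false;
        return false;
    }
    cap->ct_exponent = ct_exponent;
    cap->valid = true;
    return true;
}

/* The same expression the advisory quotes, now unreachable with an
 * undefined shift count because it only runs on a validated value. */
bool ct_timeout(const responder_capability_t *cap, uint64_t *timeout)
{
    if (!cap->valid) {
        return false;
    }
    *timeout = (uint64_t)2 << cap->ct_exponent;
    return true;
}
```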
References
libspdm issue: #2068
Acknowledgement
This issue was discovered by the NVIDIA Offensive Security Research team.