
awful TPM fix

Posted Jan 28, 2026 10:24 UTC (Wed) by johill (subscriber, #25196)
Parent article: A critical GnuPG security update

Some of this might be baked into the TPM APIs, but e.g. the TPM fix still seems awful to me.

No mention of sizeof(), even if it seems that something like

 if (len > sizeof(VAL_2B (inPoint.point.x, buffer)))
    return GPG_ERR_TOO_LARGE;
should be sufficient to avoid the memcpy() overflow, and the TPM must be doing input validation as well, so shouldn't that be sufficient? For the Intel stack I checked and point.x.buffer is that size (TPM2_MAX_ECC_KEY_BYTES).

Also, it seems that even simple static checkers could have found this, so don't they use those, or at least not with TPM enabled?
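An added example (not from the comment and not GnuPG code) of the sizeof()-based bound the comment proposes, written against constructed stand-ins for the two 2B layouts: the struct definitions, the VAL_2B macro selection, the error codes and the MAX_ECC_KEY_BYTES value are all assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the two TSS layouts named in the thread. The
 * real IBM and Intel headers differ in detail; only the 2B shape matters. */
#define MAX_ECC_KEY_BYTES 66        /* assumption: plays TPM2_MAX_ECC_KEY_BYTES */
enum { ERR_OK = 0, ERR_TOO_LARGE = 1 };  /* stand-ins for gpg-error codes */

#ifdef USE_INTEL_LAYOUT
/* Intel-style: size and buffer are direct members of the 2B. */
typedef struct { uint16_t size; uint8_t buffer[MAX_ECC_KEY_BYTES]; } ecc_param_t;
#define VAL_2B(x, member) (x).member
#else
/* IBM-style: the 2B is a union whose 't' member holds size and buffer. */
typedef union {
    struct { uint16_t size; uint8_t buffer[MAX_ECC_KEY_BYTES]; } t;
    uint8_t raw[2 + MAX_ECC_KEY_BYTES];
} ecc_param_t;
#define VAL_2B(x, member) (x).t.member
#endif

/* Copy a caller-supplied coordinate into the 2B. The bound is taken with
 * sizeof() from the destination array itself, so it is right for whichever
 * layout is compiled in and cannot drift from the buffer's true size. */
int set_ecc_coordinate(ecc_param_t *dst, const uint8_t *src, size_t len)
{
    if (len > sizeof(VAL_2B(*dst, buffer)))
        return ERR_TOO_LARGE;            /* reject before memcpy() can overflow */
    memcpy(VAL_2B(*dst, buffer), src, len);
    VAL_2B(*dst, size) = (uint16_t)len;
    return ERR_OK;
}

/* Exercise the check with a fitting (P-256 sized) and an oversized input. */
int selftest(void)
{
    ecc_param_t p;
    uint8_t x[32], big[MAX_ECC_KEY_BYTES + 1];
    memset(x, 0xab, sizeof x);
    memset(big, 0xcd, sizeof big);
    if (set_ecc_coordinate(&p, x, sizeof x) != ERR_OK) return 0;
    if (VAL_2B(p, size) != 32 || VAL_2B(p, buffer)[31] != 0xab) return 0;
    if (set_ecc_coordinate(&p, big, sizeof big) != ERR_TOO_LARGE) return 0;
    return 1;
}

int main(void)
{
    ecc_param_t p;
    printf("buffer holds %zu bytes; selftest %s\n",
           sizeof(VAL_2B(p, buffer)), selftest() ? "ok" : "FAILED");
    return selftest() ? 0 : 1;
}
```

Compiling with -DUSE_INTEL_LAYOUT switches the layout; the check in set_ecc_coordinate() is unchanged because the bound is derived from the destination member itself.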


awful TPM fix

Posted Jan 28, 2026 11:02 UTC (Wed) by dd9jn (✭ supporter ✭, #4459)

> the TPM fix still seems awful to me.

I agree but it is the best solution we could do with less risk of a regression. The whole TPM API is a total mess and worse, there are actually two implementations (IBM and Intel) we need to support. Fortunately, exploiting the bug needs access to the local socket and if you have this access it is anyway game-over.

I also wonder why the static analyzers didn't find that bug or at least the even more obvious one from 1999 in armor.c (T7906) which has actually seen several Coverity runs.

Why are TPMs so hard?

Posted Jan 31, 2026 3:13 UTC (Sat) by DemiMarie (subscriber, #164188)

What makes TPMs so hard to use? Is it that the underlying hardware is complex of necessity?

Why are TPMs so hard?

Posted Feb 2, 2026 14:00 UTC (Mon) by johill (subscriber, #25196)

It looks to me more like the libraries are a mess: you have to use two different ones, and they don't have the same APIs even though the API was kind of meant to be specced?

But the argument is a bit beside the point - I gave two lines that I'm pretty sure (only checked one of the two cases for the exact byte count) do an equivalent check without an ifdef maze...


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds