m/p/tpm: fix panic when unsealing corrupted data If the Protobuf payload for the unseal operation is parseable but does not contain a sealed_key member, the code panics trying to access it. This adds an explicit check and returns a descriptive error when that happens. Change-Id: I671958c69265a1e77207981a439a66dccda87064 Reviewed-on: https://review.monogon.dev/c/monogon/+/673 Reviewed-by: Leopold Schabel <leo@nexantic.com>

commit: ed6bcacf756182ee62d249e3675ff050dcbc6800 [log] [tgz]
author: Lorenz Brun <lorenz@monogon.tech> Wed May 04 17:39:41 2022 +0200
committer: Lorenz Brun <lorenz@monogon.tech> Wed May 04 17:49:54 2022 +0000
tree: af1b4ea39b5a4ff2c9e1403748697b6869296938
parent: e11ffb67bab34f1faa439b13aeb2630d86714441 [diff]
diff --git a/metropolis/pkg/tpm/tpm.go b/metropolis/pkg/tpm/tpm.go
index 2b7d20d..2ad1aaa 100644
--- a/metropolis/pkg/tpm/tpm.go
+++ b/metropolis/pkg/tpm/tpm.go

@@ -280,6 +280,9 @@
 	if err := proto.Unmarshal(data, &sealedBytes); err != nil {
 		return []byte{}, errors.Wrap(err, "failed to unmarshal sealed data")
 	}
+	if sealedBytes.SealedKey == nil {
+		return []byte{}, fmt.Errorf("sealed data structure is invalid: no sealed key")
+	}
 	// Logging this for auditing purposes
 	pcrList := []string{}
 	for _, pcr := range sealedBytes.SealedKey.Pcrs {
commit	ed6bcacf756182ee62d249e3675ff050dcbc6800	[log] [tgz]
author	Lorenz Brun <lorenz@monogon.tech>	Wed May 04 17:39:41 2022 +0200
committer	Lorenz Brun <lorenz@monogon.tech>	Wed May 04 17:49:54 2022 +0000
tree	af1b4ea39b5a4ff2c9e1403748697b6869296938
parent	e11ffb67bab34f1faa439b13aeb2630d86714441 [diff]