diff options
author | Wenlin Kang <wenlin.kang@windriver.com> | 2020-03-17 07:41:19 -0700 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2020-03-21 19:47:04 -0700 |
commit | 8c218ae9ace9613a2aa9d3fc700bae9020991194 (patch) | |
tree | 795802beb3510a722546da48c88130c5f3efd10b | |
parent | 22862f7bdc690268ab44548576f002cf585a6f78 (diff) | |
download | meta-openembedded-8c218ae9ace9613a2aa9d3fc700bae9020991194.tar.gz |
ipmitool: fix CVE-2020-5208
Fix CVE-2020-5208
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
7 files changed, 550 insertions, 0 deletions
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch new file mode 100644 index 000000000..aeb0da80e --- /dev/null +++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch | |||
@@ -0,0 +1,133 @@ | |||
1 | From 2542bade29c192370ca897eab67c40f27b8912f8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chrostoper Ertl <chertl@microsoft.com> | ||
3 | Date: Wed, 12 Feb 2020 12:32:00 +0800 | ||
4 | Subject: [PATCH 1/6] fru: Fix buffer overflow vulnerabilities | ||
5 | |||
6 | Partial fix for CVE-2020-5208, see | ||
7 | https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp | ||
8 | |||
9 | The `read_fru_area_section` function only performs size validation of | ||
10 | requested read size, and falsely assumes that the IPMI message will not | ||
11 | respond with more than the requested amount of data; it uses the | ||
12 | unvalidated response size to copy into `frubuf`. If the response is | ||
13 | larger than the request, this can result in overflowing the buffer. | ||
14 | |||
15 | The same issue affects the `read_fru_area` function. | ||
16 | |||
17 | Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2] | ||
18 | CVE: CVE-2020-5208 | ||
19 | |||
20 | Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> | ||
21 | --- | ||
22 | lib/ipmi_fru.c | 33 +++++++++++++++++++++++++++++++-- | ||
23 | 1 file changed, 31 insertions(+), 2 deletions(-) | ||
24 | |||
25 | diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c | ||
26 | index cf00eff..af99aa9 100644 | ||
27 | --- a/lib/ipmi_fru.c | ||
28 | +++ b/lib/ipmi_fru.c | ||
29 | @@ -615,7 +615,10 @@ int | ||
30 | read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, | ||
31 | uint32_t offset, uint32_t length, uint8_t *frubuf) | ||
32 | { | ||
33 | - uint32_t off = offset, tmp, finish; | ||
34 | + uint32_t off = offset; | ||
35 | + uint32_t tmp; | ||
36 | + uint32_t finish; | ||
37 | + uint32_t size_left_in_buffer; | ||
38 | struct ipmi_rs * rsp; | ||
39 | struct ipmi_rq req; | ||
40 | uint8_t msg_data[4]; | ||
41 | @@ -628,10 +631,12 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, | ||
42 | |||
43 | finish = offset + length; | ||
44 | if (finish > fru->size) { | ||
45 | + memset(frubuf + fru->size, 0, length - fru->size); | ||
46 | finish = fru->size; | ||
47 | lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " | ||
48 | "Adjusting to %d", | ||
49 | offset + length, finish - offset); | ||
50 | + length = finish - offset; | ||
51 | } | ||
52 | |||
53 | memset(&req, 0, sizeof(req)); | ||
54 | @@ -667,6 +672,7 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, | ||
55 | } | ||
56 | } | ||
57 | |||
58 | + size_left_in_buffer = length; | ||
59 | do { | ||
60 | tmp = fru->access ? off >> 1 : off; | ||
61 | msg_data[0] = id; | ||
62 | @@ -707,9 +713,18 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, | ||
63 | } | ||
64 | |||
65 | tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; | ||
66 | + if(rsp->data_len < 1 | ||
67 | + || tmp > rsp->data_len - 1 | ||
68 | + || tmp > size_left_in_buffer) | ||
69 | + { | ||
70 | + printf(" Not enough buffer size"); | ||
71 | + return -1; | ||
72 | + } | ||
73 | + | ||
74 | memcpy(frubuf, rsp->data + 1, tmp); | ||
75 | off += tmp; | ||
76 | frubuf += tmp; | ||
77 | + size_left_in_buffer -= tmp; | ||
78 | /* sometimes the size returned in the Info command | ||
79 | * is too large. return 0 so higher level function | ||
80 | * still attempts to parse what was returned */ | ||
81 | @@ -742,7 +757,9 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, | ||
82 | uint32_t offset, uint32_t length, uint8_t *frubuf) | ||
83 | { | ||
84 | static uint32_t fru_data_rqst_size = 20; | ||
85 | - uint32_t off = offset, tmp, finish; | ||
86 | + uint32_t off = offset; | ||
87 | + uint32_t tmp, finish; | ||
88 | + uint32_t size_left_in_buffer; | ||
89 | struct ipmi_rs * rsp; | ||
90 | struct ipmi_rq req; | ||
91 | uint8_t msg_data[4]; | ||
92 | @@ -755,10 +772,12 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, | ||
93 | |||
94 | finish = offset + length; | ||
95 | if (finish > fru->size) { | ||
96 | + memset(frubuf + fru->size, 0, length - fru->size); | ||
97 | finish = fru->size; | ||
98 | lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " | ||
99 | "Adjusting to %d", | ||
100 | offset + length, finish - offset); | ||
101 | + length = finish - offset; | ||
102 | } | ||
103 | |||
104 | memset(&req, 0, sizeof(req)); | ||
105 | @@ -773,6 +792,8 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, | ||
106 | if (fru->access && fru_data_rqst_size > 16) | ||
107 | #endif | ||
108 | fru_data_rqst_size = 16; | ||
109 | + | ||
110 | + size_left_in_buffer = length; | ||
111 | do { | ||
112 | tmp = fru->access ? off >> 1 : off; | ||
113 | msg_data[0] = id; | ||
114 | @@ -804,8 +825,16 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, | ||
115 | } | ||
116 | |||
117 | tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; | ||
118 | + if(rsp->data_len < 1 | ||
119 | + || tmp > rsp->data_len - 1 | ||
120 | + || tmp > size_left_in_buffer) | ||
121 | + { | ||
122 | + printf(" Not enough buffer size"); | ||
123 | + return -1; | ||
124 | + } | ||
125 | memcpy((frubuf + off)-offset, rsp->data + 1, tmp); | ||
126 | off += tmp; | ||
127 | + size_left_in_buffer -= tmp; | ||
128 | |||
129 | /* sometimes the size returned in the Info command | ||
130 | * is too large. return 0 so higher level function | ||
131 | -- | ||
132 | 2.23.0 | ||
133 | |||
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch new file mode 100644 index 000000000..50a5635a0 --- /dev/null +++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From 16b10ba5d3a368cd0ed90e9789553c306f1136a6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chrostoper Ertl <chertl@microsoft.com> | ||
3 | Date: Thu, 28 Nov 2019 16:44:18 +0000 | ||
4 | Subject: [PATCH 2/6] fru: Fix buffer overflow in ipmi_spd_print_fru | ||
5 | |||
6 | Partial fix for CVE-2020-5208, see | ||
7 | https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp | ||
8 | |||
9 | The `ipmi_spd_print_fru` function has a similar issue as the one fixed | ||
10 | by the previous commit in `read_fru_area_section`. An initial request is | ||
11 | made to get the `fru.size`, which is used as the size for the allocation | ||
12 | of `spd_data`. Inside a loop, further requests are performed to get the | ||
13 | copy sizes which are not checked before being used as the size for a | ||
14 | copy into the buffer. | ||
15 | |||
16 | Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/840fb1cbb4fb365cb9797300e3374d4faefcdb10] | ||
17 | CVE: CVE-2020-5208 | ||
18 | |||
19 | Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> | ||
20 | --- | ||
21 | lib/dimm_spd.c | 9 ++++++++- | ||
22 | 1 file changed, 8 insertions(+), 1 deletion(-) | ||
23 | |||
24 | diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c | ||
25 | index 41e30db..68f3b4f 100644 | ||
26 | --- a/lib/dimm_spd.c | ||
27 | +++ b/lib/dimm_spd.c | ||
28 | @@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id) | ||
29 | struct ipmi_rq req; | ||
30 | struct fru_info fru; | ||
31 | uint8_t *spd_data, msg_data[4]; | ||
32 | - int len, offset; | ||
33 | + uint32_t len, offset; | ||
34 | |||
35 | msg_data[0] = id; | ||
36 | |||
37 | @@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id) | ||
38 | } | ||
39 | |||
40 | len = rsp->data[0]; | ||
41 | + if(rsp->data_len < 1 | ||
42 | + || len > rsp->data_len - 1 | ||
43 | + || len > fru.size - offset) | ||
44 | + { | ||
45 | + printf(" Not enough buffer size"); | ||
46 | + return -1; | ||
47 | + } | ||
48 | memcpy(&spd_data[offset], rsp->data + 1, len); | ||
49 | offset += len; | ||
50 | } while (offset < fru.size); | ||
51 | -- | ||
52 | 2.23.0 | ||
53 | |||
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0003-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0003-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch new file mode 100644 index 000000000..6b5022533 --- /dev/null +++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0003-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From 89621b1ce67065fb9044b73c215862fc8aef523f Mon Sep 17 00:00:00 2001 | ||
2 | From: Chrostoper Ertl <chertl@microsoft.com> | ||
3 | Date: Thu, 28 Nov 2019 16:51:49 +0000 | ||
4 | Subject: [PATCH 3/6] session: Fix buffer overflow in ipmi_get_session_info | ||
5 | |||
6 | Partial fix for CVE-2020-5208, see | ||
7 | https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp | ||
8 | |||
9 | The `ipmi_get_session_info` function does not properly check the | ||
10 | response `data_len`, which is used as a copy size, allowing stack buffer | ||
11 | overflow. | ||
12 | |||
13 | Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22] | ||
14 | CVE: CVE-2020-5208 | ||
15 | |||
16 | Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> | ||
17 | --- | ||
18 | lib/ipmi_session.c | 12 ++++++++---- | ||
19 | 1 file changed, 8 insertions(+), 4 deletions(-) | ||
20 | |||
21 | diff --git a/lib/ipmi_session.c b/lib/ipmi_session.c | ||
22 | index 141f0f4..b9af1fd 100644 | ||
23 | --- a/lib/ipmi_session.c | ||
24 | +++ b/lib/ipmi_session.c | ||
25 | @@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf * intf, | ||
26 | } | ||
27 | else | ||
28 | { | ||
29 | - memcpy(&session_info, rsp->data, rsp->data_len); | ||
30 | - print_session_info(&session_info, rsp->data_len); | ||
31 | + memcpy(&session_info, rsp->data, | ||
32 | + __min(rsp->data_len, sizeof(session_info))); | ||
33 | + print_session_info(&session_info, | ||
34 | + __min(rsp->data_len, sizeof(session_info))); | ||
35 | } | ||
36 | break; | ||
37 | |||
38 | @@ -341,8 +343,10 @@ ipmi_get_session_info(struct ipmi_intf * intf, | ||
39 | break; | ||
40 | } | ||
41 | |||
42 | - memcpy(&session_info, rsp->data, rsp->data_len); | ||
43 | - print_session_info(&session_info, rsp->data_len); | ||
44 | + memcpy(&session_info, rsp->data, | ||
45 | + __min(rsp->data_len, sizeof(session_info))); | ||
46 | + print_session_info(&session_info, | ||
47 | + __min(rsp->data_len, sizeof(session_info))); | ||
48 | |||
49 | } while (i <= session_info.session_slot_count); | ||
50 | break; | ||
51 | -- | ||
52 | 2.23.0 | ||
53 | |||
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0004-channel-Fix-buffer-overflow.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0004-channel-Fix-buffer-overflow.patch new file mode 100644 index 000000000..480090b92 --- /dev/null +++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0004-channel-Fix-buffer-overflow.patch | |||
@@ -0,0 +1,69 @@ | |||
1 | From 2a84669ea0d685b4a2ccb664fa3236ec5f19a80a Mon Sep 17 00:00:00 2001 | ||
2 | From: Chrostoper Ertl <chertl@microsoft.com> | ||
3 | Date: Thu, 28 Nov 2019 16:56:38 +0000 | ||
4 | Subject: [PATCH 4/6] channel: Fix buffer overflow | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Partial fix for CVE-2020-5208, see | ||
10 | https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp | ||
11 | |||
12 | The `ipmi_get_channel_cipher_suites` function does not properly check | ||
13 | the final response’s `data_len`, which can lead to stack buffer overflow | ||
14 | on the final copy. | ||
15 | |||
16 | Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4] | ||
17 | CVE: CVE-2020-5208 | ||
18 | |||
19 | [Make some changes to apply it] | ||
20 | Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> | ||
21 | --- | ||
22 | include/ipmitool/ipmi_channel.h | 2 ++ | ||
23 | lib/ipmi_channel.c | 10 ++++++++-- | ||
24 | 2 files changed, 10 insertions(+), 2 deletions(-) | ||
25 | |||
26 | diff --git a/include/ipmitool/ipmi_channel.h b/include/ipmitool/ipmi_channel.h | ||
27 | index b138c26..d7cce5e 100644 | ||
28 | --- a/include/ipmitool/ipmi_channel.h | ||
29 | +++ b/include/ipmitool/ipmi_channel.h | ||
30 | @@ -77,6 +77,8 @@ struct channel_access_t { | ||
31 | uint8_t user_level_auth; | ||
32 | }; | ||
33 | |||
34 | +#define MAX_CIPHER_SUITE_DATA_LEN 0x10 | ||
35 | + | ||
36 | /* | ||
37 | * The Get Authentication Capabilities response structure | ||
38 | * From table 22-15 of the IPMI v2.0 spec | ||
39 | diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c | ||
40 | index fab2e54..76ecdcd 100644 | ||
41 | --- a/lib/ipmi_channel.c | ||
42 | +++ b/lib/ipmi_channel.c | ||
43 | @@ -378,7 +378,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type, | ||
44 | lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); | ||
45 | return -1; | ||
46 | } | ||
47 | - if (rsp->ccode > 0) { | ||
48 | + if (rsp->ccode | ||
49 | + || rsp->data_len < 1 | ||
50 | + || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN) | ||
51 | + { | ||
52 | lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", | ||
53 | val2str(rsp->ccode, completion_code_vals)); | ||
54 | return -1; | ||
55 | @@ -413,7 +416,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type, | ||
56 | lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); | ||
57 | return -1; | ||
58 | } | ||
59 | - if (rsp->ccode > 0) { | ||
60 | + if (rsp->ccode | ||
61 | + || rsp->data_len < 1 | ||
62 | + || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN) | ||
63 | + { | ||
64 | lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", | ||
65 | val2str(rsp->ccode, completion_code_vals)); | ||
66 | return -1; | ||
67 | -- | ||
68 | 2.23.0 | ||
69 | |||
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0005-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0005-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch new file mode 100644 index 000000000..1b1dec1c1 --- /dev/null +++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0005-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch | |||
@@ -0,0 +1,94 @@ | |||
1 | From f45e6d84b75dcd649e18c9256c136cda354de6fd Mon Sep 17 00:00:00 2001 | ||
2 | From: Chrostoper Ertl <chertl@microsoft.com> | ||
3 | Date: Thu, 28 Nov 2019 17:06:39 +0000 | ||
4 | Subject: [PATCH 5/6] lanp: Fix buffer overflows in get_lan_param_select | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Partial fix for CVE-2020-5208, see | ||
10 | https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp | ||
11 | |||
12 | The `get_lan_param_select` function is missing a validation check on the | ||
13 | response’s `data_len`, which it then returns to caller functions, where | ||
14 | stack buffer overflow can occur. | ||
15 | |||
16 | Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/d45572d71e70840e0d4c50bf48218492b79c1a10] | ||
17 | CVE: CVE-2020-5208 | ||
18 | |||
19 | [Make some changes to apply it] | ||
20 | Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> | ||
21 | --- | ||
22 | lib/ipmi_lanp.c | 14 +++++++------- | ||
23 | 1 file changed, 7 insertions(+), 7 deletions(-) | ||
24 | |||
25 | diff --git a/lib/ipmi_lanp.c b/lib/ipmi_lanp.c | ||
26 | index 65d881b..022c7f1 100644 | ||
27 | --- a/lib/ipmi_lanp.c | ||
28 | +++ b/lib/ipmi_lanp.c | ||
29 | @@ -1809,7 +1809,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, | ||
30 | if (p == NULL) { | ||
31 | return (-1); | ||
32 | } | ||
33 | - memcpy(data, p->data, p->data_len); | ||
34 | + memcpy(data, p->data, __min(p->data_len, sizeof(data))); | ||
35 | /* set new ipaddr */ | ||
36 | memcpy(data+3, temp, 4); | ||
37 | printf("Setting LAN Alert %d IP Address to %d.%d.%d.%d\n", alert, | ||
38 | @@ -1824,7 +1824,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, | ||
39 | if (p == NULL) { | ||
40 | return (-1); | ||
41 | } | ||
42 | - memcpy(data, p->data, p->data_len); | ||
43 | + memcpy(data, p->data, __min(p->data_len, sizeof(data))); | ||
44 | /* set new macaddr */ | ||
45 | memcpy(data+7, temp, 6); | ||
46 | printf("Setting LAN Alert %d MAC Address to " | ||
47 | @@ -1838,7 +1838,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, | ||
48 | if (p == NULL) { | ||
49 | return (-1); | ||
50 | } | ||
51 | - memcpy(data, p->data, p->data_len); | ||
52 | + memcpy(data, p->data, __min(p->data_len, sizeof(data))); | ||
53 | |||
54 | if (strncasecmp(argv[1], "def", 3) == 0 || | ||
55 | strncasecmp(argv[1], "default", 7) == 0) { | ||
56 | @@ -1864,7 +1864,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, | ||
57 | if (p == NULL) { | ||
58 | return (-1); | ||
59 | } | ||
60 | - memcpy(data, p->data, p->data_len); | ||
61 | + memcpy(data, p->data, __min(p->data_len, sizeof(data))); | ||
62 | |||
63 | if (strncasecmp(argv[1], "on", 2) == 0 || | ||
64 | strncasecmp(argv[1], "yes", 3) == 0) { | ||
65 | @@ -1889,7 +1889,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, | ||
66 | if (p == NULL) { | ||
67 | return (-1); | ||
68 | } | ||
69 | - memcpy(data, p->data, p->data_len); | ||
70 | + memcpy(data, p->data, __min(p->data_len, sizeof(data))); | ||
71 | |||
72 | if (strncasecmp(argv[1], "pet", 3) == 0) { | ||
73 | printf("Setting LAN Alert %d destination to PET Trap\n", alert); | ||
74 | @@ -1917,7 +1917,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, | ||
75 | if (p == NULL) { | ||
76 | return (-1); | ||
77 | } | ||
78 | - memcpy(data, p->data, p->data_len); | ||
79 | + memcpy(data, p->data, __min(p->data_len, sizeof(data))); | ||
80 | |||
81 | if (str2uchar(argv[1], &data[2]) != 0) { | ||
82 | lprintf(LOG_ERR, "Invalid time: %s", argv[1]); | ||
83 | @@ -1933,7 +1933,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, | ||
84 | if (p == NULL) { | ||
85 | return (-1); | ||
86 | } | ||
87 | - memcpy(data, p->data, p->data_len); | ||
88 | + memcpy(data, p->data, __min(p->data_len, sizeof(data))); | ||
89 | |||
90 | if (str2uchar(argv[1], &data[3]) != 0) { | ||
91 | lprintf(LOG_ERR, "Invalid retry: %s", argv[1]); | ||
92 | -- | ||
93 | 2.23.0 | ||
94 | |||
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0006-fru-sdr-Fix-id_string-buffer-overflows.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0006-fru-sdr-Fix-id_string-buffer-overflows.patch new file mode 100644 index 000000000..38ca41b68 --- /dev/null +++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0006-fru-sdr-Fix-id_string-buffer-overflows.patch | |||
@@ -0,0 +1,142 @@ | |||
1 | From 401b7dda5ad1beada4791d54a7e75880f2a4fc24 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chrostoper Ertl <chertl@microsoft.com> | ||
3 | Date: Thu, 28 Nov 2019 17:13:45 +0000 | ||
4 | Subject: [PATCH 6/6] fru, sdr: Fix id_string buffer overflows | ||
5 | |||
6 | Final part of the fixes for CVE-2020-5208, see | ||
7 | https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp | ||
8 | |||
9 | 9 variants of stack buffer overflow when parsing `id_string` field of | ||
10 | SDR records returned from `CMD_GET_SDR` command. | ||
11 | |||
12 | SDR record structs have an `id_code` field, and an `id_string` `char` | ||
13 | array. | ||
14 | |||
15 | The length of `id_string` is calculated as `(id_code & 0x1f) + 1`, | ||
16 | which can be larger than expected 16 characters (if `id_code = 0xff`, | ||
17 | then length will be `(0xff & 0x1f) + 1 = 32`). | ||
18 | |||
19 | In numerous places, this can cause stack buffer overflow when copying | ||
20 | into fixed buffer of size `17` bytes from this calculated length. | ||
21 | |||
22 | Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/7ccea283dd62a05a320c1921e3d8d71a87772637] | ||
23 | CVE: CVE-2020-5208 | ||
24 | |||
25 | Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> | ||
26 | --- | ||
27 | lib/ipmi_fru.c | 2 +- | ||
28 | lib/ipmi_sdr.c | 40 ++++++++++++++++++++++++---------------- | ||
29 | 2 files changed, 25 insertions(+), 17 deletions(-) | ||
30 | |||
31 | diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c | ||
32 | index af99aa9..98bc984 100644 | ||
33 | --- a/lib/ipmi_fru.c | ||
34 | +++ b/lib/ipmi_fru.c | ||
35 | @@ -3062,7 +3062,7 @@ ipmi_fru_print(struct ipmi_intf * intf, struct sdr_record_fru_locator * fru) | ||
36 | return 0; | ||
37 | |||
38 | memset(desc, 0, sizeof(desc)); | ||
39 | - memcpy(desc, fru->id_string, fru->id_code & 0x01f); | ||
40 | + memcpy(desc, fru->id_string, __min(fru->id_code & 0x01f, sizeof(desc))); | ||
41 | desc[fru->id_code & 0x01f] = 0; | ||
42 | printf("FRU Device Description : %s (ID %d)\n", desc, fru->device_id); | ||
43 | |||
44 | diff --git a/lib/ipmi_sdr.c b/lib/ipmi_sdr.c | ||
45 | index 2a9cbe3..62aac08 100644 | ||
46 | --- a/lib/ipmi_sdr.c | ||
47 | +++ b/lib/ipmi_sdr.c | ||
48 | @@ -2084,7 +2084,7 @@ ipmi_sdr_print_sensor_eventonly(struct ipmi_intf *intf, | ||
49 | return -1; | ||
50 | |||
51 | memset(desc, 0, sizeof (desc)); | ||
52 | - snprintf(desc, (sensor->id_code & 0x1f) + 1, "%s", sensor->id_string); | ||
53 | + snprintf(desc, sizeof(desc), "%.*s", (sensor->id_code & 0x1f) + 1, sensor->id_string); | ||
54 | |||
55 | if (verbose) { | ||
56 | printf("Sensor ID : %s (0x%x)\n", | ||
57 | @@ -2135,7 +2135,7 @@ ipmi_sdr_print_sensor_mc_locator(struct ipmi_intf *intf, | ||
58 | return -1; | ||
59 | |||
60 | memset(desc, 0, sizeof (desc)); | ||
61 | - snprintf(desc, (mc->id_code & 0x1f) + 1, "%s", mc->id_string); | ||
62 | + snprintf(desc, sizeof(desc), "%.*s", (mc->id_code & 0x1f) + 1, mc->id_string); | ||
63 | |||
64 | if (verbose == 0) { | ||
65 | if (csv_output) | ||
66 | @@ -2228,7 +2228,7 @@ ipmi_sdr_print_sensor_generic_locator(struct ipmi_intf *intf, | ||
67 | char desc[17]; | ||
68 | |||
69 | memset(desc, 0, sizeof (desc)); | ||
70 | - snprintf(desc, (dev->id_code & 0x1f) + 1, "%s", dev->id_string); | ||
71 | + snprintf(desc, sizeof(desc), "%.*s", (dev->id_code & 0x1f) + 1, dev->id_string); | ||
72 | |||
73 | if (!verbose) { | ||
74 | if (csv_output) | ||
75 | @@ -2285,7 +2285,7 @@ ipmi_sdr_print_sensor_fru_locator(struct ipmi_intf *intf, | ||
76 | char desc[17]; | ||
77 | |||
78 | memset(desc, 0, sizeof (desc)); | ||
79 | - snprintf(desc, (fru->id_code & 0x1f) + 1, "%s", fru->id_string); | ||
80 | + snprintf(desc, sizeof(desc), "%.*s", (fru->id_code & 0x1f) + 1, fru->id_string); | ||
81 | |||
82 | if (!verbose) { | ||
83 | if (csv_output) | ||
84 | @@ -2489,35 +2489,43 @@ ipmi_sdr_print_name_from_rawentry(struct ipmi_intf *intf, uint16_t id, | ||
85 | |||
86 | int rc =0; | ||
87 | char desc[17]; | ||
88 | + const char *id_string; | ||
89 | + uint8_t id_code; | ||
90 | memset(desc, ' ', sizeof (desc)); | ||
91 | |||
92 | switch ( type) { | ||
93 | case SDR_RECORD_TYPE_FULL_SENSOR: | ||
94 | record.full = (struct sdr_record_full_sensor *) raw; | ||
95 | - snprintf(desc, (record.full->id_code & 0x1f) +1, "%s", | ||
96 | - (const char *)record.full->id_string); | ||
97 | + id_code = record.full->id_code; | ||
98 | + id_string = record.full->id_string; | ||
99 | break; | ||
100 | + | ||
101 | case SDR_RECORD_TYPE_COMPACT_SENSOR: | ||
102 | record.compact = (struct sdr_record_compact_sensor *) raw ; | ||
103 | - snprintf(desc, (record.compact->id_code & 0x1f) +1, "%s", | ||
104 | - (const char *)record.compact->id_string); | ||
105 | + id_code = record.compact->id_code; | ||
106 | + id_string = record.compact->id_string; | ||
107 | break; | ||
108 | + | ||
109 | case SDR_RECORD_TYPE_EVENTONLY_SENSOR: | ||
110 | record.eventonly = (struct sdr_record_eventonly_sensor *) raw ; | ||
111 | - snprintf(desc, (record.eventonly->id_code & 0x1f) +1, "%s", | ||
112 | - (const char *)record.eventonly->id_string); | ||
113 | - break; | ||
114 | + id_code = record.eventonly->id_code; | ||
115 | + id_string = record.eventonly->id_string; | ||
116 | + break; | ||
117 | + | ||
118 | case SDR_RECORD_TYPE_MC_DEVICE_LOCATOR: | ||
119 | record.mcloc = (struct sdr_record_mc_locator *) raw ; | ||
120 | - snprintf(desc, (record.mcloc->id_code & 0x1f) +1, "%s", | ||
121 | - (const char *)record.mcloc->id_string); | ||
122 | + id_code = record.mcloc->id_code; | ||
123 | + id_string = record.mcloc->id_string; | ||
124 | break; | ||
125 | + | ||
126 | default: | ||
127 | rc = -1; | ||
128 | - break; | ||
129 | - } | ||
130 | + } | ||
131 | + if (!rc) { | ||
132 | + snprintf(desc, sizeof(desc), "%.*s", (id_code & 0x1f) + 1, id_string); | ||
133 | + } | ||
134 | |||
135 | - lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); | ||
136 | + lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); | ||
137 | return rc; | ||
138 | } | ||
139 | |||
140 | -- | ||
141 | 2.23.0 | ||
142 | |||
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.18.bb b/meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.18.bb index b7f1aa914..16dbcb291 100644 --- a/meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.18.bb +++ b/meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.18.bb | |||
@@ -24,6 +24,12 @@ DEPENDS = "openssl readline ncurses" | |||
24 | 24 | ||
25 | SRC_URI = "${SOURCEFORGE_MIRROR}/ipmitool/ipmitool-${PV}.tar.bz2 \ | 25 | SRC_URI = "${SOURCEFORGE_MIRROR}/ipmitool/ipmitool-${PV}.tar.bz2 \ |
26 | file://0001-Migrate-to-openssl-1.1.patch \ | 26 | file://0001-Migrate-to-openssl-1.1.patch \ |
27 | file://0001-fru-Fix-buffer-overflow-vulnerabilities.patch \ | ||
28 | file://0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch \ | ||
29 | file://0003-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch \ | ||
30 | file://0004-channel-Fix-buffer-overflow.patch \ | ||
31 | file://0005-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch \ | ||
32 | file://0006-fru-sdr-Fix-id_string-buffer-overflows.patch \ | ||
27 | " | 33 | " |
28 | SRC_URI[md5sum] = "bab7ea104c7b85529c3ef65c54427aa3" | 34 | SRC_URI[md5sum] = "bab7ea104c7b85529c3ef65c54427aa3" |
29 | SRC_URI[sha256sum] = "0c1ba3b1555edefb7c32ae8cd6a3e04322056bc087918f07189eeedfc8b81e01" | 35 | SRC_URI[sha256sum] = "0c1ba3b1555edefb7c32ae8cd6a3e04322056bc087918f07189eeedfc8b81e01" |