diff options
Diffstat (limited to 'meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch')
-rw-r--r-- | meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch | 133 |
1 files changed, 133 insertions, 0 deletions
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch new file mode 100644 index 000000000..aeb0da80e --- /dev/null +++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch | |||
@@ -0,0 +1,133 @@ | |||
1 | From 2542bade29c192370ca897eab67c40f27b8912f8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chrostoper Ertl <chertl@microsoft.com> | ||
3 | Date: Wed, 12 Feb 2020 12:32:00 +0800 | ||
4 | Subject: [PATCH 1/6] fru: Fix buffer overflow vulnerabilities | ||
5 | |||
6 | Partial fix for CVE-2020-5208, see | ||
7 | https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp | ||
8 | |||
9 | The `read_fru_area_section` function only performs size validation of | ||
10 | requested read size, and falsely assumes that the IPMI message will not | ||
11 | respond with more than the requested amount of data; it uses the | ||
12 | unvalidated response size to copy into `frubuf`. If the response is | ||
13 | larger than the request, this can result in overflowing the buffer. | ||
14 | |||
15 | The same issue affects the `read_fru_area` function. | ||
16 | |||
17 | Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2] | ||
18 | CVE: CVE-2020-5208 | ||
19 | |||
20 | Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> | ||
21 | --- | ||
22 | lib/ipmi_fru.c | 33 +++++++++++++++++++++++++++++++-- | ||
23 | 1 file changed, 31 insertions(+), 2 deletions(-) | ||
24 | |||
25 | diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c | ||
26 | index cf00eff..af99aa9 100644 | ||
27 | --- a/lib/ipmi_fru.c | ||
28 | +++ b/lib/ipmi_fru.c | ||
29 | @@ -615,7 +615,10 @@ int | ||
30 | read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, | ||
31 | uint32_t offset, uint32_t length, uint8_t *frubuf) | ||
32 | { | ||
33 | - uint32_t off = offset, tmp, finish; | ||
34 | + uint32_t off = offset; | ||
35 | + uint32_t tmp; | ||
36 | + uint32_t finish; | ||
37 | + uint32_t size_left_in_buffer; | ||
38 | struct ipmi_rs * rsp; | ||
39 | struct ipmi_rq req; | ||
40 | uint8_t msg_data[4]; | ||
41 | @@ -628,10 +631,12 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, | ||
42 | |||
43 | finish = offset + length; | ||
44 | if (finish > fru->size) { | ||
45 | + memset(frubuf + fru->size, 0, length - fru->size); | ||
46 | finish = fru->size; | ||
47 | lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " | ||
48 | "Adjusting to %d", | ||
49 | offset + length, finish - offset); | ||
50 | + length = finish - offset; | ||
51 | } | ||
52 | |||
53 | memset(&req, 0, sizeof(req)); | ||
54 | @@ -667,6 +672,7 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, | ||
55 | } | ||
56 | } | ||
57 | |||
58 | + size_left_in_buffer = length; | ||
59 | do { | ||
60 | tmp = fru->access ? off >> 1 : off; | ||
61 | msg_data[0] = id; | ||
62 | @@ -707,9 +713,18 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, | ||
63 | } | ||
64 | |||
65 | tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; | ||
66 | + if(rsp->data_len < 1 | ||
67 | + || tmp > rsp->data_len - 1 | ||
68 | + || tmp > size_left_in_buffer) | ||
69 | + { | ||
70 | + printf(" Not enough buffer size"); | ||
71 | + return -1; | ||
72 | + } | ||
73 | + | ||
74 | memcpy(frubuf, rsp->data + 1, tmp); | ||
75 | off += tmp; | ||
76 | frubuf += tmp; | ||
77 | + size_left_in_buffer -= tmp; | ||
78 | /* sometimes the size returned in the Info command | ||
79 | * is too large. return 0 so higher level function | ||
80 | * still attempts to parse what was returned */ | ||
81 | @@ -742,7 +757,9 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, | ||
82 | uint32_t offset, uint32_t length, uint8_t *frubuf) | ||
83 | { | ||
84 | static uint32_t fru_data_rqst_size = 20; | ||
85 | - uint32_t off = offset, tmp, finish; | ||
86 | + uint32_t off = offset; | ||
87 | + uint32_t tmp, finish; | ||
88 | + uint32_t size_left_in_buffer; | ||
89 | struct ipmi_rs * rsp; | ||
90 | struct ipmi_rq req; | ||
91 | uint8_t msg_data[4]; | ||
92 | @@ -755,10 +772,12 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, | ||
93 | |||
94 | finish = offset + length; | ||
95 | if (finish > fru->size) { | ||
96 | + memset(frubuf + fru->size, 0, length - fru->size); | ||
97 | finish = fru->size; | ||
98 | lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " | ||
99 | "Adjusting to %d", | ||
100 | offset + length, finish - offset); | ||
101 | + length = finish - offset; | ||
102 | } | ||
103 | |||
104 | memset(&req, 0, sizeof(req)); | ||
105 | @@ -773,6 +792,8 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, | ||
106 | if (fru->access && fru_data_rqst_size > 16) | ||
107 | #endif | ||
108 | fru_data_rqst_size = 16; | ||
109 | + | ||
110 | + size_left_in_buffer = length; | ||
111 | do { | ||
112 | tmp = fru->access ? off >> 1 : off; | ||
113 | msg_data[0] = id; | ||
114 | @@ -804,8 +825,16 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, | ||
115 | } | ||
116 | |||
117 | tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; | ||
118 | + if(rsp->data_len < 1 | ||
119 | + || tmp > rsp->data_len - 1 | ||
120 | + || tmp > size_left_in_buffer) | ||
121 | + { | ||
122 | + printf(" Not enough buffer size"); | ||
123 | + return -1; | ||
124 | + } | ||
125 | memcpy((frubuf + off)-offset, rsp->data + 1, tmp); | ||
126 | off += tmp; | ||
127 | + size_left_in_buffer -= tmp; | ||
128 | |||
129 | /* sometimes the size returned in the Info command | ||
130 | * is too large. return 0 so higher level function | ||
131 | -- | ||
132 | 2.23.0 | ||
133 | |||