1 files changed, 53 insertions, 0 deletions
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
new file mode 100644
index 000000000..50a5635a0
--- /dev/null
+++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
@@ -0,0 +1,53 @@
+From 16b10ba5d3a368cd0ed90e9789553c306f1136a6 Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 16:44:18 +0000
+Subject: [PATCH 2/6] fru: Fix buffer overflow in ipmi_spd_print_fru
+Partial fix for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+The `ipmi_spd_print_fru` function has a similar issue as the one fixed
+by the previous commit in `read_fru_area_section`. An initial request is
+made to get the `fru.size`, which is used as the size for the allocation
+of `spd_data`. Inside a loop, further requests are performed to get the
+copy sizes which are not checked before being used as the size for a
+copy into the buffer.
+Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/840fb1cbb4fb365cb9797300e3374d4faefcdb10]
+CVE: CVE-2020-5208
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+---
+ lib/dimm_spd.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c
+index 41e30db..68f3b4f 100644
+--- a/lib/dimm_spd.c
+++ b/lib/dimm_spd.c
+@@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
+        struct ipmi_rq req;
+        struct fru_info fru;
+        uint8_t *spd_data, msg_data[4];
+-       int len, offset;
+       uint32_t len, offset;
+ 
+        msg_data[0] = id;
+ 
+@@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
+                }
+ 
+                len = rsp->data[0];
+               if(rsp->data_len < 1
+                  || len > rsp->data_len - 1
+                  || len > fru.size - offset)
+               {
+                       printf(" Not enough buffer size");
+                       return -1;
+               }
+                memcpy(&spd_data[offset], rsp->data + 1, len);
+                offset += len;
+        } while (offset < fru.size);
+-- 
+2.23.0

diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch new file mode 100644 index 000000000..50a5635a0 --- /dev/null +++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
@@ -0,0 +1,53 @@
	1	From 16b10ba5d3a368cd0ed90e9789553c306f1136a6 Mon Sep 17 00:00:00 2001
	2	From: Chrostoper Ertl <chertl@microsoft.com>
	3	Date: Thu, 28 Nov 2019 16:44:18 +0000
	4	Subject: [PATCH 2/6] fru: Fix buffer overflow in ipmi_spd_print_fru
	5
	6	Partial fix for CVE-2020-5208, see
	7	https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
	8
	9	The `ipmi_spd_print_fru` function has a similar issue as the one fixed
	10	by the previous commit in `read_fru_area_section`. An initial request is
	11	made to get the `fru.size`, which is used as the size for the allocation
	12	of `spd_data`. Inside a loop, further requests are performed to get the
	13	copy sizes which are not checked before being used as the size for a
	14	copy into the buffer.
	15
	16	Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/840fb1cbb4fb365cb9797300e3374d4faefcdb10]
	17	CVE: CVE-2020-5208
	18
	19	Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
	20	---
	21	lib/dimm_spd.c \| 9 ++++++++-
	22	1 file changed, 8 insertions(+), 1 deletion(-)
	23
	24	diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c
	25	index 41e30db..68f3b4f 100644
	26	--- a/lib/dimm_spd.c
	27	+++ b/lib/dimm_spd.c
	28	@@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
	29	struct ipmi_rq req;
	30	struct fru_info fru;
	31	uint8_t *spd_data, msg_data[4];
	32	- int len, offset;
	33	+ uint32_t len, offset;
	34
	35	msg_data[0] = id;
	36
	37	@@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
	38	}
	39
	40	len = rsp->data[0];
	41	+ if(rsp->data_len < 1
	42	+ \|\| len > rsp->data_len - 1
	43	+ \|\| len > fru.size - offset)
	44	+ {
	45	+ printf(" Not enough buffer size");
	46	+ return -1;
	47	+ }
	48	memcpy(&spd_data[offset], rsp->data + 1, len);
	49	offset += len;
	50	} while (offset < fru.size);
	51	--
	52	2.23.0
	53