diff options
Diffstat (limited to 'meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch')
-rw-r--r-- | meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch new file mode 100644 index 000000000..50a5635a0 --- /dev/null +++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From 16b10ba5d3a368cd0ed90e9789553c306f1136a6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chrostoper Ertl <chertl@microsoft.com> | ||
3 | Date: Thu, 28 Nov 2019 16:44:18 +0000 | ||
4 | Subject: [PATCH 2/6] fru: Fix buffer overflow in ipmi_spd_print_fru | ||
5 | |||
6 | Partial fix for CVE-2020-5208, see | ||
7 | https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp | ||
8 | |||
9 | The `ipmi_spd_print_fru` function has a similar issue as the one fixed | ||
10 | by the previous commit in `read_fru_area_section`. An initial request is | ||
11 | made to get the `fru.size`, which is used as the size for the allocation | ||
12 | of `spd_data`. Inside a loop, further requests are performed to get the | ||
13 | copy sizes which are not checked before being used as the size for a | ||
14 | copy into the buffer. | ||
15 | |||
16 | Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/840fb1cbb4fb365cb9797300e3374d4faefcdb10] | ||
17 | CVE: CVE-2020-5208 | ||
18 | |||
19 | Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> | ||
20 | --- | ||
21 | lib/dimm_spd.c | 9 ++++++++- | ||
22 | 1 file changed, 8 insertions(+), 1 deletion(-) | ||
23 | |||
24 | diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c | ||
25 | index 41e30db..68f3b4f 100644 | ||
26 | --- a/lib/dimm_spd.c | ||
27 | +++ b/lib/dimm_spd.c | ||
28 | @@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id) | ||
29 | struct ipmi_rq req; | ||
30 | struct fru_info fru; | ||
31 | uint8_t *spd_data, msg_data[4]; | ||
32 | - int len, offset; | ||
33 | + uint32_t len, offset; | ||
34 | |||
35 | msg_data[0] = id; | ||
36 | |||
37 | @@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id) | ||
38 | } | ||
39 | |||
40 | len = rsp->data[0]; | ||
41 | + if(rsp->data_len < 1 | ||
42 | + || len > rsp->data_len - 1 | ||
43 | + || len > fru.size - offset) | ||
44 | + { | ||
45 | + printf(" Not enough buffer size"); | ||
46 | + return -1; | ||
47 | + } | ||
48 | memcpy(&spd_data[offset], rsp->data + 1, len); | ||
49 | offset += len; | ||
50 | } while (offset < fru.size); | ||
51 | -- | ||
52 | 2.23.0 | ||
53 | |||