diff options
Diffstat (limited to 'meta-oe/recipes-kernel/ipmitool/ipmitool/0003-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch')
-rw-r--r-- | meta-oe/recipes-kernel/ipmitool/ipmitool/0003-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0003-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0003-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch new file mode 100644 index 000000000..6b5022533 --- /dev/null +++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0003-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From 89621b1ce67065fb9044b73c215862fc8aef523f Mon Sep 17 00:00:00 2001 | ||
2 | From: Chrostoper Ertl <chertl@microsoft.com> | ||
3 | Date: Thu, 28 Nov 2019 16:51:49 +0000 | ||
4 | Subject: [PATCH 3/6] session: Fix buffer overflow in ipmi_get_session_info | ||
5 | |||
6 | Partial fix for CVE-2020-5208, see | ||
7 | https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp | ||
8 | |||
9 | The `ipmi_get_session_info` function does not properly check the | ||
10 | response `data_len`, which is used as a copy size, allowing stack buffer | ||
11 | overflow. | ||
12 | |||
13 | Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22] | ||
14 | CVE: CVE-2020-5208 | ||
15 | |||
16 | Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> | ||
17 | --- | ||
18 | lib/ipmi_session.c | 12 ++++++++---- | ||
19 | 1 file changed, 8 insertions(+), 4 deletions(-) | ||
20 | |||
21 | diff --git a/lib/ipmi_session.c b/lib/ipmi_session.c | ||
22 | index 141f0f4..b9af1fd 100644 | ||
23 | --- a/lib/ipmi_session.c | ||
24 | +++ b/lib/ipmi_session.c | ||
25 | @@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf * intf, | ||
26 | } | ||
27 | else | ||
28 | { | ||
29 | - memcpy(&session_info, rsp->data, rsp->data_len); | ||
30 | - print_session_info(&session_info, rsp->data_len); | ||
31 | + memcpy(&session_info, rsp->data, | ||
32 | + __min(rsp->data_len, sizeof(session_info))); | ||
33 | + print_session_info(&session_info, | ||
34 | + __min(rsp->data_len, sizeof(session_info))); | ||
35 | } | ||
36 | break; | ||
37 | |||
38 | @@ -341,8 +343,10 @@ ipmi_get_session_info(struct ipmi_intf * intf, | ||
39 | break; | ||
40 | } | ||
41 | |||
42 | - memcpy(&session_info, rsp->data, rsp->data_len); | ||
43 | - print_session_info(&session_info, rsp->data_len); | ||
44 | + memcpy(&session_info, rsp->data, | ||
45 | + __min(rsp->data_len, sizeof(session_info))); | ||
46 | + print_session_info(&session_info, | ||
47 | + __min(rsp->data_len, sizeof(session_info))); | ||
48 | |||
49 | } while (i <= session_info.session_slot_count); | ||
50 | break; | ||
51 | -- | ||
52 | 2.23.0 | ||
53 | |||