diff options
Diffstat (limited to 'meta-oe/recipes-kernel/ipmitool/ipmitool/0004-channel-Fix-buffer-overflow.patch')
-rw-r--r-- | meta-oe/recipes-kernel/ipmitool/ipmitool/0004-channel-Fix-buffer-overflow.patch | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0004-channel-Fix-buffer-overflow.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0004-channel-Fix-buffer-overflow.patch new file mode 100644 index 000000000..480090b92 --- /dev/null +++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0004-channel-Fix-buffer-overflow.patch | |||
@@ -0,0 +1,69 @@ | |||
1 | From 2a84669ea0d685b4a2ccb664fa3236ec5f19a80a Mon Sep 17 00:00:00 2001 | ||
2 | From: Chrostoper Ertl <chertl@microsoft.com> | ||
3 | Date: Thu, 28 Nov 2019 16:56:38 +0000 | ||
4 | Subject: [PATCH 4/6] channel: Fix buffer overflow | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Partial fix for CVE-2020-5208, see | ||
10 | https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp | ||
11 | |||
12 | The `ipmi_get_channel_cipher_suites` function does not properly check | ||
13 | the final response’s `data_len`, which can lead to stack buffer overflow | ||
14 | on the final copy. | ||
15 | |||
16 | Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4] | ||
17 | CVE: CVE-2020-5208 | ||
18 | |||
19 | [Make some changes to apply it] | ||
20 | Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> | ||
21 | --- | ||
22 | include/ipmitool/ipmi_channel.h | 2 ++ | ||
23 | lib/ipmi_channel.c | 10 ++++++++-- | ||
24 | 2 files changed, 10 insertions(+), 2 deletions(-) | ||
25 | |||
26 | diff --git a/include/ipmitool/ipmi_channel.h b/include/ipmitool/ipmi_channel.h | ||
27 | index b138c26..d7cce5e 100644 | ||
28 | --- a/include/ipmitool/ipmi_channel.h | ||
29 | +++ b/include/ipmitool/ipmi_channel.h | ||
30 | @@ -77,6 +77,8 @@ struct channel_access_t { | ||
31 | uint8_t user_level_auth; | ||
32 | }; | ||
33 | |||
34 | +#define MAX_CIPHER_SUITE_DATA_LEN 0x10 | ||
35 | + | ||
36 | /* | ||
37 | * The Get Authentication Capabilities response structure | ||
38 | * From table 22-15 of the IPMI v2.0 spec | ||
39 | diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c | ||
40 | index fab2e54..76ecdcd 100644 | ||
41 | --- a/lib/ipmi_channel.c | ||
42 | +++ b/lib/ipmi_channel.c | ||
43 | @@ -378,7 +378,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type, | ||
44 | lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); | ||
45 | return -1; | ||
46 | } | ||
47 | - if (rsp->ccode > 0) { | ||
48 | + if (rsp->ccode | ||
49 | + || rsp->data_len < 1 | ||
50 | + || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN) | ||
51 | + { | ||
52 | lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", | ||
53 | val2str(rsp->ccode, completion_code_vals)); | ||
54 | return -1; | ||
55 | @@ -413,7 +416,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type, | ||
56 | lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); | ||
57 | return -1; | ||
58 | } | ||
59 | - if (rsp->ccode > 0) { | ||
60 | + if (rsp->ccode | ||
61 | + || rsp->data_len < 1 | ||
62 | + || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN) | ||
63 | + { | ||
64 | lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", | ||
65 | val2str(rsp->ccode, completion_code_vals)); | ||
66 | return -1; | ||
67 | -- | ||
68 | 2.23.0 | ||
69 | |||