u-boot: add CVE patches for u-boot

Add 9 patches to fix below CVE issues. CVE-2019-13103 CVE-2019-13104 CVE-2019-13105 CVE-2019-13106 CVE-2019-14192 CVE-2019-14193 CVE-2019-14194 CVE-2019-14195 CVE-2019-14196 CVE-2019-14197 CVE-2019-14198 CVE-2019-14199 CVE-2019-14200 CVE-2019-14201 CVE-2019-14202 CVE-2019-14203 CVE-2019-14204 (From OE-Core rev: db22dbe158dcb2298bfd74ff6cbba31f67488035) Signed-off-by: Meng Li <Meng.Li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Limeng <Meng.Li@windriver.com> 2019-09-26 09:46:07 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-09-27 13:02:16 +0100
commit: 205069a9e858c595989335af32319c4720242bfd (patch)
tree: cca193e0e3840bed02fe0c46818e5108f23f9f3d /meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch
parent: 91b787334a84c2f0475eb4af5883b3837023aa61 (diff)
download: poky-205069a9e858c595989335af32319c4720242bfd.tar.gz
1 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch b/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch
new file mode 100644
index 0000000000..8e1a1a9943
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch
@@ -0,0 +1,56 @@
+From 1307dabf5422372483f840dda3963f9dbd2e8e6f Mon Sep 17 00:00:00 2001
+From: Paul Emge <paulemge@forallsecure.com>
+Date: Mon, 8 Jul 2019 16:37:07 -0700
+Subject: [PATCH 4/9] CVE-2019-13106: ext4: fix out-of-bounds memset
+In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of
+the destination memory region. This patch adds a check to disallow
+this.
+Signed-off-by: Paul Emge <paulemge@forallsecure.com>
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+                 h=e205896c5383c938274262524adceb2775fb03ba]
+CVE: CVE-2019-13106
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ fs/ext4/ext4fs.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
+index e2b740cac4..37b31d9f0f 100644
+--- a/fs/ext4/ext4fs.c
+++ b/fs/ext4/ext4fs.c
+@@ -61,6 +61,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
+        lbaint_t delayed_skipfirst = 0;
+        lbaint_t delayed_next = 0;
+        char *delayed_buf = NULL;
+       char *start_buf = buf;
+        short status;
+        struct ext_block_cache cache;
+ 
+@@ -139,6 +140,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
+                        }
+                } else {
+                        int n;
+                       int n_left;
+                        if (previous_block_number != -1) {
+                                /* spill */
+                                status = ext4fs_devread(delayed_start,
+@@ -153,8 +155,9 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
+                        }
+                        /* Zero no more than `len' bytes. */
+                        n = blocksize - skipfirst;
+-                       if (n > len)
+-                               n = len;
+                       n_left = len - ( buf - start_buf );
+                       if (n > n_left)
+                               n = n_left;
+                        memset(buf, 0, n);
+                }
+                buf += blocksize - skipfirst;
+-- 
+2.17.1
author	Limeng <Meng.Li@windriver.com>	2019-09-26 09:46:07 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-09-27 13:02:16 +0100
commit	205069a9e858c595989335af32319c4720242bfd (patch)
tree	cca193e0e3840bed02fe0c46818e5108f23f9f3d /meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch
parent	91b787334a84c2f0475eb4af5883b3837023aa61 (diff)
download	poky-205069a9e858c595989335af32319c4720242bfd.tar.gz

diff --git a/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch b/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch new file mode 100644 index 0000000000..8e1a1a9943 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch
@@ -0,0 +1,56 @@
	1	From 1307dabf5422372483f840dda3963f9dbd2e8e6f Mon Sep 17 00:00:00 2001
	2	From: Paul Emge <paulemge@forallsecure.com>
	3	Date: Mon, 8 Jul 2019 16:37:07 -0700
	4	Subject: [PATCH 4/9] CVE-2019-13106: ext4: fix out-of-bounds memset
	5
	6	In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of
	7	the destination memory region. This patch adds a check to disallow
	8	this.
	9
	10	Signed-off-by: Paul Emge <paulemge@forallsecure.com>
	11
	12	Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
	13	h=e205896c5383c938274262524adceb2775fb03ba]
	14
	15	CVE: CVE-2019-13106
	16
	17	Signed-off-by: Meng Li <Meng.Li@windriver.com>
	18	---
	19	fs/ext4/ext4fs.c \| 7 +++++--
	20	1 file changed, 5 insertions(+), 2 deletions(-)
	21
	22	diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
	23	index e2b740cac4..37b31d9f0f 100644
	24	--- a/fs/ext4/ext4fs.c
	25	+++ b/fs/ext4/ext4fs.c
	26	@@ -61,6 +61,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
	27	lbaint_t delayed_skipfirst = 0;
	28	lbaint_t delayed_next = 0;
	29	char *delayed_buf = NULL;
	30	+ char *start_buf = buf;
	31	short status;
	32	struct ext_block_cache cache;
	33
	34	@@ -139,6 +140,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
	35	}
	36	} else {
	37	int n;
	38	+ int n_left;
	39	if (previous_block_number != -1) {
	40	/* spill */
	41	status = ext4fs_devread(delayed_start,
	42	@@ -153,8 +155,9 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
	43	}
	44	/* Zero no more than `len' bytes. */
	45	n = blocksize - skipfirst;
	46	- if (n > len)
	47	- n = len;
	48	+ n_left = len - ( buf - start_buf );
	49	+ if (n > n_left)
	50	+ n = n_left;
	51	memset(buf, 0, n);
	52	}
	53	buf += blocksize - skipfirst;
	54	--
	55	2.17.1
	56