diff options
| author | Limeng <Meng.Li@windriver.com> | 2019-09-26 09:46:07 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-09-27 13:02:16 +0100 |
| commit | 205069a9e858c595989335af32319c4720242bfd (patch) | |
| tree | cca193e0e3840bed02fe0c46818e5108f23f9f3d /meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch | |
| parent | 91b787334a84c2f0475eb4af5883b3837023aa61 (diff) | |
| download | poky-205069a9e858c595989335af32319c4720242bfd.tar.gz | |
u-boot: add CVE patches for u-boot
Add 9 patches to fix below CVE issues.
CVE-2019-13103
CVE-2019-13104
CVE-2019-13105
CVE-2019-13106
CVE-2019-14192
CVE-2019-14193
CVE-2019-14194
CVE-2019-14195
CVE-2019-14196
CVE-2019-14197
CVE-2019-14198
CVE-2019-14199
CVE-2019-14200
CVE-2019-14201
CVE-2019-14202
CVE-2019-14203
CVE-2019-14204
(From OE-Core rev: db22dbe158dcb2298bfd74ff6cbba31f67488035)
Signed-off-by: Meng Li <Meng.Li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch')
| -rw-r--r-- | meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch b/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch new file mode 100644 index 0000000000..bf9fb0ef52 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch | |||
| @@ -0,0 +1,42 @@ | |||
| 1 | From 2236973b8a173ff54ae1ebf8ec2300928e69bd1b Mon Sep 17 00:00:00 2001 | ||
| 2 | From: "liucheng (G)" <liucheng32@huawei.com> | ||
| 3 | Date: Thu, 29 Aug 2019 13:47:54 +0000 | ||
| 4 | Subject: [PATCH 8/9] CVE-2019-14195: nfs: fix unbounded memcpy with | ||
| 5 | unvalidated length at nfs_readlink_reply | ||
| 6 | MIME-Version: 1.0 | ||
| 7 | Content-Type: text/plain; charset=UTF-8 | ||
| 8 | Content-Transfer-Encoding: 8bit | ||
| 9 | |||
| 10 | This patch adds a check to rpc_pkt.u.reply.data at nfs_readlink_reply. | ||
| 11 | |||
| 12 | Signed-off-by: Cheng Liu <liucheng32@huawei.com> | ||
| 13 | Reported-by: FermÃn Serna <fermin@semmle.com> | ||
| 14 | Acked-by: Joe Hershberger <joe.hershberger@ni.com> | ||
| 15 | |||
| 16 | Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit; | ||
| 17 | h=cf3a4f1e86ecdd24f87b615051b49d8e1968c230] | ||
| 18 | |||
| 19 | CVE: CVE-2019-14195 | ||
| 20 | |||
| 21 | Signed-off-by: Meng Li <Meng.Li@windriver.com> | ||
| 22 | --- | ||
| 23 | net/nfs.c | 3 +++ | ||
| 24 | 1 file changed, 3 insertions(+) | ||
| 25 | |||
| 26 | diff --git a/net/nfs.c b/net/nfs.c | ||
| 27 | index 11941fad1a..915acd95cf 100644 | ||
| 28 | --- a/net/nfs.c | ||
| 29 | +++ b/net/nfs.c | ||
| 30 | @@ -634,6 +634,9 @@ static int nfs_readlink_reply(uchar *pkt, unsigned len) | ||
| 31 | /* new path length */ | ||
| 32 | rlen = ntohl(rpc_pkt.u.reply.data[1 + nfsv3_data_offset]); | ||
| 33 | |||
| 34 | + if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len) | ||
| 35 | + return -NFS_RPC_DROP; | ||
| 36 | + | ||
| 37 | if (*((char *)&(rpc_pkt.u.reply.data[2 + nfsv3_data_offset])) != '/') { | ||
| 38 | int pathlen; | ||
| 39 | |||
| 40 | -- | ||
| 41 | 2.17.1 | ||
| 42 | |||