u-boot: add CVE patches for u-boot

Add 9 patches to fix below CVE issues. CVE-2019-13103 CVE-2019-13104 CVE-2019-13105 CVE-2019-13106 CVE-2019-14192 CVE-2019-14193 CVE-2019-14194 CVE-2019-14195 CVE-2019-14196 CVE-2019-14197 CVE-2019-14198 CVE-2019-14199 CVE-2019-14200 CVE-2019-14201 CVE-2019-14202 CVE-2019-14203 CVE-2019-14204 (From OE-Core rev: db22dbe158dcb2298bfd74ff6cbba31f67488035) Signed-off-by: Meng Li <Meng.Li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Limeng <Meng.Li@windriver.com> 2019-09-26 09:46:07 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-09-27 13:02:16 +0100
commit: 205069a9e858c595989335af32319c4720242bfd (patch)
tree: cca193e0e3840bed02fe0c46818e5108f23f9f3d /meta/recipes-bsp/u-boot
parent: 91b787334a84c2f0475eb4af5883b3837023aa61 (diff)
download: poky-205069a9e858c595989335af32319c4720242bfd.tar.gz
10 files changed, 441 insertions, 1 deletions
diff --git a/meta/recipes-bsp/u-boot/files/0001-CVE-2019-13103.patch b/meta/recipes-bsp/u-boot/files/0001-CVE-2019-13103.patch
new file mode 100644
index 0000000000..1a5d1eb996
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/0001-CVE-2019-13103.patch
@@ -0,0 +1,69 @@
+From 39a759494f734c4cdc3e2b919671bfb3134b41ae Mon Sep 17 00:00:00 2001
+From: Paul Emge <paulemge@forallsecure.com>
+Date: Mon, 8 Jul 2019 16:37:03 -0700
+Subject: [PATCH 1/9] CVE-2019-13103: disk: stop infinite recursion in DOS
+ Partitions
+part_get_info_extended and print_partition_extended can recurse infinitely
+while parsing a self-referential filesystem or one with a silly number of
+extended partitions. This patch adds a limit to the number of recursive
+partitions.
+Signed-off-by: Paul Emge <paulemge@forallsecure.com>
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+                 h=232e2f4fd9a24bf08215ddc8c53ccadffc841fb5]
+CVE: CVE-2019-13103
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ disk/part_dos.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+diff --git a/disk/part_dos.c b/disk/part_dos.c
+index 936cee0d36..aae9d95906 100644
+--- a/disk/part_dos.c
+++ b/disk/part_dos.c
+@@ -23,6 +23,10 @@
+ 
+ #define DOS_PART_DEFAULT_SECTOR 512
+ 
+/* should this be configurable? It looks like it's not very common at all
+ * to use large numbers of partitions */
+#define MAX_EXT_PARTS 256
+
+ /* Convert char[4] in little endian format to the host format integer
+  */
+ static inline unsigned int le32_to_int(unsigned char *le32)
+@@ -126,6 +130,13 @@ static void print_partition_extended(struct blk_desc *dev_desc,
+        dos_partition_t *pt;
+        int i;
+ 
+       /* set a maximum recursion level */
+       if (part_num > MAX_EXT_PARTS)
+       {
+               printf("** Nested DOS partitions detected, stopping **\n");
+               return;
+    }
+
+        if (blk_dread(dev_desc, ext_part_sector, 1, (ulong *)buffer) != 1) {
+                printf ("** Can't read partition table on %d:" LBAFU " **\n",
+                        dev_desc->devnum, ext_part_sector);
+@@ -191,6 +202,13 @@ static int part_get_info_extended(struct blk_desc *dev_desc,
+        int i;
+        int dos_type;
+ 
+       /* set a maximum recursion level */
+       if (part_num > MAX_EXT_PARTS)
+       {
+               printf("** Nested DOS partitions detected, stopping **\n");
+               return -1;
+    }
+
+        if (blk_dread(dev_desc, ext_part_sector, 1, (ulong *)buffer) != 1) {
+                printf ("** Can't read partition table on %d:" LBAFU " **\n",
+                        dev_desc->devnum, ext_part_sector);
+-- 
+2.17.1
diff --git a/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch b/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch
new file mode 100644
index 0000000000..de122b27d0
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch
@@ -0,0 +1,49 @@
+From 1d36545e43003f4b1bb3a303a3b468abd482fa2f Mon Sep 17 00:00:00 2001
+From: Paul Emge <paulemge@forallsecure.com>
+Date: Mon, 8 Jul 2019 16:37:05 -0700
+Subject: [PATCH 2/9] CVE-2019-13104: ext4: check for underflow in
+ ext4fs_read_file
+in ext4fs_read_file, it is possible for a broken/malicious file
+system to cause a memcpy of a negative number of bytes, which
+overflows all memory. This patch fixes the issue by checking for
+a negative length.
+Signed-off-by: Paul Emge <paulemge@forallsecure.com>
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+                 h=878269dbe74229005dd7f27aca66c554e31dad8e]
+CVE: CVE-2019-13104
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ fs/ext4/ext4fs.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
+index 26db677a1f..c8c8655ed8 100644
+--- a/fs/ext4/ext4fs.c
+++ b/fs/ext4/ext4fs.c
+@@ -66,13 +66,15 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
+ 
+        ext_cache_init(&cache);
+ 
+-       if (blocksize <= 0)
+-               return -1;
+-
+        /* Adjust len so it we can't read past the end of the file. */
+        if (len + pos > filesize)
+                len = (filesize - pos);
+ 
+       if (blocksize <= 0 || len <= 0) {
+               ext_cache_fini(&cache);
+               return -1;
+       }
+
+        blockcnt = lldiv(((len + pos) + blocksize - 1), blocksize);
+ 
+        for (i = lldiv(pos, blocksize); i < blockcnt; i++) {
+-- 
+2.17.1
diff --git a/meta/recipes-bsp/u-boot/files/0003-CVE-2019-13105.patch b/meta/recipes-bsp/u-boot/files/0003-CVE-2019-13105.patch
new file mode 100644
index 0000000000..f525147e57
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/0003-CVE-2019-13105.patch
@@ -0,0 +1,37 @@
+From 4e937d0de669ee69cf41c20494cbf66c339c3174 Mon Sep 17 00:00:00 2001
+From: Paul Emge <paulemge@forallsecure.com>
+Date: Mon, 8 Jul 2019 16:37:04 -0700
+Subject: [PATCH 3/9] CVE-2019-13105: ext4: fix double-free in ext4_cache_read
+ext_cache_read doesn't null cache->buf, after freeing, which results
+in a later function double-freeing it. This patch fixes
+ext_cache_read to call ext_cache_fini instead of free.
+Signed-off-by: Paul Emge <paulemge@forallsecure.com>
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+                 h=6e5a79de658cb1c8012c86e0837379aa6eabd024]
+CVE: CVE-2019-13105
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ fs/ext4/ext4fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
+index c8c8655ed8..e2b740cac4 100644
+--- a/fs/ext4/ext4fs.c
+++ b/fs/ext4/ext4fs.c
+@@ -288,7 +288,7 @@ int ext_cache_read(struct ext_block_cache *cache, lbaint_t block, int size)
+        if (!cache->buf)
+                return 0;
+        if (!ext4fs_devread(block, 0, size, cache->buf)) {
+-               free(cache->buf);
+               ext_cache_fini(cache);
+                return 0;
+        }
+        cache->block = block;
+-- 
+2.17.1
diff --git a/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch b/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch
new file mode 100644
index 0000000000..8e1a1a9943
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch
@@ -0,0 +1,56 @@
+From 1307dabf5422372483f840dda3963f9dbd2e8e6f Mon Sep 17 00:00:00 2001
+From: Paul Emge <paulemge@forallsecure.com>
+Date: Mon, 8 Jul 2019 16:37:07 -0700
+Subject: [PATCH 4/9] CVE-2019-13106: ext4: fix out-of-bounds memset
+In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of
+the destination memory region. This patch adds a check to disallow
+this.
+Signed-off-by: Paul Emge <paulemge@forallsecure.com>
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+                 h=e205896c5383c938274262524adceb2775fb03ba]
+CVE: CVE-2019-13106
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ fs/ext4/ext4fs.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
+index e2b740cac4..37b31d9f0f 100644
+--- a/fs/ext4/ext4fs.c
+++ b/fs/ext4/ext4fs.c
+@@ -61,6 +61,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
+        lbaint_t delayed_skipfirst = 0;
+        lbaint_t delayed_next = 0;
+        char *delayed_buf = NULL;
+       char *start_buf = buf;
+        short status;
+        struct ext_block_cache cache;
+ 
+@@ -139,6 +140,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
+                        }
+                } else {
+                        int n;
+                       int n_left;
+                        if (previous_block_number != -1) {
+                                /* spill */
+                                status = ext4fs_devread(delayed_start,
+@@ -153,8 +155,9 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
+                        }
+                        /* Zero no more than `len' bytes. */
+                        n = blocksize - skipfirst;
+-                       if (n > len)
+-                               n = len;
+                       n_left = len - ( buf - start_buf );
+                       if (n > n_left)
+                               n = n_left;
+                        memset(buf, 0, n);
+                }
+                buf += blocksize - skipfirst;
+-- 
+2.17.1
diff --git a/meta/recipes-bsp/u-boot/files/0005-CVE-2019-14192-14193-14199.patch b/meta/recipes-bsp/u-boot/files/0005-CVE-2019-14192-14193-14199.patch
new file mode 100644
index 0000000000..a19545a2d3
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/0005-CVE-2019-14192-14193-14199.patch
@@ -0,0 +1,43 @@
+From e8e602f4a4b2aacfb3da32bb8a838be15ea70e7b Mon Sep 17 00:00:00 2001
+From: "liucheng (G)" <liucheng32@huawei.com>
+Date: Thu, 29 Aug 2019 13:47:33 +0000
+Subject: [PATCH 5/9] CVE: net: fix unbounded memcpy of UDP packet
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+This patch adds a check to udp_len to fix unbounded memcpy for
+CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199.
+Signed-off-by: Cheng Liu <liucheng32@huawei.com>
+Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
+Reported-by: Fermín Serna <fermin@semmle.com>
+Acked-by: Joe Hershberger <joe.hershberger@ni.com>
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+                 h=fe7288069d2e6659117049f7d27e261b550bb725]
+CVE: CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ net/net.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/net/net.c b/net/net.c
+index 58b0417cbe..38105f1142 100644
+--- a/net/net.c
+++ b/net/net.c
+@@ -1252,6 +1252,9 @@ void net_process_received_packet(uchar *in_packet, int len)
+                        return;
+                }
+ 
+               if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > ntohs(ip->ip_len))
+                       return;
+
+                debug_cond(DEBUG_DEV_PKT,
+                           "received UDP (to=%pI4, from=%pI4, len=%d)\n",
+                           &dst_ip, &src_ip, len);
+-- 
+2.17.1
diff --git a/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch b/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch
new file mode 100644
index 0000000000..04a09e46df
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch
@@ -0,0 +1,44 @@
+From 261658ddaf24bb35edd477cf09ec055569fd9894 Mon Sep 17 00:00:00 2001
+From: "liucheng (G)" <liucheng32@huawei.com>
+Date: Thu, 29 Aug 2019 13:47:40 +0000
+Subject: [PATCH 6/9] CVE: nfs: fix stack-based buffer overflow in some
+ nfs_handler reply helper functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+This patch adds a check to nfs_handler to fix buffer overflow for CVE-2019-14197,
+CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203 and CVE-2019-14204.
+Signed-off-by: Cheng Liu <liucheng32@huawei.com>
+Reported-by: Fermín Serna <fermin@semmle.com>
+Acked-by: Joe Hershberger <joe.hershberger@ni.com>
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+                 h=741a8a08ebe5bc3ccfe3cde6c2b44ee53891af21]
+CVE: CVE-2019-14197, CVE-2019-14200, CVE-2019-14201, CVE-2019-14202,
+     CVE-2019-14203 and CVE-2019-14204
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ net/nfs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/net/nfs.c b/net/nfs.c
+index d6a7f8e827..b7cf3b3a18 100644
+--- a/net/nfs.c
+++ b/net/nfs.c
+@@ -732,6 +732,9 @@ static void nfs_handler(uchar *pkt, unsigned dest, struct in_addr sip,
+ 
+        debug("%s\n", __func__);
+ 
+       if (len > sizeof(struct rpc_t))
+               return;
+
+        if (dest != nfs_our_port)
+                return;
+ 
+-- 
+2.17.1
diff --git a/meta/recipes-bsp/u-boot/files/0007-CVE-2019-14194-14198.patch b/meta/recipes-bsp/u-boot/files/0007-CVE-2019-14194-14198.patch
new file mode 100644
index 0000000000..b3e3b72ebf
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/0007-CVE-2019-14194-14198.patch
@@ -0,0 +1,42 @@
+From fb6dc193bf2685b7574b218f7ca558aa54659e11 Mon Sep 17 00:00:00 2001
+From: "liucheng (G)" <liucheng32@huawei.com>
+Date: Thu, 29 Aug 2019 13:47:48 +0000
+Subject: [PATCH 7/9] CVE-2019-14194/CVE-2019-14198: nfs: fix unbounded memcpy
+ with a failed length check at nfs_read_reply
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+This patch adds a check to rpc_pkt.u.reply.data at nfs_read_reply.
+Signed-off-by: Cheng Liu <liucheng32@huawei.com>
+Reported-by: Fermín Serna <fermin@semmle.com>
+Acked-by: Joe Hershberger <joe.hershberger@ni.com>
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+                 h=aa207cf3a6d68f39d64cd29057a4fb63943e9078]
+CVE: CVE-2019-14194 and CVE-2019-14198
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ net/nfs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/net/nfs.c b/net/nfs.c
+index b7cf3b3a18..11941fad1a 100644
+--- a/net/nfs.c
+++ b/net/nfs.c
+@@ -701,6 +701,9 @@ static int nfs_read_reply(uchar *pkt, unsigned len)
+                        &(rpc_pkt.u.reply.data[4 + nfsv3_data_offset]);
+        }
+ 
+       if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len)
+                       return -9999;
+
+        if (store_block(data_ptr, nfs_offset, rlen))
+                        return -9999;
+ 
+-- 
+2.17.1
diff --git a/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch b/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch
new file mode 100644
index 0000000000..bf9fb0ef52
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch
@@ -0,0 +1,42 @@
+From 2236973b8a173ff54ae1ebf8ec2300928e69bd1b Mon Sep 17 00:00:00 2001
+From: "liucheng (G)" <liucheng32@huawei.com>
+Date: Thu, 29 Aug 2019 13:47:54 +0000
+Subject: [PATCH 8/9] CVE-2019-14195: nfs: fix unbounded memcpy with
+ unvalidated length at nfs_readlink_reply
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+This patch adds a check to rpc_pkt.u.reply.data at nfs_readlink_reply.
+Signed-off-by: Cheng Liu <liucheng32@huawei.com>
+Reported-by: Fermín Serna <fermin@semmle.com>
+Acked-by: Joe Hershberger <joe.hershberger@ni.com>
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+                 h=cf3a4f1e86ecdd24f87b615051b49d8e1968c230]
+CVE: CVE-2019-14195
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ net/nfs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/net/nfs.c b/net/nfs.c
+index 11941fad1a..915acd95cf 100644
+--- a/net/nfs.c
+++ b/net/nfs.c
+@@ -634,6 +634,9 @@ static int nfs_readlink_reply(uchar *pkt, unsigned len)
+        /* new path length */
+        rlen = ntohl(rpc_pkt.u.reply.data[1 + nfsv3_data_offset]);
+ 
+       if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len)
+               return -NFS_RPC_DROP;
+
+        if (*((char *)&(rpc_pkt.u.reply.data[2 + nfsv3_data_offset])) != '/') {
+                int pathlen;
+ 
+-- 
+2.17.1
diff --git a/meta/recipes-bsp/u-boot/files/0009-CVE-2019-14196.patch b/meta/recipes-bsp/u-boot/files/0009-CVE-2019-14196.patch
new file mode 100644
index 0000000000..f06e025297
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/0009-CVE-2019-14196.patch
@@ -0,0 +1,48 @@
+From 74c468caa95c86cdb12c4b8073e154c435ac0bf7 Mon Sep 17 00:00:00 2001
+From: "liucheng (G)" <liucheng32@huawei.com>
+Date: Thu, 29 Aug 2019 13:48:02 +0000
+Subject: [PATCH 9/9] CVE-2019-14196: nfs: fix unbounded memcpy with a failed
+ length check at nfs_lookup_reply
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+This patch adds a check to rpc_pkt.u.reply.data at nfs_lookup_reply.
+Signed-off-by: Cheng Liu <liucheng32@huawei.com>
+Reported-by: Fermín Serna <fermin@semmle.com>
+Acked-by: Joe Hershberger <joe.hershberger@ni.com>
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+                 h=5d14ee4e53a81055d34ba280cb8fd90330f22a96]
+CVE: CVE-2019-14196
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ net/nfs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/net/nfs.c b/net/nfs.c
+index 915acd95cf..89952aeb66 100644
+--- a/net/nfs.c
+++ b/net/nfs.c
+@@ -566,11 +566,15 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
+        }
+ 
+        if (supported_nfs_versions & NFSV2_FLAG) {
+               if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + NFS_FHSIZE) > len)
+                       return -NFS_RPC_DROP;
+                memcpy(filefh, rpc_pkt.u.reply.data + 1, NFS_FHSIZE);
+        } else {  /* NFSV3_FLAG */
+                filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
+                if (filefh3_length > NFS3_FHSIZE)
+                        filefh3_length  = NFS3_FHSIZE;
+               if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len)
+                       return -NFS_RPC_DROP;
+                memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
+        }
+ 
+-- 
+2.17.1
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index a056eae8ce..f63dfa3b73 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -14,6 +14,16 @@ PE = "1"
 # repo during parse
 SRCREV = "e5aee22e4be75e75a854ab64503fc80598bc2004"
-SRC_URI = "git://git.denx.de/u-boot.git"
+SRC_URI = "git://git.denx.de/u-boot.git \
+           file://0001-CVE-2019-13103.patch \
+           file://0002-CVE-2019-13104.patch \
+           file://0003-CVE-2019-13105.patch \
+           file://0004-CVE-2019-13106.patch \
+           file://0005-CVE-2019-14192-14193-14199.patch \
+           file://0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch \
+           file://0007-CVE-2019-14194-14198.patch \
+           file://0008-CVE-2019-14195.patch \
+           file://0009-CVE-2019-14196.patch \
+"
 S = "${WORKDIR}/git"
author	Limeng <Meng.Li@windriver.com>	2019-09-26 09:46:07 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-09-27 13:02:16 +0100
commit	205069a9e858c595989335af32319c4720242bfd (patch)
tree	cca193e0e3840bed02fe0c46818e5108f23f9f3d /meta/recipes-bsp/u-boot
parent	91b787334a84c2f0475eb4af5883b3837023aa61 (diff)
download	poky-205069a9e858c595989335af32319c4720242bfd.tar.gz

diff --git a/meta/recipes-bsp/u-boot/files/0001-CVE-2019-13103.patch b/meta/recipes-bsp/u-boot/files/0001-CVE-2019-13103.patch new file mode 100644 index 0000000000..1a5d1eb996 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0001-CVE-2019-13103.patch
@@ -0,0 +1,69 @@
		1	From 39a759494f734c4cdc3e2b919671bfb3134b41ae Mon Sep 17 00:00:00 2001
		2	From: Paul Emge <paulemge@forallsecure.com>
		3	Date: Mon, 8 Jul 2019 16:37:03 -0700
		4	Subject: [PATCH 1/9] CVE-2019-13103: disk: stop infinite recursion in DOS
		5	Partitions
		6
		7	part_get_info_extended and print_partition_extended can recurse infinitely
		8	while parsing a self-referential filesystem or one with a silly number of
		9	extended partitions. This patch adds a limit to the number of recursive
		10	partitions.
		11
		12	Signed-off-by: Paul Emge <paulemge@forallsecure.com>
		13
		14	Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
		15	h=232e2f4fd9a24bf08215ddc8c53ccadffc841fb5]
		16
		17	CVE: CVE-2019-13103
		18
		19	Signed-off-by: Meng Li <Meng.Li@windriver.com>
		20	---
		21	disk/part_dos.c \| 18 ++++++++++++++++++
		22	1 file changed, 18 insertions(+)
		23
		24	diff --git a/disk/part_dos.c b/disk/part_dos.c
		25	index 936cee0d36..aae9d95906 100644
		26	--- a/disk/part_dos.c
		27	+++ b/disk/part_dos.c
		28	@@ -23,6 +23,10 @@
		29
		30	#define DOS_PART_DEFAULT_SECTOR 512
		31
		32	+/* should this be configurable? It looks like it's not very common at all
		33	+ * to use large numbers of partitions */
		34	+#define MAX_EXT_PARTS 256
		35	+
		36	/* Convert char[4] in little endian format to the host format integer
		37	*/
		38	static inline unsigned int le32_to_int(unsigned char *le32)
		39	@@ -126,6 +130,13 @@ static void print_partition_extended(struct blk_desc *dev_desc,
		40	dos_partition_t *pt;
		41	int i;
		42
		43	+ /* set a maximum recursion level */
		44	+ if (part_num > MAX_EXT_PARTS)
		45	+ {
		46	+ printf(" Nested DOS partitions detected, stopping \n");
		47	+ return;
		48	+ }
		49	+
		50	if (blk_dread(dev_desc, ext_part_sector, 1, (ulong *)buffer) != 1) {
		51	printf (" Can't read partition table on %d:" LBAFU " \n",
		52	dev_desc->devnum, ext_part_sector);
		53	@@ -191,6 +202,13 @@ static int part_get_info_extended(struct blk_desc *dev_desc,
		54	int i;
		55	int dos_type;
		56
		57	+ /* set a maximum recursion level */
		58	+ if (part_num > MAX_EXT_PARTS)
		59	+ {
		60	+ printf(" Nested DOS partitions detected, stopping \n");
		61	+ return -1;
		62	+ }
		63	+
		64	if (blk_dread(dev_desc, ext_part_sector, 1, (ulong *)buffer) != 1) {
		65	printf (" Can't read partition table on %d:" LBAFU " \n",
		66	dev_desc->devnum, ext_part_sector);
		67	--
		68	2.17.1
		69


diff --git a/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch b/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch new file mode 100644 index 0000000000..de122b27d0 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch
@@ -0,0 +1,49 @@
		1	From 1d36545e43003f4b1bb3a303a3b468abd482fa2f Mon Sep 17 00:00:00 2001
		2	From: Paul Emge <paulemge@forallsecure.com>
		3	Date: Mon, 8 Jul 2019 16:37:05 -0700
		4	Subject: [PATCH 2/9] CVE-2019-13104: ext4: check for underflow in
		5	ext4fs_read_file
		6
		7	in ext4fs_read_file, it is possible for a broken/malicious file
		8	system to cause a memcpy of a negative number of bytes, which
		9	overflows all memory. This patch fixes the issue by checking for
		10	a negative length.
		11
		12	Signed-off-by: Paul Emge <paulemge@forallsecure.com>
		13
		14	Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
		15	h=878269dbe74229005dd7f27aca66c554e31dad8e]
		16
		17	CVE: CVE-2019-13104
		18
		19	Signed-off-by: Meng Li <Meng.Li@windriver.com>
		20	---
		21	fs/ext4/ext4fs.c \| 8 +++++---
		22	1 file changed, 5 insertions(+), 3 deletions(-)
		23
		24	diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
		25	index 26db677a1f..c8c8655ed8 100644
		26	--- a/fs/ext4/ext4fs.c
		27	+++ b/fs/ext4/ext4fs.c
		28	@@ -66,13 +66,15 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
		29
		30	ext_cache_init(&cache);
		31
		32	- if (blocksize <= 0)
		33	- return -1;
		34	-
		35	/* Adjust len so it we can't read past the end of the file. */
		36	if (len + pos > filesize)
		37	len = (filesize - pos);
		38
		39	+ if (blocksize <= 0 \|\| len <= 0) {
		40	+ ext_cache_fini(&cache);
		41	+ return -1;
		42	+ }
		43	+
		44	blockcnt = lldiv(((len + pos) + blocksize - 1), blocksize);
		45
		46	for (i = lldiv(pos, blocksize); i < blockcnt; i++) {
		47	--
		48	2.17.1
		49


diff --git a/meta/recipes-bsp/u-boot/files/0003-CVE-2019-13105.patch b/meta/recipes-bsp/u-boot/files/0003-CVE-2019-13105.patch new file mode 100644 index 0000000000..f525147e57 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0003-CVE-2019-13105.patch
@@ -0,0 +1,37 @@
		1	From 4e937d0de669ee69cf41c20494cbf66c339c3174 Mon Sep 17 00:00:00 2001
		2	From: Paul Emge <paulemge@forallsecure.com>
		3	Date: Mon, 8 Jul 2019 16:37:04 -0700
		4	Subject: [PATCH 3/9] CVE-2019-13105: ext4: fix double-free in ext4_cache_read
		5
		6	ext_cache_read doesn't null cache->buf, after freeing, which results
		7	in a later function double-freeing it. This patch fixes
		8	ext_cache_read to call ext_cache_fini instead of free.
		9
		10	Signed-off-by: Paul Emge <paulemge@forallsecure.com>
		11
		12	Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
		13	h=6e5a79de658cb1c8012c86e0837379aa6eabd024]
		14
		15	CVE: CVE-2019-13105
		16
		17	Signed-off-by: Meng Li <Meng.Li@windriver.com>
		18	---
		19	fs/ext4/ext4fs.c \| 2 +-
		20	1 file changed, 1 insertion(+), 1 deletion(-)
		21
		22	diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
		23	index c8c8655ed8..e2b740cac4 100644
		24	--- a/fs/ext4/ext4fs.c
		25	+++ b/fs/ext4/ext4fs.c
		26	@@ -288,7 +288,7 @@ int ext_cache_read(struct ext_block_cache *cache, lbaint_t block, int size)
		27	if (!cache->buf)
		28	return 0;
		29	if (!ext4fs_devread(block, 0, size, cache->buf)) {
		30	- free(cache->buf);
		31	+ ext_cache_fini(cache);
		32	return 0;
		33	}
		34	cache->block = block;
		35	--
		36	2.17.1
		37


diff --git a/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch b/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch new file mode 100644 index 0000000000..8e1a1a9943 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch
@@ -0,0 +1,56 @@
		1	From 1307dabf5422372483f840dda3963f9dbd2e8e6f Mon Sep 17 00:00:00 2001
		2	From: Paul Emge <paulemge@forallsecure.com>
		3	Date: Mon, 8 Jul 2019 16:37:07 -0700
		4	Subject: [PATCH 4/9] CVE-2019-13106: ext4: fix out-of-bounds memset
		5
		6	In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of
		7	the destination memory region. This patch adds a check to disallow
		8	this.
		9
		10	Signed-off-by: Paul Emge <paulemge@forallsecure.com>
		11
		12	Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
		13	h=e205896c5383c938274262524adceb2775fb03ba]
		14
		15	CVE: CVE-2019-13106
		16
		17	Signed-off-by: Meng Li <Meng.Li@windriver.com>
		18	---
		19	fs/ext4/ext4fs.c \| 7 +++++--
		20	1 file changed, 5 insertions(+), 2 deletions(-)
		21
		22	diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
		23	index e2b740cac4..37b31d9f0f 100644
		24	--- a/fs/ext4/ext4fs.c
		25	+++ b/fs/ext4/ext4fs.c
		26	@@ -61,6 +61,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
		27	lbaint_t delayed_skipfirst = 0;
		28	lbaint_t delayed_next = 0;
		29	char *delayed_buf = NULL;
		30	+ char *start_buf = buf;
		31	short status;
		32	struct ext_block_cache cache;
		33
		34	@@ -139,6 +140,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
		35	}
		36	} else {
		37	int n;
		38	+ int n_left;
		39	if (previous_block_number != -1) {
		40	/* spill */
		41	status = ext4fs_devread(delayed_start,
		42	@@ -153,8 +155,9 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
		43	}
		44	/* Zero no more than `len' bytes. */
		45	n = blocksize - skipfirst;
		46	- if (n > len)
		47	- n = len;
		48	+ n_left = len - ( buf - start_buf );
		49	+ if (n > n_left)
		50	+ n = n_left;
		51	memset(buf, 0, n);
		52	}
		53	buf += blocksize - skipfirst;
		54	--
		55	2.17.1
		56


diff --git a/meta/recipes-bsp/u-boot/files/0005-CVE-2019-14192-14193-14199.patch b/meta/recipes-bsp/u-boot/files/0005-CVE-2019-14192-14193-14199.patch new file mode 100644 index 0000000000..a19545a2d3 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0005-CVE-2019-14192-14193-14199.patch
@@ -0,0 +1,43 @@
		1	From e8e602f4a4b2aacfb3da32bb8a838be15ea70e7b Mon Sep 17 00:00:00 2001
		2	From: "liucheng (G)" <liucheng32@huawei.com>
		3	Date: Thu, 29 Aug 2019 13:47:33 +0000
		4	Subject: [PATCH 5/9] CVE: net: fix unbounded memcpy of UDP packet
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	This patch adds a check to udp_len to fix unbounded memcpy for
		10	CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199.
		11
		12	Signed-off-by: Cheng Liu <liucheng32@huawei.com>
		13	Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
		14	Reported-by: Fermín Serna <fermin@semmle.com>
		15	Acked-by: Joe Hershberger <joe.hershberger@ni.com>
		16
		17	Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
		18	h=fe7288069d2e6659117049f7d27e261b550bb725]
		19
		20	CVE: CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199
		21
		22	Signed-off-by: Meng Li <Meng.Li@windriver.com>
		23	---
		24	net/net.c \| 3 +++
		25	1 file changed, 3 insertions(+)
		26
		27	diff --git a/net/net.c b/net/net.c
		28	index 58b0417cbe..38105f1142 100644
		29	--- a/net/net.c
		30	+++ b/net/net.c
		31	@@ -1252,6 +1252,9 @@ void net_process_received_packet(uchar *in_packet, int len)
		32	return;
		33	}
		34
		35	+ if (ntohs(ip->udp_len) < UDP_HDR_SIZE \|\| ntohs(ip->udp_len) > ntohs(ip->ip_len))
		36	+ return;
		37	+
		38	debug_cond(DEBUG_DEV_PKT,
		39	"received UDP (to=%pI4, from=%pI4, len=%d)\n",
		40	&dst_ip, &src_ip, len);
		41	--
		42	2.17.1
		43


diff --git a/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch b/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch new file mode 100644 index 0000000000..04a09e46df --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch
@@ -0,0 +1,44 @@
		1	From 261658ddaf24bb35edd477cf09ec055569fd9894 Mon Sep 17 00:00:00 2001
		2	From: "liucheng (G)" <liucheng32@huawei.com>
		3	Date: Thu, 29 Aug 2019 13:47:40 +0000
		4	Subject: [PATCH 6/9] CVE: nfs: fix stack-based buffer overflow in some
		5	nfs_handler reply helper functions
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	This patch adds a check to nfs_handler to fix buffer overflow for CVE-2019-14197,
		11	CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203 and CVE-2019-14204.
		12
		13	Signed-off-by: Cheng Liu <liucheng32@huawei.com>
		14	Reported-by: Fermín Serna <fermin@semmle.com>
		15	Acked-by: Joe Hershberger <joe.hershberger@ni.com>
		16
		17	Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
		18	h=741a8a08ebe5bc3ccfe3cde6c2b44ee53891af21]
		19
		20	CVE: CVE-2019-14197, CVE-2019-14200, CVE-2019-14201, CVE-2019-14202,
		21	CVE-2019-14203 and CVE-2019-14204
		22
		23	Signed-off-by: Meng Li <Meng.Li@windriver.com>
		24	---
		25	net/nfs.c \| 3 +++
		26	1 file changed, 3 insertions(+)
		27
		28	diff --git a/net/nfs.c b/net/nfs.c
		29	index d6a7f8e827..b7cf3b3a18 100644
		30	--- a/net/nfs.c
		31	+++ b/net/nfs.c
		32	@@ -732,6 +732,9 @@ static void nfs_handler(uchar *pkt, unsigned dest, struct in_addr sip,
		33
		34	debug("%s\n", __func__);
		35
		36	+ if (len > sizeof(struct rpc_t))
		37	+ return;
		38	+
		39	if (dest != nfs_our_port)
		40	return;
		41
		42	--
		43	2.17.1
		44


diff --git a/meta/recipes-bsp/u-boot/files/0007-CVE-2019-14194-14198.patch b/meta/recipes-bsp/u-boot/files/0007-CVE-2019-14194-14198.patch new file mode 100644 index 0000000000..b3e3b72ebf --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0007-CVE-2019-14194-14198.patch
@@ -0,0 +1,42 @@
		1	From fb6dc193bf2685b7574b218f7ca558aa54659e11 Mon Sep 17 00:00:00 2001
		2	From: "liucheng (G)" <liucheng32@huawei.com>
		3	Date: Thu, 29 Aug 2019 13:47:48 +0000
		4	Subject: [PATCH 7/9] CVE-2019-14194/CVE-2019-14198: nfs: fix unbounded memcpy
		5	with a failed length check at nfs_read_reply
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	This patch adds a check to rpc_pkt.u.reply.data at nfs_read_reply.
		11
		12	Signed-off-by: Cheng Liu <liucheng32@huawei.com>
		13	Reported-by: Fermín Serna <fermin@semmle.com>
		14	Acked-by: Joe Hershberger <joe.hershberger@ni.com>
		15
		16	Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
		17	h=aa207cf3a6d68f39d64cd29057a4fb63943e9078]
		18
		19	CVE: CVE-2019-14194 and CVE-2019-14198
		20
		21	Signed-off-by: Meng Li <Meng.Li@windriver.com>
		22	---
		23	net/nfs.c \| 3 +++
		24	1 file changed, 3 insertions(+)
		25
		26	diff --git a/net/nfs.c b/net/nfs.c
		27	index b7cf3b3a18..11941fad1a 100644
		28	--- a/net/nfs.c
		29	+++ b/net/nfs.c
		30	@@ -701,6 +701,9 @@ static int nfs_read_reply(uchar *pkt, unsigned len)
		31	&(rpc_pkt.u.reply.data[4 + nfsv3_data_offset]);
		32	}
		33
		34	+ if (((uchar )&(rpc_pkt.u.reply.data[0]) - (uchar )(&rpc_pkt) + rlen) > len)
		35	+ return -9999;
		36	+
		37	if (store_block(data_ptr, nfs_offset, rlen))
		38	return -9999;
		39
		40	--
		41	2.17.1
		42


diff --git a/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch b/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch new file mode 100644 index 0000000000..bf9fb0ef52 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch
@@ -0,0 +1,42 @@
		1	From 2236973b8a173ff54ae1ebf8ec2300928e69bd1b Mon Sep 17 00:00:00 2001
		2	From: "liucheng (G)" <liucheng32@huawei.com>
		3	Date: Thu, 29 Aug 2019 13:47:54 +0000
		4	Subject: [PATCH 8/9] CVE-2019-14195: nfs: fix unbounded memcpy with
		5	unvalidated length at nfs_readlink_reply
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	This patch adds a check to rpc_pkt.u.reply.data at nfs_readlink_reply.
		11
		12	Signed-off-by: Cheng Liu <liucheng32@huawei.com>
		13	Reported-by: Fermín Serna <fermin@semmle.com>
		14	Acked-by: Joe Hershberger <joe.hershberger@ni.com>
		15
		16	Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
		17	h=cf3a4f1e86ecdd24f87b615051b49d8e1968c230]
		18
		19	CVE: CVE-2019-14195
		20
		21	Signed-off-by: Meng Li <Meng.Li@windriver.com>
		22	---
		23	net/nfs.c \| 3 +++
		24	1 file changed, 3 insertions(+)
		25
		26	diff --git a/net/nfs.c b/net/nfs.c
		27	index 11941fad1a..915acd95cf 100644
		28	--- a/net/nfs.c
		29	+++ b/net/nfs.c
		30	@@ -634,6 +634,9 @@ static int nfs_readlink_reply(uchar *pkt, unsigned len)
		31	/* new path length */
		32	rlen = ntohl(rpc_pkt.u.reply.data[1 + nfsv3_data_offset]);
		33
		34	+ if (((uchar )&(rpc_pkt.u.reply.data[0]) - (uchar )(&rpc_pkt) + rlen) > len)
		35	+ return -NFS_RPC_DROP;
		36	+
		37	if (((char )&(rpc_pkt.u.reply.data[2 + nfsv3_data_offset])) != '/') {
		38	int pathlen;
		39
		40	--
		41	2.17.1
		42


diff --git a/meta/recipes-bsp/u-boot/files/0009-CVE-2019-14196.patch b/meta/recipes-bsp/u-boot/files/0009-CVE-2019-14196.patch new file mode 100644 index 0000000000..f06e025297 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0009-CVE-2019-14196.patch
@@ -0,0 +1,48 @@
		1	From 74c468caa95c86cdb12c4b8073e154c435ac0bf7 Mon Sep 17 00:00:00 2001
		2	From: "liucheng (G)" <liucheng32@huawei.com>
		3	Date: Thu, 29 Aug 2019 13:48:02 +0000
		4	Subject: [PATCH 9/9] CVE-2019-14196: nfs: fix unbounded memcpy with a failed
		5	length check at nfs_lookup_reply
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	This patch adds a check to rpc_pkt.u.reply.data at nfs_lookup_reply.
		11
		12	Signed-off-by: Cheng Liu <liucheng32@huawei.com>
		13	Reported-by: Fermín Serna <fermin@semmle.com>
		14	Acked-by: Joe Hershberger <joe.hershberger@ni.com>
		15
		16	Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
		17	h=5d14ee4e53a81055d34ba280cb8fd90330f22a96]
		18
		19	CVE: CVE-2019-14196
		20
		21	Signed-off-by: Meng Li <Meng.Li@windriver.com>
		22	---
		23	net/nfs.c \| 4 ++++
		24	1 file changed, 4 insertions(+)
		25
		26	diff --git a/net/nfs.c b/net/nfs.c
		27	index 915acd95cf..89952aeb66 100644
		28	--- a/net/nfs.c
		29	+++ b/net/nfs.c
		30	@@ -566,11 +566,15 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
		31	}
		32
		33	if (supported_nfs_versions & NFSV2_FLAG) {
		34	+ if (((uchar )&(rpc_pkt.u.reply.data[0]) - (uchar )(&rpc_pkt) + NFS_FHSIZE) > len)
		35	+ return -NFS_RPC_DROP;
		36	memcpy(filefh, rpc_pkt.u.reply.data + 1, NFS_FHSIZE);
		37	} else { /* NFSV3_FLAG */
		38	filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
		39	if (filefh3_length > NFS3_FHSIZE)
		40	filefh3_length = NFS3_FHSIZE;
		41	+ if (((uchar )&(rpc_pkt.u.reply.data[0]) - (uchar )(&rpc_pkt) + filefh3_length) > len)
		42	+ return -NFS_RPC_DROP;
		43	memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
		44	}
		45
		46	--
		47	2.17.1
		48


diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc index a056eae8ce..f63dfa3b73 100644 --- a/meta/recipes-bsp/u-boot/u-boot-common.inc +++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -14,6 +14,16 @@ PE = "1"
14	# repo during parse	14	# repo during parse
15	SRCREV = "e5aee22e4be75e75a854ab64503fc80598bc2004"	15	SRCREV = "e5aee22e4be75e75a854ab64503fc80598bc2004"
16		16
17	SRC_URI = "git://git.denx.de/u-boot.git"	17	SRC_URI = "git://git.denx.de/u-boot.git \
		18	file://0001-CVE-2019-13103.patch \
		19	file://0002-CVE-2019-13104.patch \
		20	file://0003-CVE-2019-13105.patch \
		21	file://0004-CVE-2019-13106.patch \
		22	file://0005-CVE-2019-14192-14193-14199.patch \
		23	file://0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch \
		24	file://0007-CVE-2019-14194-14198.patch \
		25	file://0008-CVE-2019-14195.patch \
		26	file://0009-CVE-2019-14196.patch \
		27	"
18		28
19	S = "${WORKDIR}/git"	29	S = "${WORKDIR}/git"