u-boot: Bump from 2019.07 to 2019.10

(From OE-Core rev: 460f877adbfaf2ae980228c9d545886f82656c38) Signed-off-by: Alistair Francis <alistair.francis@wdc.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Alistair Francis <alistair.francis@wdc.com> 2019-10-14 17:43:16 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-10-19 23:18:33 +0100
commit: fdc1ccbb969b2fe80f0b32dce818ee237451c816 (patch)
tree: 989db9c9eb3ee5920bbb0da4757cca17a8beb101 /meta/recipes-bsp
parent: 65cc5c2455af0699159dcb4e8564ea6fde5417d9 (diff)
download: poky-fdc1ccbb969b2fe80f0b32dce818ee237451c816.tar.gz
14 files changed, 35 insertions, 441 deletions
diff --git a/meta/recipes-bsp/u-boot/files/0001-CVE-2019-13103.patch b/meta/recipes-bsp/u-boot/files/0001-CVE-2019-13103.patch
deleted file mode 100644
index 1a5d1eb996..0000000000
--- a/meta/recipes-bsp/u-boot/files/0001-CVE-2019-13103.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 39a759494f734c4cdc3e2b919671bfb3134b41ae Mon Sep 17 00:00:00 2001
-From: Paul Emge <paulemge@forallsecure.com>
-Date: Mon, 8 Jul 2019 16:37:03 -0700
-Subject: [PATCH 1/9] CVE-2019-13103: disk: stop infinite recursion in DOS
- Partitions
-part_get_info_extended and print_partition_extended can recurse infinitely
-while parsing a self-referential filesystem or one with a silly number of
-extended partitions. This patch adds a limit to the number of recursive
-partitions.
-Signed-off-by: Paul Emge <paulemge@forallsecure.com>
-Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
-                 h=232e2f4fd9a24bf08215ddc8c53ccadffc841fb5]
-CVE: CVE-2019-13103
-Signed-off-by: Meng Li <Meng.Li@windriver.com>
---
- disk/part_dos.c | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-diff --git a/disk/part_dos.c b/disk/part_dos.c
-index 936cee0d36..aae9d95906 100644
--- a/disk/part_dos.c
-+++ b/disk/part_dos.c
-@@ -23,6 +23,10 @@
- 
- #define DOS_PART_DEFAULT_SECTOR 512
- 
-+/* should this be configurable? It looks like it's not very common at all
-+ * to use large numbers of partitions */
-+#define MAX_EXT_PARTS 256
-+
- /* Convert char[4] in little endian format to the host format integer
-  */
- static inline unsigned int le32_to_int(unsigned char *le32)
-@@ -126,6 +130,13 @@ static void print_partition_extended(struct blk_desc *dev_desc,
-        dos_partition_t *pt;
-        int i;
- 
-+       /* set a maximum recursion level */
-+       if (part_num > MAX_EXT_PARTS)
-+       {
-+               printf("** Nested DOS partitions detected, stopping **\n");
-+               return;
-+    }
-+
-        if (blk_dread(dev_desc, ext_part_sector, 1, (ulong *)buffer) != 1) {
-                printf ("** Can't read partition table on %d:" LBAFU " **\n",
-                        dev_desc->devnum, ext_part_sector);
-@@ -191,6 +202,13 @@ static int part_get_info_extended(struct blk_desc *dev_desc,
-        int i;
-        int dos_type;
- 
-+       /* set a maximum recursion level */
-+       if (part_num > MAX_EXT_PARTS)
-+       {
-+               printf("** Nested DOS partitions detected, stopping **\n");
-+               return -1;
-+    }
-+
-        if (blk_dread(dev_desc, ext_part_sector, 1, (ulong *)buffer) != 1) {
-                printf ("** Can't read partition table on %d:" LBAFU " **\n",
-                        dev_desc->devnum, ext_part_sector);
-- 
-2.17.1
diff --git a/meta/recipes-bsp/u-boot/files/0001-include-env.h-Ensure-ulong-is-defined.patch b/meta/recipes-bsp/u-boot/files/0001-include-env.h-Ensure-ulong-is-defined.patch
new file mode 100644
index 0000000000..b9118164df
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/0001-include-env.h-Ensure-ulong-is-defined.patch
@@ -0,0 +1,31 @@
+From 0565a080d153d5baaaacfeb5045a832e126f4f9e Mon Sep 17 00:00:00 2001
+From: Alistair Francis <alistair.francis@wdc.com>
+Date: Mon, 14 Oct 2019 17:37:30 -0700
+Subject: [PATCH] include/env.h: Ensure ulong is defined
+To fix these failures when building with musl:
+   include/env.h:166:1: error: unknown type name 'ulong'; did you mean 'long'?
+ensure that ulong is defined.
+Upstream-Status: Pending
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+---
+ include/env.h | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/include/env.h b/include/env.h
+index b72239f6a5..5ca49a3456 100644
+--- a/include/env.h
+++ b/include/env.h
+@@ -13,6 +13,8 @@
+ #include <stdbool.h>
+ #include <linux/types.h>
+ 
+typedef unsigned long           ulong;
+
+ struct environment_s;
+ 
+ /* Value for environment validity */
+-- 
+2.23.0
diff --git a/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch b/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch
deleted file mode 100644
index de122b27d0..0000000000
--- a/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 1d36545e43003f4b1bb3a303a3b468abd482fa2f Mon Sep 17 00:00:00 2001
-From: Paul Emge <paulemge@forallsecure.com>
-Date: Mon, 8 Jul 2019 16:37:05 -0700
-Subject: [PATCH 2/9] CVE-2019-13104: ext4: check for underflow in
- ext4fs_read_file
-in ext4fs_read_file, it is possible for a broken/malicious file
-system to cause a memcpy of a negative number of bytes, which
-overflows all memory. This patch fixes the issue by checking for
-a negative length.
-Signed-off-by: Paul Emge <paulemge@forallsecure.com>
-Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
-                 h=878269dbe74229005dd7f27aca66c554e31dad8e]
-CVE: CVE-2019-13104
-Signed-off-by: Meng Li <Meng.Li@windriver.com>
---
- fs/ext4/ext4fs.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
-index 26db677a1f..c8c8655ed8 100644
--- a/fs/ext4/ext4fs.c
-+++ b/fs/ext4/ext4fs.c
-@@ -66,13 +66,15 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
- 
-        ext_cache_init(&cache);
- 
-       if (blocksize <= 0)
-               return -1;
-
-        /* Adjust len so it we can't read past the end of the file. */
-        if (len + pos > filesize)
-                len = (filesize - pos);
- 
-+       if (blocksize <= 0 || len <= 0) {
-+               ext_cache_fini(&cache);
-+               return -1;
-+       }
-+
-        blockcnt = lldiv(((len + pos) + blocksize - 1), blocksize);
- 
-        for (i = lldiv(pos, blocksize); i < blockcnt; i++) {
-- 
-2.17.1
diff --git a/meta/recipes-bsp/u-boot/files/0003-CVE-2019-13105.patch b/meta/recipes-bsp/u-boot/files/0003-CVE-2019-13105.patch
deleted file mode 100644
index f525147e57..0000000000
--- a/meta/recipes-bsp/u-boot/files/0003-CVE-2019-13105.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 4e937d0de669ee69cf41c20494cbf66c339c3174 Mon Sep 17 00:00:00 2001
-From: Paul Emge <paulemge@forallsecure.com>
-Date: Mon, 8 Jul 2019 16:37:04 -0700
-Subject: [PATCH 3/9] CVE-2019-13105: ext4: fix double-free in ext4_cache_read
-ext_cache_read doesn't null cache->buf, after freeing, which results
-in a later function double-freeing it. This patch fixes
-ext_cache_read to call ext_cache_fini instead of free.
-Signed-off-by: Paul Emge <paulemge@forallsecure.com>
-Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
-                 h=6e5a79de658cb1c8012c86e0837379aa6eabd024]
-CVE: CVE-2019-13105
-Signed-off-by: Meng Li <Meng.Li@windriver.com>
---
- fs/ext4/ext4fs.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
-index c8c8655ed8..e2b740cac4 100644
--- a/fs/ext4/ext4fs.c
-+++ b/fs/ext4/ext4fs.c
-@@ -288,7 +288,7 @@ int ext_cache_read(struct ext_block_cache *cache, lbaint_t block, int size)
-        if (!cache->buf)
-                return 0;
-        if (!ext4fs_devread(block, 0, size, cache->buf)) {
-               free(cache->buf);
-+               ext_cache_fini(cache);
-                return 0;
-        }
-        cache->block = block;
-- 
-2.17.1
diff --git a/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch b/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch
deleted file mode 100644
index 8e1a1a9943..0000000000
--- a/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 1307dabf5422372483f840dda3963f9dbd2e8e6f Mon Sep 17 00:00:00 2001
-From: Paul Emge <paulemge@forallsecure.com>
-Date: Mon, 8 Jul 2019 16:37:07 -0700
-Subject: [PATCH 4/9] CVE-2019-13106: ext4: fix out-of-bounds memset
-In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of
-the destination memory region. This patch adds a check to disallow
-this.
-Signed-off-by: Paul Emge <paulemge@forallsecure.com>
-Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
-                 h=e205896c5383c938274262524adceb2775fb03ba]
-CVE: CVE-2019-13106
-Signed-off-by: Meng Li <Meng.Li@windriver.com>
---
- fs/ext4/ext4fs.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
-index e2b740cac4..37b31d9f0f 100644
--- a/fs/ext4/ext4fs.c
-+++ b/fs/ext4/ext4fs.c
-@@ -61,6 +61,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
-        lbaint_t delayed_skipfirst = 0;
-        lbaint_t delayed_next = 0;
-        char *delayed_buf = NULL;
-+       char *start_buf = buf;
-        short status;
-        struct ext_block_cache cache;
- 
-@@ -139,6 +140,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
-                        }
-                } else {
-                        int n;
-+                       int n_left;
-                        if (previous_block_number != -1) {
-                                /* spill */
-                                status = ext4fs_devread(delayed_start,
-@@ -153,8 +155,9 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
-                        }
-                        /* Zero no more than `len' bytes. */
-                        n = blocksize - skipfirst;
-                       if (n > len)
-                               n = len;
-+                       n_left = len - ( buf - start_buf );
-+                       if (n > n_left)
-+                               n = n_left;
-                        memset(buf, 0, n);
-                }
-                buf += blocksize - skipfirst;
-- 
-2.17.1
diff --git a/meta/recipes-bsp/u-boot/files/0005-CVE-2019-14192-14193-14199.patch b/meta/recipes-bsp/u-boot/files/0005-CVE-2019-14192-14193-14199.patch
deleted file mode 100644
index a19545a2d3..0000000000
--- a/meta/recipes-bsp/u-boot/files/0005-CVE-2019-14192-14193-14199.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From e8e602f4a4b2aacfb3da32bb8a838be15ea70e7b Mon Sep 17 00:00:00 2001
-From: "liucheng (G)" <liucheng32@huawei.com>
-Date: Thu, 29 Aug 2019 13:47:33 +0000
-Subject: [PATCH 5/9] CVE: net: fix unbounded memcpy of UDP packet
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-This patch adds a check to udp_len to fix unbounded memcpy for
-CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199.
-Signed-off-by: Cheng Liu <liucheng32@huawei.com>
-Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
-Reported-by: Fermín Serna <fermin@semmle.com>
-Acked-by: Joe Hershberger <joe.hershberger@ni.com>
-Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
-                 h=fe7288069d2e6659117049f7d27e261b550bb725]
-CVE: CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199
-Signed-off-by: Meng Li <Meng.Li@windriver.com>
---
- net/net.c | 3 +++
- 1 file changed, 3 insertions(+)
-diff --git a/net/net.c b/net/net.c
-index 58b0417cbe..38105f1142 100644
--- a/net/net.c
-+++ b/net/net.c
-@@ -1252,6 +1252,9 @@ void net_process_received_packet(uchar *in_packet, int len)
-                        return;
-                }
- 
-+               if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > ntohs(ip->ip_len))
-+                       return;
-+
-                debug_cond(DEBUG_DEV_PKT,
-                           "received UDP (to=%pI4, from=%pI4, len=%d)\n",
-                           &dst_ip, &src_ip, len);
-- 
-2.17.1
diff --git a/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch b/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch
deleted file mode 100644
index 04a09e46df..0000000000
--- a/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 261658ddaf24bb35edd477cf09ec055569fd9894 Mon Sep 17 00:00:00 2001
-From: "liucheng (G)" <liucheng32@huawei.com>
-Date: Thu, 29 Aug 2019 13:47:40 +0000
-Subject: [PATCH 6/9] CVE: nfs: fix stack-based buffer overflow in some
- nfs_handler reply helper functions
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-This patch adds a check to nfs_handler to fix buffer overflow for CVE-2019-14197,
-CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203 and CVE-2019-14204.
-Signed-off-by: Cheng Liu <liucheng32@huawei.com>
-Reported-by: Fermín Serna <fermin@semmle.com>
-Acked-by: Joe Hershberger <joe.hershberger@ni.com>
-Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
-                 h=741a8a08ebe5bc3ccfe3cde6c2b44ee53891af21]
-CVE: CVE-2019-14197, CVE-2019-14200, CVE-2019-14201, CVE-2019-14202,
-     CVE-2019-14203 and CVE-2019-14204
-Signed-off-by: Meng Li <Meng.Li@windriver.com>
---
- net/nfs.c | 3 +++
- 1 file changed, 3 insertions(+)
-diff --git a/net/nfs.c b/net/nfs.c
-index d6a7f8e827..b7cf3b3a18 100644
--- a/net/nfs.c
-+++ b/net/nfs.c
-@@ -732,6 +732,9 @@ static void nfs_handler(uchar *pkt, unsigned dest, struct in_addr sip,
- 
-        debug("%s\n", __func__);
- 
-+       if (len > sizeof(struct rpc_t))
-+               return;
-+
-        if (dest != nfs_our_port)
-                return;
- 
-- 
-2.17.1
diff --git a/meta/recipes-bsp/u-boot/files/0007-CVE-2019-14194-14198.patch b/meta/recipes-bsp/u-boot/files/0007-CVE-2019-14194-14198.patch
deleted file mode 100644
index b3e3b72ebf..0000000000
--- a/meta/recipes-bsp/u-boot/files/0007-CVE-2019-14194-14198.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From fb6dc193bf2685b7574b218f7ca558aa54659e11 Mon Sep 17 00:00:00 2001
-From: "liucheng (G)" <liucheng32@huawei.com>
-Date: Thu, 29 Aug 2019 13:47:48 +0000
-Subject: [PATCH 7/9] CVE-2019-14194/CVE-2019-14198: nfs: fix unbounded memcpy
- with a failed length check at nfs_read_reply
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-This patch adds a check to rpc_pkt.u.reply.data at nfs_read_reply.
-Signed-off-by: Cheng Liu <liucheng32@huawei.com>
-Reported-by: Fermín Serna <fermin@semmle.com>
-Acked-by: Joe Hershberger <joe.hershberger@ni.com>
-Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
-                 h=aa207cf3a6d68f39d64cd29057a4fb63943e9078]
-CVE: CVE-2019-14194 and CVE-2019-14198
-Signed-off-by: Meng Li <Meng.Li@windriver.com>
---
- net/nfs.c | 3 +++
- 1 file changed, 3 insertions(+)
-diff --git a/net/nfs.c b/net/nfs.c
-index b7cf3b3a18..11941fad1a 100644
--- a/net/nfs.c
-+++ b/net/nfs.c
-@@ -701,6 +701,9 @@ static int nfs_read_reply(uchar *pkt, unsigned len)
-                        &(rpc_pkt.u.reply.data[4 + nfsv3_data_offset]);
-        }
- 
-+       if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len)
-+                       return -9999;
-+
-        if (store_block(data_ptr, nfs_offset, rlen))
-                        return -9999;
- 
-- 
-2.17.1
diff --git a/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch b/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch
deleted file mode 100644
index bf9fb0ef52..0000000000
--- a/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 2236973b8a173ff54ae1ebf8ec2300928e69bd1b Mon Sep 17 00:00:00 2001
-From: "liucheng (G)" <liucheng32@huawei.com>
-Date: Thu, 29 Aug 2019 13:47:54 +0000
-Subject: [PATCH 8/9] CVE-2019-14195: nfs: fix unbounded memcpy with
- unvalidated length at nfs_readlink_reply
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-This patch adds a check to rpc_pkt.u.reply.data at nfs_readlink_reply.
-Signed-off-by: Cheng Liu <liucheng32@huawei.com>
-Reported-by: Fermín Serna <fermin@semmle.com>
-Acked-by: Joe Hershberger <joe.hershberger@ni.com>
-Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
-                 h=cf3a4f1e86ecdd24f87b615051b49d8e1968c230]
-CVE: CVE-2019-14195
-Signed-off-by: Meng Li <Meng.Li@windriver.com>
---
- net/nfs.c | 3 +++
- 1 file changed, 3 insertions(+)
-diff --git a/net/nfs.c b/net/nfs.c
-index 11941fad1a..915acd95cf 100644
--- a/net/nfs.c
-+++ b/net/nfs.c
-@@ -634,6 +634,9 @@ static int nfs_readlink_reply(uchar *pkt, unsigned len)
-        /* new path length */
-        rlen = ntohl(rpc_pkt.u.reply.data[1 + nfsv3_data_offset]);
- 
-+       if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len)
-+               return -NFS_RPC_DROP;
-+
-        if (*((char *)&(rpc_pkt.u.reply.data[2 + nfsv3_data_offset])) != '/') {
-                int pathlen;
- 
-- 
-2.17.1
diff --git a/meta/recipes-bsp/u-boot/files/0009-CVE-2019-14196.patch b/meta/recipes-bsp/u-boot/files/0009-CVE-2019-14196.patch
deleted file mode 100644
index f06e025297..0000000000
--- a/meta/recipes-bsp/u-boot/files/0009-CVE-2019-14196.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 74c468caa95c86cdb12c4b8073e154c435ac0bf7 Mon Sep 17 00:00:00 2001
-From: "liucheng (G)" <liucheng32@huawei.com>
-Date: Thu, 29 Aug 2019 13:48:02 +0000
-Subject: [PATCH 9/9] CVE-2019-14196: nfs: fix unbounded memcpy with a failed
- length check at nfs_lookup_reply
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-This patch adds a check to rpc_pkt.u.reply.data at nfs_lookup_reply.
-Signed-off-by: Cheng Liu <liucheng32@huawei.com>
-Reported-by: Fermín Serna <fermin@semmle.com>
-Acked-by: Joe Hershberger <joe.hershberger@ni.com>
-Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
-                 h=5d14ee4e53a81055d34ba280cb8fd90330f22a96]
-CVE: CVE-2019-14196
-Signed-off-by: Meng Li <Meng.Li@windriver.com>
---
- net/nfs.c | 4 ++++
- 1 file changed, 4 insertions(+)
-diff --git a/net/nfs.c b/net/nfs.c
-index 915acd95cf..89952aeb66 100644
--- a/net/nfs.c
-+++ b/net/nfs.c
-@@ -566,11 +566,15 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
-        }
- 
-        if (supported_nfs_versions & NFSV2_FLAG) {
-+               if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + NFS_FHSIZE) > len)
-+                       return -NFS_RPC_DROP;
-                memcpy(filefh, rpc_pkt.u.reply.data + 1, NFS_FHSIZE);
-        } else {  /* NFSV3_FLAG */
-                filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
-                if (filefh3_length > NFS3_FHSIZE)
-                        filefh3_length  = NFS3_FHSIZE;
-+               if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len)
-+                       return -NFS_RPC_DROP;
-                memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
-        }
- 
-- 
-2.17.1
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index f63dfa3b73..c3e458e925 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -12,18 +12,9 @@ PE = "1"
 # We use the revision in order to avoid having to fetch it from the
 # repo during parse
-SRCREV = "e5aee22e4be75e75a854ab64503fc80598bc2004"
+SRCREV = "61ba1244b548463dbfb3c5285b6b22e7c772c5bd"
 SRC_URI = "git://git.denx.de/u-boot.git \
-           file://0001-CVE-2019-13103.patch \
+          "
-           file://0002-CVE-2019-13104.patch \
-           file://0003-CVE-2019-13105.patch \
-           file://0004-CVE-2019-13106.patch \
-           file://0005-CVE-2019-14192-14193-14199.patch \
-           file://0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch \
-           file://0007-CVE-2019-14194-14198.patch \
-           file://0008-CVE-2019-14195.patch \
-           file://0009-CVE-2019-14196.patch \
-"
 S = "${WORKDIR}/git"
diff --git a/meta/recipes-bsp/u-boot/u-boot-fw-utils_2019.07.bb b/meta/recipes-bsp/u-boot/u-boot-fw-utils_2019.10.bb
index b5ce56847b..04321b7b66 100644
--- a/meta/recipes-bsp/u-boot/u-boot-fw-utils_2019.07.bb
+++ b/meta/recipes-bsp/u-boot/u-boot-fw-utils_2019.10.bb
@@ -3,6 +3,8 @@ require u-boot-common.inc
 SUMMARY = "U-Boot bootloader fw_printenv/setenv utilities"
 DEPENDS += "mtd-utils"
+SRC_URI += "file://0001-include-env.h-Ensure-ulong-is-defined.patch"
 INSANE_SKIP_${PN} = "already-stripped"
 EXTRA_OEMAKE_class-target = 'CROSS_COMPILE=${TARGET_PREFIX} CC="${CC} ${CFLAGS} ${LDFLAGS}" HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" V=1'
 EXTRA_OEMAKE_class-cross = 'HOSTCC="${CC} ${CFLAGS} ${LDFLAGS}" V=1'
diff --git a/meta/recipes-bsp/u-boot/u-boot-tools_2019.07.bb b/meta/recipes-bsp/u-boot/u-boot-tools_2019.10.bb
index bede984ef7..bede984ef7 100644
--- a/meta/recipes-bsp/u-boot/u-boot-tools_2019.07.bb
+++ b/meta/recipes-bsp/u-boot/u-boot-tools_2019.10.bb
diff --git a/meta/recipes-bsp/u-boot/u-boot_2019.07.bb b/meta/recipes-bsp/u-boot/u-boot_2019.10.bb
index 02d67c0db2..02d67c0db2 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2019.07.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2019.10.bb
author	Alistair Francis <alistair.francis@wdc.com>	2019-10-14 17:43:16 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-19 23:18:33 +0100
commit	fdc1ccbb969b2fe80f0b32dce818ee237451c816 (patch)
tree	989db9c9eb3ee5920bbb0da4757cca17a8beb101 /meta/recipes-bsp
parent	65cc5c2455af0699159dcb4e8564ea6fde5417d9 (diff)
download	poky-fdc1ccbb969b2fe80f0b32dce818ee237451c816.tar.gz

diff --git a/meta/recipes-bsp/u-boot/files/0001-CVE-2019-13103.patch b/meta/recipes-bsp/u-boot/files/0001-CVE-2019-13103.patch deleted file mode 100644 index 1a5d1eb996..0000000000 --- a/meta/recipes-bsp/u-boot/files/0001-CVE-2019-13103.patch +++ /dev/null
@@ -1,69 +0,0 @@
1	From 39a759494f734c4cdc3e2b919671bfb3134b41ae Mon Sep 17 00:00:00 2001
2	From: Paul Emge <paulemge@forallsecure.com>
3	Date: Mon, 8 Jul 2019 16:37:03 -0700
4	Subject: [PATCH 1/9] CVE-2019-13103: disk: stop infinite recursion in DOS
5	Partitions
6
7	part_get_info_extended and print_partition_extended can recurse infinitely
8	while parsing a self-referential filesystem or one with a silly number of
9	extended partitions. This patch adds a limit to the number of recursive
10	partitions.
11
12	Signed-off-by: Paul Emge <paulemge@forallsecure.com>
13
14	Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
15	h=232e2f4fd9a24bf08215ddc8c53ccadffc841fb5]
16
17	CVE: CVE-2019-13103
18
19	Signed-off-by: Meng Li <Meng.Li@windriver.com>
20	---
21	disk/part_dos.c \| 18 ++++++++++++++++++
22	1 file changed, 18 insertions(+)
23
24	diff --git a/disk/part_dos.c b/disk/part_dos.c
25	index 936cee0d36..aae9d95906 100644
26	--- a/disk/part_dos.c
27	+++ b/disk/part_dos.c
28	@@ -23,6 +23,10 @@
29
30	#define DOS_PART_DEFAULT_SECTOR 512
31
32	+/* should this be configurable? It looks like it's not very common at all
33	+ * to use large numbers of partitions */
34	+#define MAX_EXT_PARTS 256
35	+
36	/* Convert char[4] in little endian format to the host format integer
37	*/
38	static inline unsigned int le32_to_int(unsigned char *le32)
39	@@ -126,6 +130,13 @@ static void print_partition_extended(struct blk_desc *dev_desc,
40	dos_partition_t *pt;
41	int i;
42
43	+ /* set a maximum recursion level */
44	+ if (part_num > MAX_EXT_PARTS)
45	+ {
46	+ printf(" Nested DOS partitions detected, stopping \n");
47	+ return;
48	+ }
49	+
50	if (blk_dread(dev_desc, ext_part_sector, 1, (ulong *)buffer) != 1) {
51	printf (" Can't read partition table on %d:" LBAFU " \n",
52	dev_desc->devnum, ext_part_sector);
53	@@ -191,6 +202,13 @@ static int part_get_info_extended(struct blk_desc *dev_desc,
54	int i;
55	int dos_type;
56
57	+ /* set a maximum recursion level */
58	+ if (part_num > MAX_EXT_PARTS)
59	+ {
60	+ printf(" Nested DOS partitions detected, stopping \n");
61	+ return -1;
62	+ }
63	+
64	if (blk_dread(dev_desc, ext_part_sector, 1, (ulong *)buffer) != 1) {
65	printf (" Can't read partition table on %d:" LBAFU " \n",
66	dev_desc->devnum, ext_part_sector);
67	--
68	2.17.1
69


diff --git a/meta/recipes-bsp/u-boot/files/0001-include-env.h-Ensure-ulong-is-defined.patch b/meta/recipes-bsp/u-boot/files/0001-include-env.h-Ensure-ulong-is-defined.patch new file mode 100644 index 0000000000..b9118164df --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0001-include-env.h-Ensure-ulong-is-defined.patch
@@ -0,0 +1,31 @@
		1	From 0565a080d153d5baaaacfeb5045a832e126f4f9e Mon Sep 17 00:00:00 2001
		2	From: Alistair Francis <alistair.francis@wdc.com>
		3	Date: Mon, 14 Oct 2019 17:37:30 -0700
		4	Subject: [PATCH] include/env.h: Ensure ulong is defined
		5
		6	To fix these failures when building with musl:
		7	include/env.h:166:1: error: unknown type name 'ulong'; did you mean 'long'?
		8	ensure that ulong is defined.
		9
		10	Upstream-Status: Pending
		11	Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
		12	---
		13	include/env.h \| 2 ++
		14	1 file changed, 2 insertions(+)
		15
		16	diff --git a/include/env.h b/include/env.h
		17	index b72239f6a5..5ca49a3456 100644
		18	--- a/include/env.h
		19	+++ b/include/env.h
		20	@@ -13,6 +13,8 @@
		21	#include <stdbool.h>
		22	#include <linux/types.h>
		23
		24	+typedef unsigned long ulong;
		25	+
		26	struct environment_s;
		27
		28	/* Value for environment validity */
		29	--
		30	2.23.0
		31


diff --git a/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch b/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch deleted file mode 100644 index de122b27d0..0000000000 --- a/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch +++ /dev/null
@@ -1,49 +0,0 @@
1	From 1d36545e43003f4b1bb3a303a3b468abd482fa2f Mon Sep 17 00:00:00 2001
2	From: Paul Emge <paulemge@forallsecure.com>
3	Date: Mon, 8 Jul 2019 16:37:05 -0700
4	Subject: [PATCH 2/9] CVE-2019-13104: ext4: check for underflow in
5	ext4fs_read_file
6
7	in ext4fs_read_file, it is possible for a broken/malicious file
8	system to cause a memcpy of a negative number of bytes, which
9	overflows all memory. This patch fixes the issue by checking for
10	a negative length.
11
12	Signed-off-by: Paul Emge <paulemge@forallsecure.com>
13
14	Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
15	h=878269dbe74229005dd7f27aca66c554e31dad8e]
16
17	CVE: CVE-2019-13104
18
19	Signed-off-by: Meng Li <Meng.Li@windriver.com>
20	---
21	fs/ext4/ext4fs.c \| 8 +++++---
22	1 file changed, 5 insertions(+), 3 deletions(-)
23
24	diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
25	index 26db677a1f..c8c8655ed8 100644
26	--- a/fs/ext4/ext4fs.c
27	+++ b/fs/ext4/ext4fs.c
28	@@ -66,13 +66,15 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
29
30	ext_cache_init(&cache);
31
32	- if (blocksize <= 0)
33	- return -1;
34	-
35	/* Adjust len so it we can't read past the end of the file. */
36	if (len + pos > filesize)
37	len = (filesize - pos);
38
39	+ if (blocksize <= 0 \|\| len <= 0) {
40	+ ext_cache_fini(&cache);
41	+ return -1;
42	+ }
43	+
44	blockcnt = lldiv(((len + pos) + blocksize - 1), blocksize);
45
46	for (i = lldiv(pos, blocksize); i < blockcnt; i++) {
47	--
48	2.17.1
49


diff --git a/meta/recipes-bsp/u-boot/files/0003-CVE-2019-13105.patch b/meta/recipes-bsp/u-boot/files/0003-CVE-2019-13105.patch deleted file mode 100644 index f525147e57..0000000000 --- a/meta/recipes-bsp/u-boot/files/0003-CVE-2019-13105.patch +++ /dev/null
@@ -1,37 +0,0 @@
1	From 4e937d0de669ee69cf41c20494cbf66c339c3174 Mon Sep 17 00:00:00 2001
2	From: Paul Emge <paulemge@forallsecure.com>
3	Date: Mon, 8 Jul 2019 16:37:04 -0700
4	Subject: [PATCH 3/9] CVE-2019-13105: ext4: fix double-free in ext4_cache_read
5
6	ext_cache_read doesn't null cache->buf, after freeing, which results
7	in a later function double-freeing it. This patch fixes
8	ext_cache_read to call ext_cache_fini instead of free.
9
10	Signed-off-by: Paul Emge <paulemge@forallsecure.com>
11
12	Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
13	h=6e5a79de658cb1c8012c86e0837379aa6eabd024]
14
15	CVE: CVE-2019-13105
16
17	Signed-off-by: Meng Li <Meng.Li@windriver.com>
18	---
19	fs/ext4/ext4fs.c \| 2 +-
20	1 file changed, 1 insertion(+), 1 deletion(-)
21
22	diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
23	index c8c8655ed8..e2b740cac4 100644
24	--- a/fs/ext4/ext4fs.c
25	+++ b/fs/ext4/ext4fs.c
26	@@ -288,7 +288,7 @@ int ext_cache_read(struct ext_block_cache *cache, lbaint_t block, int size)
27	if (!cache->buf)
28	return 0;
29	if (!ext4fs_devread(block, 0, size, cache->buf)) {
30	- free(cache->buf);
31	+ ext_cache_fini(cache);
32	return 0;
33	}
34	cache->block = block;
35	--
36	2.17.1
37


diff --git a/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch b/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch deleted file mode 100644 index 8e1a1a9943..0000000000 --- a/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch +++ /dev/null
@@ -1,56 +0,0 @@
1	From 1307dabf5422372483f840dda3963f9dbd2e8e6f Mon Sep 17 00:00:00 2001
2	From: Paul Emge <paulemge@forallsecure.com>
3	Date: Mon, 8 Jul 2019 16:37:07 -0700
4	Subject: [PATCH 4/9] CVE-2019-13106: ext4: fix out-of-bounds memset
5
6	In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of
7	the destination memory region. This patch adds a check to disallow
8	this.
9
10	Signed-off-by: Paul Emge <paulemge@forallsecure.com>
11
12	Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
13	h=e205896c5383c938274262524adceb2775fb03ba]
14
15	CVE: CVE-2019-13106
16
17	Signed-off-by: Meng Li <Meng.Li@windriver.com>
18	---
19	fs/ext4/ext4fs.c \| 7 +++++--
20	1 file changed, 5 insertions(+), 2 deletions(-)
21
22	diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
23	index e2b740cac4..37b31d9f0f 100644
24	--- a/fs/ext4/ext4fs.c
25	+++ b/fs/ext4/ext4fs.c
26	@@ -61,6 +61,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
27	lbaint_t delayed_skipfirst = 0;
28	lbaint_t delayed_next = 0;
29	char *delayed_buf = NULL;
30	+ char *start_buf = buf;
31	short status;
32	struct ext_block_cache cache;
33
34	@@ -139,6 +140,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
35	}
36	} else {
37	int n;
38	+ int n_left;
39	if (previous_block_number != -1) {
40	/* spill */
41	status = ext4fs_devread(delayed_start,
42	@@ -153,8 +155,9 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
43	}
44	/* Zero no more than `len' bytes. */
45	n = blocksize - skipfirst;
46	- if (n > len)
47	- n = len;
48	+ n_left = len - ( buf - start_buf );
49	+ if (n > n_left)
50	+ n = n_left;
51	memset(buf, 0, n);
52	}
53	buf += blocksize - skipfirst;
54	--
55	2.17.1
56


diff --git a/meta/recipes-bsp/u-boot/files/0005-CVE-2019-14192-14193-14199.patch b/meta/recipes-bsp/u-boot/files/0005-CVE-2019-14192-14193-14199.patch deleted file mode 100644 index a19545a2d3..0000000000 --- a/meta/recipes-bsp/u-boot/files/0005-CVE-2019-14192-14193-14199.patch +++ /dev/null
@@ -1,43 +0,0 @@
1	From e8e602f4a4b2aacfb3da32bb8a838be15ea70e7b Mon Sep 17 00:00:00 2001
2	From: "liucheng (G)" <liucheng32@huawei.com>
3	Date: Thu, 29 Aug 2019 13:47:33 +0000
4	Subject: [PATCH 5/9] CVE: net: fix unbounded memcpy of UDP packet
5	MIME-Version: 1.0
6	Content-Type: text/plain; charset=UTF-8
7	Content-Transfer-Encoding: 8bit
8
9	This patch adds a check to udp_len to fix unbounded memcpy for
10	CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199.
11
12	Signed-off-by: Cheng Liu <liucheng32@huawei.com>
13	Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
14	Reported-by: Fermín Serna <fermin@semmle.com>
15	Acked-by: Joe Hershberger <joe.hershberger@ni.com>
16
17	Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
18	h=fe7288069d2e6659117049f7d27e261b550bb725]
19
20	CVE: CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199
21
22	Signed-off-by: Meng Li <Meng.Li@windriver.com>
23	---
24	net/net.c \| 3 +++
25	1 file changed, 3 insertions(+)
26
27	diff --git a/net/net.c b/net/net.c
28	index 58b0417cbe..38105f1142 100644
29	--- a/net/net.c
30	+++ b/net/net.c
31	@@ -1252,6 +1252,9 @@ void net_process_received_packet(uchar *in_packet, int len)
32	return;
33	}
34
35	+ if (ntohs(ip->udp_len) < UDP_HDR_SIZE \|\| ntohs(ip->udp_len) > ntohs(ip->ip_len))
36	+ return;
37	+
38	debug_cond(DEBUG_DEV_PKT,
39	"received UDP (to=%pI4, from=%pI4, len=%d)\n",
40	&dst_ip, &src_ip, len);
41	--
42	2.17.1
43


diff --git a/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch b/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch deleted file mode 100644 index 04a09e46df..0000000000 --- a/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch +++ /dev/null
@@ -1,44 +0,0 @@
1	From 261658ddaf24bb35edd477cf09ec055569fd9894 Mon Sep 17 00:00:00 2001
2	From: "liucheng (G)" <liucheng32@huawei.com>
3	Date: Thu, 29 Aug 2019 13:47:40 +0000
4	Subject: [PATCH 6/9] CVE: nfs: fix stack-based buffer overflow in some
5	nfs_handler reply helper functions
6	MIME-Version: 1.0
7	Content-Type: text/plain; charset=UTF-8
8	Content-Transfer-Encoding: 8bit
9
10	This patch adds a check to nfs_handler to fix buffer overflow for CVE-2019-14197,
11	CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203 and CVE-2019-14204.
12
13	Signed-off-by: Cheng Liu <liucheng32@huawei.com>
14	Reported-by: Fermín Serna <fermin@semmle.com>
15	Acked-by: Joe Hershberger <joe.hershberger@ni.com>
16
17	Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
18	h=741a8a08ebe5bc3ccfe3cde6c2b44ee53891af21]
19
20	CVE: CVE-2019-14197, CVE-2019-14200, CVE-2019-14201, CVE-2019-14202,
21	CVE-2019-14203 and CVE-2019-14204
22
23	Signed-off-by: Meng Li <Meng.Li@windriver.com>
24	---
25	net/nfs.c \| 3 +++
26	1 file changed, 3 insertions(+)
27
28	diff --git a/net/nfs.c b/net/nfs.c
29	index d6a7f8e827..b7cf3b3a18 100644
30	--- a/net/nfs.c
31	+++ b/net/nfs.c
32	@@ -732,6 +732,9 @@ static void nfs_handler(uchar *pkt, unsigned dest, struct in_addr sip,
33
34	debug("%s\n", __func__);
35
36	+ if (len > sizeof(struct rpc_t))
37	+ return;
38	+
39	if (dest != nfs_our_port)
40	return;
41
42	--
43	2.17.1
44


diff --git a/meta/recipes-bsp/u-boot/files/0007-CVE-2019-14194-14198.patch b/meta/recipes-bsp/u-boot/files/0007-CVE-2019-14194-14198.patch deleted file mode 100644 index b3e3b72ebf..0000000000 --- a/meta/recipes-bsp/u-boot/files/0007-CVE-2019-14194-14198.patch +++ /dev/null
@@ -1,42 +0,0 @@
1	From fb6dc193bf2685b7574b218f7ca558aa54659e11 Mon Sep 17 00:00:00 2001
2	From: "liucheng (G)" <liucheng32@huawei.com>
3	Date: Thu, 29 Aug 2019 13:47:48 +0000
4	Subject: [PATCH 7/9] CVE-2019-14194/CVE-2019-14198: nfs: fix unbounded memcpy
5	with a failed length check at nfs_read_reply
6	MIME-Version: 1.0
7	Content-Type: text/plain; charset=UTF-8
8	Content-Transfer-Encoding: 8bit
9
10	This patch adds a check to rpc_pkt.u.reply.data at nfs_read_reply.
11
12	Signed-off-by: Cheng Liu <liucheng32@huawei.com>
13	Reported-by: Fermín Serna <fermin@semmle.com>
14	Acked-by: Joe Hershberger <joe.hershberger@ni.com>
15
16	Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
17	h=aa207cf3a6d68f39d64cd29057a4fb63943e9078]
18
19	CVE: CVE-2019-14194 and CVE-2019-14198
20
21	Signed-off-by: Meng Li <Meng.Li@windriver.com>
22	---
23	net/nfs.c \| 3 +++
24	1 file changed, 3 insertions(+)
25
26	diff --git a/net/nfs.c b/net/nfs.c
27	index b7cf3b3a18..11941fad1a 100644
28	--- a/net/nfs.c
29	+++ b/net/nfs.c
30	@@ -701,6 +701,9 @@ static int nfs_read_reply(uchar *pkt, unsigned len)
31	&(rpc_pkt.u.reply.data[4 + nfsv3_data_offset]);
32	}
33
34	+ if (((uchar )&(rpc_pkt.u.reply.data[0]) - (uchar )(&rpc_pkt) + rlen) > len)
35	+ return -9999;
36	+
37	if (store_block(data_ptr, nfs_offset, rlen))
38	return -9999;
39
40	--
41	2.17.1
42


diff --git a/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch b/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch deleted file mode 100644 index bf9fb0ef52..0000000000 --- a/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch +++ /dev/null
@@ -1,42 +0,0 @@
1	From 2236973b8a173ff54ae1ebf8ec2300928e69bd1b Mon Sep 17 00:00:00 2001
2	From: "liucheng (G)" <liucheng32@huawei.com>
3	Date: Thu, 29 Aug 2019 13:47:54 +0000
4	Subject: [PATCH 8/9] CVE-2019-14195: nfs: fix unbounded memcpy with
5	unvalidated length at nfs_readlink_reply
6	MIME-Version: 1.0
7	Content-Type: text/plain; charset=UTF-8
8	Content-Transfer-Encoding: 8bit
9
10	This patch adds a check to rpc_pkt.u.reply.data at nfs_readlink_reply.
11
12	Signed-off-by: Cheng Liu <liucheng32@huawei.com>
13	Reported-by: Fermín Serna <fermin@semmle.com>
14	Acked-by: Joe Hershberger <joe.hershberger@ni.com>
15
16	Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
17	h=cf3a4f1e86ecdd24f87b615051b49d8e1968c230]
18
19	CVE: CVE-2019-14195
20
21	Signed-off-by: Meng Li <Meng.Li@windriver.com>
22	---
23	net/nfs.c \| 3 +++
24	1 file changed, 3 insertions(+)
25
26	diff --git a/net/nfs.c b/net/nfs.c
27	index 11941fad1a..915acd95cf 100644
28	--- a/net/nfs.c
29	+++ b/net/nfs.c
30	@@ -634,6 +634,9 @@ static int nfs_readlink_reply(uchar *pkt, unsigned len)
31	/* new path length */
32	rlen = ntohl(rpc_pkt.u.reply.data[1 + nfsv3_data_offset]);
33
34	+ if (((uchar )&(rpc_pkt.u.reply.data[0]) - (uchar )(&rpc_pkt) + rlen) > len)
35	+ return -NFS_RPC_DROP;
36	+
37	if (((char )&(rpc_pkt.u.reply.data[2 + nfsv3_data_offset])) != '/') {
38	int pathlen;
39
40	--
41	2.17.1
42


diff --git a/meta/recipes-bsp/u-boot/files/0009-CVE-2019-14196.patch b/meta/recipes-bsp/u-boot/files/0009-CVE-2019-14196.patch deleted file mode 100644 index f06e025297..0000000000 --- a/meta/recipes-bsp/u-boot/files/0009-CVE-2019-14196.patch +++ /dev/null
@@ -1,48 +0,0 @@
1	From 74c468caa95c86cdb12c4b8073e154c435ac0bf7 Mon Sep 17 00:00:00 2001
2	From: "liucheng (G)" <liucheng32@huawei.com>
3	Date: Thu, 29 Aug 2019 13:48:02 +0000
4	Subject: [PATCH 9/9] CVE-2019-14196: nfs: fix unbounded memcpy with a failed
5	length check at nfs_lookup_reply
6	MIME-Version: 1.0
7	Content-Type: text/plain; charset=UTF-8
8	Content-Transfer-Encoding: 8bit
9
10	This patch adds a check to rpc_pkt.u.reply.data at nfs_lookup_reply.
11
12	Signed-off-by: Cheng Liu <liucheng32@huawei.com>
13	Reported-by: Fermín Serna <fermin@semmle.com>
14	Acked-by: Joe Hershberger <joe.hershberger@ni.com>
15
16	Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
17	h=5d14ee4e53a81055d34ba280cb8fd90330f22a96]
18
19	CVE: CVE-2019-14196
20
21	Signed-off-by: Meng Li <Meng.Li@windriver.com>
22	---
23	net/nfs.c \| 4 ++++
24	1 file changed, 4 insertions(+)
25
26	diff --git a/net/nfs.c b/net/nfs.c
27	index 915acd95cf..89952aeb66 100644
28	--- a/net/nfs.c
29	+++ b/net/nfs.c
30	@@ -566,11 +566,15 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
31	}
32
33	if (supported_nfs_versions & NFSV2_FLAG) {
34	+ if (((uchar )&(rpc_pkt.u.reply.data[0]) - (uchar )(&rpc_pkt) + NFS_FHSIZE) > len)
35	+ return -NFS_RPC_DROP;
36	memcpy(filefh, rpc_pkt.u.reply.data + 1, NFS_FHSIZE);
37	} else { /* NFSV3_FLAG */
38	filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
39	if (filefh3_length > NFS3_FHSIZE)
40	filefh3_length = NFS3_FHSIZE;
41	+ if (((uchar )&(rpc_pkt.u.reply.data[0]) - (uchar )(&rpc_pkt) + filefh3_length) > len)
42	+ return -NFS_RPC_DROP;
43	memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
44	}
45
46	--
47	2.17.1
48


diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc index f63dfa3b73..c3e458e925 100644 --- a/meta/recipes-bsp/u-boot/u-boot-common.inc +++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -12,18 +12,9 @@ PE = "1"
12		12
13	# We use the revision in order to avoid having to fetch it from the	13	# We use the revision in order to avoid having to fetch it from the
14	# repo during parse	14	# repo during parse
15	SRCREV = "e5aee22e4be75e75a854ab64503fc80598bc2004"	15	SRCREV = "61ba1244b548463dbfb3c5285b6b22e7c772c5bd"
16		16
17	SRC_URI = "git://git.denx.de/u-boot.git \	17	SRC_URI = "git://git.denx.de/u-boot.git \
18	file://0001-CVE-2019-13103.patch \	18	"
19	file://0002-CVE-2019-13104.patch \
20	file://0003-CVE-2019-13105.patch \
21	file://0004-CVE-2019-13106.patch \
22	file://0005-CVE-2019-14192-14193-14199.patch \
23	file://0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch \
24	file://0007-CVE-2019-14194-14198.patch \
25	file://0008-CVE-2019-14195.patch \
26	file://0009-CVE-2019-14196.patch \
27	"
28		19
29	S = "${WORKDIR}/git"	20	S = "${WORKDIR}/git"


diff --git a/meta/recipes-bsp/u-boot/u-boot-fw-utils_2019.07.bb b/meta/recipes-bsp/u-boot/u-boot-fw-utils_2019.10.bb index b5ce56847b..04321b7b66 100644 --- a/meta/recipes-bsp/u-boot/u-boot-fw-utils_2019.07.bb +++ b/meta/recipes-bsp/u-boot/u-boot-fw-utils_2019.10.bb
@@ -3,6 +3,8 @@ require u-boot-common.inc
3	SUMMARY = "U-Boot bootloader fw_printenv/setenv utilities"	3	SUMMARY = "U-Boot bootloader fw_printenv/setenv utilities"
4	DEPENDS += "mtd-utils"	4	DEPENDS += "mtd-utils"
5		5
		6	SRC_URI += "file://0001-include-env.h-Ensure-ulong-is-defined.patch"
		7
6	INSANE_SKIP_${PN} = "already-stripped"	8	INSANE_SKIP_${PN} = "already-stripped"
7	EXTRA_OEMAKE_class-target = 'CROSS_COMPILE=${TARGET_PREFIX} CC="${CC} ${CFLAGS} ${LDFLAGS}" HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" V=1'	9	EXTRA_OEMAKE_class-target = 'CROSS_COMPILE=${TARGET_PREFIX} CC="${CC} ${CFLAGS} ${LDFLAGS}" HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" V=1'
8	EXTRA_OEMAKE_class-cross = 'HOSTCC="${CC} ${CFLAGS} ${LDFLAGS}" V=1'	10	EXTRA_OEMAKE_class-cross = 'HOSTCC="${CC} ${CFLAGS} ${LDFLAGS}" V=1'


diff --git a/meta/recipes-bsp/u-boot/u-boot-tools_2019.07.bb b/meta/recipes-bsp/u-boot/u-boot-tools_2019.10.bb index bede984ef7..bede984ef7 100644 --- a/meta/recipes-bsp/u-boot/u-boot-tools_2019.07.bb +++ b/meta/recipes-bsp/u-boot/u-boot-tools_2019.10.bb


diff --git a/meta/recipes-bsp/u-boot/u-boot_2019.07.bb b/meta/recipes-bsp/u-boot/u-boot_2019.10.bb index 02d67c0db2..02d67c0db2 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2019.07.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2019.10.bb