diff options
author | Limeng <Meng.Li@windriver.com> | 2019-09-26 09:46:07 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-09-27 13:02:16 +0100 |
commit | 205069a9e858c595989335af32319c4720242bfd (patch) | |
tree | cca193e0e3840bed02fe0c46818e5108f23f9f3d /meta | |
parent | 91b787334a84c2f0475eb4af5883b3837023aa61 (diff) | |
download | poky-205069a9e858c595989335af32319c4720242bfd.tar.gz |
u-boot: add CVE patches for u-boot
Add 9 patches to fix below CVE issues.
CVE-2019-13103
CVE-2019-13104
CVE-2019-13105
CVE-2019-13106
CVE-2019-14192
CVE-2019-14193
CVE-2019-14194
CVE-2019-14195
CVE-2019-14196
CVE-2019-14197
CVE-2019-14198
CVE-2019-14199
CVE-2019-14200
CVE-2019-14201
CVE-2019-14202
CVE-2019-14203
CVE-2019-14204
(From OE-Core rev: db22dbe158dcb2298bfd74ff6cbba31f67488035)
Signed-off-by: Meng Li <Meng.Li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
10 files changed, 441 insertions, 1 deletions
diff --git a/meta/recipes-bsp/u-boot/files/0001-CVE-2019-13103.patch b/meta/recipes-bsp/u-boot/files/0001-CVE-2019-13103.patch new file mode 100644 index 0000000000..1a5d1eb996 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0001-CVE-2019-13103.patch | |||
@@ -0,0 +1,69 @@ | |||
1 | From 39a759494f734c4cdc3e2b919671bfb3134b41ae Mon Sep 17 00:00:00 2001 | ||
2 | From: Paul Emge <paulemge@forallsecure.com> | ||
3 | Date: Mon, 8 Jul 2019 16:37:03 -0700 | ||
4 | Subject: [PATCH 1/9] CVE-2019-13103: disk: stop infinite recursion in DOS | ||
5 | Partitions | ||
6 | |||
7 | part_get_info_extended and print_partition_extended can recurse infinitely | ||
8 | while parsing a self-referential filesystem or one with a silly number of | ||
9 | extended partitions. This patch adds a limit to the number of recursive | ||
10 | partitions. | ||
11 | |||
12 | Signed-off-by: Paul Emge <paulemge@forallsecure.com> | ||
13 | |||
14 | Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit; | ||
15 | h=232e2f4fd9a24bf08215ddc8c53ccadffc841fb5] | ||
16 | |||
17 | CVE: CVE-2019-13103 | ||
18 | |||
19 | Signed-off-by: Meng Li <Meng.Li@windriver.com> | ||
20 | --- | ||
21 | disk/part_dos.c | 18 ++++++++++++++++++ | ||
22 | 1 file changed, 18 insertions(+) | ||
23 | |||
24 | diff --git a/disk/part_dos.c b/disk/part_dos.c | ||
25 | index 936cee0d36..aae9d95906 100644 | ||
26 | --- a/disk/part_dos.c | ||
27 | +++ b/disk/part_dos.c | ||
28 | @@ -23,6 +23,10 @@ | ||
29 | |||
30 | #define DOS_PART_DEFAULT_SECTOR 512 | ||
31 | |||
32 | +/* should this be configurable? It looks like it's not very common at all | ||
33 | + * to use large numbers of partitions */ | ||
34 | +#define MAX_EXT_PARTS 256 | ||
35 | + | ||
36 | /* Convert char[4] in little endian format to the host format integer | ||
37 | */ | ||
38 | static inline unsigned int le32_to_int(unsigned char *le32) | ||
39 | @@ -126,6 +130,13 @@ static void print_partition_extended(struct blk_desc *dev_desc, | ||
40 | dos_partition_t *pt; | ||
41 | int i; | ||
42 | |||
43 | + /* set a maximum recursion level */ | ||
44 | + if (part_num > MAX_EXT_PARTS) | ||
45 | + { | ||
46 | + printf("** Nested DOS partitions detected, stopping **\n"); | ||
47 | + return; | ||
48 | + } | ||
49 | + | ||
50 | if (blk_dread(dev_desc, ext_part_sector, 1, (ulong *)buffer) != 1) { | ||
51 | printf ("** Can't read partition table on %d:" LBAFU " **\n", | ||
52 | dev_desc->devnum, ext_part_sector); | ||
53 | @@ -191,6 +202,13 @@ static int part_get_info_extended(struct blk_desc *dev_desc, | ||
54 | int i; | ||
55 | int dos_type; | ||
56 | |||
57 | + /* set a maximum recursion level */ | ||
58 | + if (part_num > MAX_EXT_PARTS) | ||
59 | + { | ||
60 | + printf("** Nested DOS partitions detected, stopping **\n"); | ||
61 | + return -1; | ||
62 | + } | ||
63 | + | ||
64 | if (blk_dread(dev_desc, ext_part_sector, 1, (ulong *)buffer) != 1) { | ||
65 | printf ("** Can't read partition table on %d:" LBAFU " **\n", | ||
66 | dev_desc->devnum, ext_part_sector); | ||
67 | -- | ||
68 | 2.17.1 | ||
69 | |||
diff --git a/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch b/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch new file mode 100644 index 0000000000..de122b27d0 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch | |||
@@ -0,0 +1,49 @@ | |||
1 | From 1d36545e43003f4b1bb3a303a3b468abd482fa2f Mon Sep 17 00:00:00 2001 | ||
2 | From: Paul Emge <paulemge@forallsecure.com> | ||
3 | Date: Mon, 8 Jul 2019 16:37:05 -0700 | ||
4 | Subject: [PATCH 2/9] CVE-2019-13104: ext4: check for underflow in | ||
5 | ext4fs_read_file | ||
6 | |||
7 | in ext4fs_read_file, it is possible for a broken/malicious file | ||
8 | system to cause a memcpy of a negative number of bytes, which | ||
9 | overflows all memory. This patch fixes the issue by checking for | ||
10 | a negative length. | ||
11 | |||
12 | Signed-off-by: Paul Emge <paulemge@forallsecure.com> | ||
13 | |||
14 | Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit; | ||
15 | h=878269dbe74229005dd7f27aca66c554e31dad8e] | ||
16 | |||
17 | CVE: CVE-2019-13104 | ||
18 | |||
19 | Signed-off-by: Meng Li <Meng.Li@windriver.com> | ||
20 | --- | ||
21 | fs/ext4/ext4fs.c | 8 +++++--- | ||
22 | 1 file changed, 5 insertions(+), 3 deletions(-) | ||
23 | |||
24 | diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c | ||
25 | index 26db677a1f..c8c8655ed8 100644 | ||
26 | --- a/fs/ext4/ext4fs.c | ||
27 | +++ b/fs/ext4/ext4fs.c | ||
28 | @@ -66,13 +66,15 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, | ||
29 | |||
30 | ext_cache_init(&cache); | ||
31 | |||
32 | - if (blocksize <= 0) | ||
33 | - return -1; | ||
34 | - | ||
35 | /* Adjust len so it we can't read past the end of the file. */ | ||
36 | if (len + pos > filesize) | ||
37 | len = (filesize - pos); | ||
38 | |||
39 | + if (blocksize <= 0 || len <= 0) { | ||
40 | + ext_cache_fini(&cache); | ||
41 | + return -1; | ||
42 | + } | ||
43 | + | ||
44 | blockcnt = lldiv(((len + pos) + blocksize - 1), blocksize); | ||
45 | |||
46 | for (i = lldiv(pos, blocksize); i < blockcnt; i++) { | ||
47 | -- | ||
48 | 2.17.1 | ||
49 | |||
diff --git a/meta/recipes-bsp/u-boot/files/0003-CVE-2019-13105.patch b/meta/recipes-bsp/u-boot/files/0003-CVE-2019-13105.patch new file mode 100644 index 0000000000..f525147e57 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0003-CVE-2019-13105.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From 4e937d0de669ee69cf41c20494cbf66c339c3174 Mon Sep 17 00:00:00 2001 | ||
2 | From: Paul Emge <paulemge@forallsecure.com> | ||
3 | Date: Mon, 8 Jul 2019 16:37:04 -0700 | ||
4 | Subject: [PATCH 3/9] CVE-2019-13105: ext4: fix double-free in ext4_cache_read | ||
5 | |||
6 | ext_cache_read doesn't null cache->buf, after freeing, which results | ||
7 | in a later function double-freeing it. This patch fixes | ||
8 | ext_cache_read to call ext_cache_fini instead of free. | ||
9 | |||
10 | Signed-off-by: Paul Emge <paulemge@forallsecure.com> | ||
11 | |||
12 | Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit; | ||
13 | h=6e5a79de658cb1c8012c86e0837379aa6eabd024] | ||
14 | |||
15 | CVE: CVE-2019-13105 | ||
16 | |||
17 | Signed-off-by: Meng Li <Meng.Li@windriver.com> | ||
18 | --- | ||
19 | fs/ext4/ext4fs.c | 2 +- | ||
20 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
21 | |||
22 | diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c | ||
23 | index c8c8655ed8..e2b740cac4 100644 | ||
24 | --- a/fs/ext4/ext4fs.c | ||
25 | +++ b/fs/ext4/ext4fs.c | ||
26 | @@ -288,7 +288,7 @@ int ext_cache_read(struct ext_block_cache *cache, lbaint_t block, int size) | ||
27 | if (!cache->buf) | ||
28 | return 0; | ||
29 | if (!ext4fs_devread(block, 0, size, cache->buf)) { | ||
30 | - free(cache->buf); | ||
31 | + ext_cache_fini(cache); | ||
32 | return 0; | ||
33 | } | ||
34 | cache->block = block; | ||
35 | -- | ||
36 | 2.17.1 | ||
37 | |||
diff --git a/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch b/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch new file mode 100644 index 0000000000..8e1a1a9943 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch | |||
@@ -0,0 +1,56 @@ | |||
1 | From 1307dabf5422372483f840dda3963f9dbd2e8e6f Mon Sep 17 00:00:00 2001 | ||
2 | From: Paul Emge <paulemge@forallsecure.com> | ||
3 | Date: Mon, 8 Jul 2019 16:37:07 -0700 | ||
4 | Subject: [PATCH 4/9] CVE-2019-13106: ext4: fix out-of-bounds memset | ||
5 | |||
6 | In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of | ||
7 | the destination memory region. This patch adds a check to disallow | ||
8 | this. | ||
9 | |||
10 | Signed-off-by: Paul Emge <paulemge@forallsecure.com> | ||
11 | |||
12 | Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit; | ||
13 | h=e205896c5383c938274262524adceb2775fb03ba] | ||
14 | |||
15 | CVE: CVE-2019-13106 | ||
16 | |||
17 | Signed-off-by: Meng Li <Meng.Li@windriver.com> | ||
18 | --- | ||
19 | fs/ext4/ext4fs.c | 7 +++++-- | ||
20 | 1 file changed, 5 insertions(+), 2 deletions(-) | ||
21 | |||
22 | diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c | ||
23 | index e2b740cac4..37b31d9f0f 100644 | ||
24 | --- a/fs/ext4/ext4fs.c | ||
25 | +++ b/fs/ext4/ext4fs.c | ||
26 | @@ -61,6 +61,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, | ||
27 | lbaint_t delayed_skipfirst = 0; | ||
28 | lbaint_t delayed_next = 0; | ||
29 | char *delayed_buf = NULL; | ||
30 | + char *start_buf = buf; | ||
31 | short status; | ||
32 | struct ext_block_cache cache; | ||
33 | |||
34 | @@ -139,6 +140,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, | ||
35 | } | ||
36 | } else { | ||
37 | int n; | ||
38 | + int n_left; | ||
39 | if (previous_block_number != -1) { | ||
40 | /* spill */ | ||
41 | status = ext4fs_devread(delayed_start, | ||
42 | @@ -153,8 +155,9 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, | ||
43 | } | ||
44 | /* Zero no more than `len' bytes. */ | ||
45 | n = blocksize - skipfirst; | ||
46 | - if (n > len) | ||
47 | - n = len; | ||
48 | + n_left = len - ( buf - start_buf ); | ||
49 | + if (n > n_left) | ||
50 | + n = n_left; | ||
51 | memset(buf, 0, n); | ||
52 | } | ||
53 | buf += blocksize - skipfirst; | ||
54 | -- | ||
55 | 2.17.1 | ||
56 | |||
diff --git a/meta/recipes-bsp/u-boot/files/0005-CVE-2019-14192-14193-14199.patch b/meta/recipes-bsp/u-boot/files/0005-CVE-2019-14192-14193-14199.patch new file mode 100644 index 0000000000..a19545a2d3 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0005-CVE-2019-14192-14193-14199.patch | |||
@@ -0,0 +1,43 @@ | |||
1 | From e8e602f4a4b2aacfb3da32bb8a838be15ea70e7b Mon Sep 17 00:00:00 2001 | ||
2 | From: "liucheng (G)" <liucheng32@huawei.com> | ||
3 | Date: Thu, 29 Aug 2019 13:47:33 +0000 | ||
4 | Subject: [PATCH 5/9] CVE: net: fix unbounded memcpy of UDP packet | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | This patch adds a check to udp_len to fix unbounded memcpy for | ||
10 | CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199. | ||
11 | |||
12 | Signed-off-by: Cheng Liu <liucheng32@huawei.com> | ||
13 | Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com> | ||
14 | Reported-by: Fermín Serna <fermin@semmle.com> | ||
15 | Acked-by: Joe Hershberger <joe.hershberger@ni.com> | ||
16 | |||
17 | Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit; | ||
18 | h=fe7288069d2e6659117049f7d27e261b550bb725] | ||
19 | |||
20 | CVE: CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199 | ||
21 | |||
22 | Signed-off-by: Meng Li <Meng.Li@windriver.com> | ||
23 | --- | ||
24 | net/net.c | 3 +++ | ||
25 | 1 file changed, 3 insertions(+) | ||
26 | |||
27 | diff --git a/net/net.c b/net/net.c | ||
28 | index 58b0417cbe..38105f1142 100644 | ||
29 | --- a/net/net.c | ||
30 | +++ b/net/net.c | ||
31 | @@ -1252,6 +1252,9 @@ void net_process_received_packet(uchar *in_packet, int len) | ||
32 | return; | ||
33 | } | ||
34 | |||
35 | + if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > ntohs(ip->ip_len)) | ||
36 | + return; | ||
37 | + | ||
38 | debug_cond(DEBUG_DEV_PKT, | ||
39 | "received UDP (to=%pI4, from=%pI4, len=%d)\n", | ||
40 | &dst_ip, &src_ip, len); | ||
41 | -- | ||
42 | 2.17.1 | ||
43 | |||
diff --git a/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch b/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch new file mode 100644 index 0000000000..04a09e46df --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From 261658ddaf24bb35edd477cf09ec055569fd9894 Mon Sep 17 00:00:00 2001 | ||
2 | From: "liucheng (G)" <liucheng32@huawei.com> | ||
3 | Date: Thu, 29 Aug 2019 13:47:40 +0000 | ||
4 | Subject: [PATCH 6/9] CVE: nfs: fix stack-based buffer overflow in some | ||
5 | nfs_handler reply helper functions | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | This patch adds a check to nfs_handler to fix buffer overflow for CVE-2019-14197, | ||
11 | CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203 and CVE-2019-14204. | ||
12 | |||
13 | Signed-off-by: Cheng Liu <liucheng32@huawei.com> | ||
14 | Reported-by: Fermín Serna <fermin@semmle.com> | ||
15 | Acked-by: Joe Hershberger <joe.hershberger@ni.com> | ||
16 | |||
17 | Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit; | ||
18 | h=741a8a08ebe5bc3ccfe3cde6c2b44ee53891af21] | ||
19 | |||
20 | CVE: CVE-2019-14197, CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, | ||
21 | CVE-2019-14203 and CVE-2019-14204 | ||
22 | |||
23 | Signed-off-by: Meng Li <Meng.Li@windriver.com> | ||
24 | --- | ||
25 | net/nfs.c | 3 +++ | ||
26 | 1 file changed, 3 insertions(+) | ||
27 | |||
28 | diff --git a/net/nfs.c b/net/nfs.c | ||
29 | index d6a7f8e827..b7cf3b3a18 100644 | ||
30 | --- a/net/nfs.c | ||
31 | +++ b/net/nfs.c | ||
32 | @@ -732,6 +732,9 @@ static void nfs_handler(uchar *pkt, unsigned dest, struct in_addr sip, | ||
33 | |||
34 | debug("%s\n", __func__); | ||
35 | |||
36 | + if (len > sizeof(struct rpc_t)) | ||
37 | + return; | ||
38 | + | ||
39 | if (dest != nfs_our_port) | ||
40 | return; | ||
41 | |||
42 | -- | ||
43 | 2.17.1 | ||
44 | |||
diff --git a/meta/recipes-bsp/u-boot/files/0007-CVE-2019-14194-14198.patch b/meta/recipes-bsp/u-boot/files/0007-CVE-2019-14194-14198.patch new file mode 100644 index 0000000000..b3e3b72ebf --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0007-CVE-2019-14194-14198.patch | |||
@@ -0,0 +1,42 @@ | |||
1 | From fb6dc193bf2685b7574b218f7ca558aa54659e11 Mon Sep 17 00:00:00 2001 | ||
2 | From: "liucheng (G)" <liucheng32@huawei.com> | ||
3 | Date: Thu, 29 Aug 2019 13:47:48 +0000 | ||
4 | Subject: [PATCH 7/9] CVE-2019-14194/CVE-2019-14198: nfs: fix unbounded memcpy | ||
5 | with a failed length check at nfs_read_reply | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | This patch adds a check to rpc_pkt.u.reply.data at nfs_read_reply. | ||
11 | |||
12 | Signed-off-by: Cheng Liu <liucheng32@huawei.com> | ||
13 | Reported-by: Fermín Serna <fermin@semmle.com> | ||
14 | Acked-by: Joe Hershberger <joe.hershberger@ni.com> | ||
15 | |||
16 | Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit; | ||
17 | h=aa207cf3a6d68f39d64cd29057a4fb63943e9078] | ||
18 | |||
19 | CVE: CVE-2019-14194 and CVE-2019-14198 | ||
20 | |||
21 | Signed-off-by: Meng Li <Meng.Li@windriver.com> | ||
22 | --- | ||
23 | net/nfs.c | 3 +++ | ||
24 | 1 file changed, 3 insertions(+) | ||
25 | |||
26 | diff --git a/net/nfs.c b/net/nfs.c | ||
27 | index b7cf3b3a18..11941fad1a 100644 | ||
28 | --- a/net/nfs.c | ||
29 | +++ b/net/nfs.c | ||
30 | @@ -701,6 +701,9 @@ static int nfs_read_reply(uchar *pkt, unsigned len) | ||
31 | &(rpc_pkt.u.reply.data[4 + nfsv3_data_offset]); | ||
32 | } | ||
33 | |||
34 | + if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len) | ||
35 | + return -9999; | ||
36 | + | ||
37 | if (store_block(data_ptr, nfs_offset, rlen)) | ||
38 | return -9999; | ||
39 | |||
40 | -- | ||
41 | 2.17.1 | ||
42 | |||
diff --git a/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch b/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch new file mode 100644 index 0000000000..bf9fb0ef52 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch | |||
@@ -0,0 +1,42 @@ | |||
1 | From 2236973b8a173ff54ae1ebf8ec2300928e69bd1b Mon Sep 17 00:00:00 2001 | ||
2 | From: "liucheng (G)" <liucheng32@huawei.com> | ||
3 | Date: Thu, 29 Aug 2019 13:47:54 +0000 | ||
4 | Subject: [PATCH 8/9] CVE-2019-14195: nfs: fix unbounded memcpy with | ||
5 | unvalidated length at nfs_readlink_reply | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | This patch adds a check to rpc_pkt.u.reply.data at nfs_readlink_reply. | ||
11 | |||
12 | Signed-off-by: Cheng Liu <liucheng32@huawei.com> | ||
13 | Reported-by: Fermín Serna <fermin@semmle.com> | ||
14 | Acked-by: Joe Hershberger <joe.hershberger@ni.com> | ||
15 | |||
16 | Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit; | ||
17 | h=cf3a4f1e86ecdd24f87b615051b49d8e1968c230] | ||
18 | |||
19 | CVE: CVE-2019-14195 | ||
20 | |||
21 | Signed-off-by: Meng Li <Meng.Li@windriver.com> | ||
22 | --- | ||
23 | net/nfs.c | 3 +++ | ||
24 | 1 file changed, 3 insertions(+) | ||
25 | |||
26 | diff --git a/net/nfs.c b/net/nfs.c | ||
27 | index 11941fad1a..915acd95cf 100644 | ||
28 | --- a/net/nfs.c | ||
29 | +++ b/net/nfs.c | ||
30 | @@ -634,6 +634,9 @@ static int nfs_readlink_reply(uchar *pkt, unsigned len) | ||
31 | /* new path length */ | ||
32 | rlen = ntohl(rpc_pkt.u.reply.data[1 + nfsv3_data_offset]); | ||
33 | |||
34 | + if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len) | ||
35 | + return -NFS_RPC_DROP; | ||
36 | + | ||
37 | if (*((char *)&(rpc_pkt.u.reply.data[2 + nfsv3_data_offset])) != '/') { | ||
38 | int pathlen; | ||
39 | |||
40 | -- | ||
41 | 2.17.1 | ||
42 | |||
diff --git a/meta/recipes-bsp/u-boot/files/0009-CVE-2019-14196.patch b/meta/recipes-bsp/u-boot/files/0009-CVE-2019-14196.patch new file mode 100644 index 0000000000..f06e025297 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0009-CVE-2019-14196.patch | |||
@@ -0,0 +1,48 @@ | |||
1 | From 74c468caa95c86cdb12c4b8073e154c435ac0bf7 Mon Sep 17 00:00:00 2001 | ||
2 | From: "liucheng (G)" <liucheng32@huawei.com> | ||
3 | Date: Thu, 29 Aug 2019 13:48:02 +0000 | ||
4 | Subject: [PATCH 9/9] CVE-2019-14196: nfs: fix unbounded memcpy with a failed | ||
5 | length check at nfs_lookup_reply | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | This patch adds a check to rpc_pkt.u.reply.data at nfs_lookup_reply. | ||
11 | |||
12 | Signed-off-by: Cheng Liu <liucheng32@huawei.com> | ||
13 | Reported-by: Fermín Serna <fermin@semmle.com> | ||
14 | Acked-by: Joe Hershberger <joe.hershberger@ni.com> | ||
15 | |||
16 | Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit; | ||
17 | h=5d14ee4e53a81055d34ba280cb8fd90330f22a96] | ||
18 | |||
19 | CVE: CVE-2019-14196 | ||
20 | |||
21 | Signed-off-by: Meng Li <Meng.Li@windriver.com> | ||
22 | --- | ||
23 | net/nfs.c | 4 ++++ | ||
24 | 1 file changed, 4 insertions(+) | ||
25 | |||
26 | diff --git a/net/nfs.c b/net/nfs.c | ||
27 | index 915acd95cf..89952aeb66 100644 | ||
28 | --- a/net/nfs.c | ||
29 | +++ b/net/nfs.c | ||
30 | @@ -566,11 +566,15 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len) | ||
31 | } | ||
32 | |||
33 | if (supported_nfs_versions & NFSV2_FLAG) { | ||
34 | + if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + NFS_FHSIZE) > len) | ||
35 | + return -NFS_RPC_DROP; | ||
36 | memcpy(filefh, rpc_pkt.u.reply.data + 1, NFS_FHSIZE); | ||
37 | } else { /* NFSV3_FLAG */ | ||
38 | filefh3_length = ntohl(rpc_pkt.u.reply.data[1]); | ||
39 | if (filefh3_length > NFS3_FHSIZE) | ||
40 | filefh3_length = NFS3_FHSIZE; | ||
41 | + if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len) | ||
42 | + return -NFS_RPC_DROP; | ||
43 | memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length); | ||
44 | } | ||
45 | |||
46 | -- | ||
47 | 2.17.1 | ||
48 | |||
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc index a056eae8ce..f63dfa3b73 100644 --- a/meta/recipes-bsp/u-boot/u-boot-common.inc +++ b/meta/recipes-bsp/u-boot/u-boot-common.inc | |||
@@ -14,6 +14,16 @@ PE = "1" | |||
14 | # repo during parse | 14 | # repo during parse |
15 | SRCREV = "e5aee22e4be75e75a854ab64503fc80598bc2004" | 15 | SRCREV = "e5aee22e4be75e75a854ab64503fc80598bc2004" |
16 | 16 | ||
17 | SRC_URI = "git://git.denx.de/u-boot.git" | 17 | SRC_URI = "git://git.denx.de/u-boot.git \ |
18 | file://0001-CVE-2019-13103.patch \ | ||
19 | file://0002-CVE-2019-13104.patch \ | ||
20 | file://0003-CVE-2019-13105.patch \ | ||
21 | file://0004-CVE-2019-13106.patch \ | ||
22 | file://0005-CVE-2019-14192-14193-14199.patch \ | ||
23 | file://0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch \ | ||
24 | file://0007-CVE-2019-14194-14198.patch \ | ||
25 | file://0008-CVE-2019-14195.patch \ | ||
26 | file://0009-CVE-2019-14196.patch \ | ||
27 | " | ||
18 | 28 | ||
19 | S = "${WORKDIR}/git" | 29 | S = "${WORKDIR}/git" |