2 files changed, 134 insertions, 0 deletions
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch
new file mode 100644
index 0000000000..b65e3ef1a6
--- /dev/null
+++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch
@@ -0,0 +1,133 @@
+From e824c23316ae50beb7f7488f2055ac65e8b341f2 Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 16:33:59 +0000
+Subject: [PATCH] fru: Fix buffer overflow vulnerabilities
+Partial fix for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+The `read_fru_area_section` function only performs size validation of
+requested read size, and falsely assumes that the IPMI message will not
+respond with more than the requested amount of data; it uses the
+unvalidated response size to copy into `frubuf`. If the response is
+larger than the request, this can result in overflowing the buffer.
+The same issue affects the `read_fru_area` function.
+Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2]
+CVE: CVE-2020-5208
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+---
+ lib/ipmi_fru.c | 33 +++++++++++++++++++++++++++++++--
+ 1 file changed, 31 insertions(+), 2 deletions(-)
+diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c
+index c2a139d..2e323ff 100644
+--- a/lib/ipmi_fru.c
+++ b/lib/ipmi_fru.c
+@@ -663,7 +663,10 @@ int
+ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+                        uint32_t offset, uint32_t length, uint8_t *frubuf)
+ {
+-       uint32_t off = offset, tmp, finish;
+       uint32_t off = offset;
+       uint32_t tmp;
+       uint32_t finish;
+       uint32_t size_left_in_buffer;
+        struct ipmi_rs * rsp;
+        struct ipmi_rq req;
+        uint8_t msg_data[4];
+@@ -676,10 +679,12 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ 
+        finish = offset + length;
+        if (finish > fru->size) {
+               memset(frubuf + fru->size, 0, length - fru->size);
+                finish = fru->size;
+                lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
+                        "Adjusting to %d",
+                        offset + length, finish - offset);
+               length = finish - offset;
+        }
+ 
+        memset(&req, 0, sizeof(req));
+@@ -715,6 +720,7 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+                }
+        }
+ 
+       size_left_in_buffer = length;
+        do {
+                tmp = fru->access ? off >> 1 : off;
+                msg_data[0] = id;
+@@ -756,9 +762,18 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+                }
+ 
+                tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
+               if(rsp->data_len < 1
+                  || tmp > rsp->data_len - 1
+                  || tmp > size_left_in_buffer)
+               {
+                       printf(" Not enough buffer size");
+                       return -1;
+               }
+
+                memcpy(frubuf, rsp->data + 1, tmp);
+                off += tmp;
+                frubuf += tmp;
+               size_left_in_buffer -= tmp;
+                /* sometimes the size returned in the Info command
+                * is too large.  return 0 so higher level function
+                * still attempts to parse what was returned */
+@@ -791,7 +806,9 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+                        uint32_t offset, uint32_t length, uint8_t *frubuf)
+ {
+        static uint32_t fru_data_rqst_size = 20;
+-       uint32_t off = offset, tmp, finish;
+       uint32_t off = offset;
+       uint32_t tmp, finish;
+       uint32_t size_left_in_buffer;
+        struct ipmi_rs * rsp;
+        struct ipmi_rq req;
+        uint8_t msg_data[4];
+@@ -804,10 +821,12 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ 
+        finish = offset + length;
+        if (finish > fru->size) {
+               memset(frubuf + fru->size, 0, length - fru->size);
+                finish = fru->size;
+                lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
+                        "Adjusting to %d",
+                        offset + length, finish - offset);
+               length = finish - offset;
+        }
+ 
+        memset(&req, 0, sizeof(req));
+@@ -822,6 +841,8 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+        if (fru->access && fru_data_rqst_size > 16)
+ #endif
+                fru_data_rqst_size = 16;
+
+       size_left_in_buffer = length;
+        do {
+                tmp = fru->access ? off >> 1 : off;
+                msg_data[0] = id;
+@@ -853,8 +874,16 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+                }
+ 
+                tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
+               if(rsp->data_len < 1
+                  || tmp > rsp->data_len - 1
+                  || tmp > size_left_in_buffer)
+               {
+                       printf(" Not enough buffer size");
+                       return -1;
+               }
+                memcpy((frubuf + off)-offset, rsp->data + 1, tmp);
+                off += tmp;
+               size_left_in_buffer -= tmp;
+ 
+                /* sometimes the size returned in the Info command
+                * is too large.  return 0 so higher level function
+-- 
+2.17.1
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.18.bb b/meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.18.bb
index b7f1aa9145..500d5bd0b2 100644
--- a/meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.18.bb
+++ b/meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.18.bb
@@ -24,6 +24,7 @@ DEPENDS = "openssl readline ncurses"
 SRC_URI = "${SOURCEFORGE_MIRROR}/ipmitool/ipmitool-${PV}.tar.bz2 \
           file://0001-Migrate-to-openssl-1.1.patch \
+           file://0001-fru-Fix-buffer-overflow-vulnerabilities.patch \
           "
 SRC_URI[md5sum] = "bab7ea104c7b85529c3ef65c54427aa3"
 SRC_URI[sha256sum] = "0c1ba3b1555edefb7c32ae8cd6a3e04322056bc087918f07189eeedfc8b81e01"

diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch new file mode 100644 index 0000000000..b65e3ef1a6 --- /dev/null +++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch
@@ -0,0 +1,133 @@
		1	From e824c23316ae50beb7f7488f2055ac65e8b341f2 Mon Sep 17 00:00:00 2001
		2	From: Chrostoper Ertl <chertl@microsoft.com>
		3	Date: Thu, 28 Nov 2019 16:33:59 +0000
		4	Subject: [PATCH] fru: Fix buffer overflow vulnerabilities
		5
		6	Partial fix for CVE-2020-5208, see
		7	https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
		8
		9	The `read_fru_area_section` function only performs size validation of
		10	requested read size, and falsely assumes that the IPMI message will not
		11	respond with more than the requested amount of data; it uses the
		12	unvalidated response size to copy into `frubuf`. If the response is
		13	larger than the request, this can result in overflowing the buffer.
		14
		15	The same issue affects the `read_fru_area` function.
		16
		17	Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2]
		18	CVE: CVE-2020-5208
		19
		20	Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
		21	---
		22	lib/ipmi_fru.c \| 33 +++++++++++++++++++++++++++++++--
		23	1 file changed, 31 insertions(+), 2 deletions(-)
		24
		25	diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c
		26	index c2a139d..2e323ff 100644
		27	--- a/lib/ipmi_fru.c
		28	+++ b/lib/ipmi_fru.c
		29	@@ -663,7 +663,10 @@ int
		30	read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
		31	uint32_t offset, uint32_t length, uint8_t *frubuf)
		32	{
		33	- uint32_t off = offset, tmp, finish;
		34	+ uint32_t off = offset;
		35	+ uint32_t tmp;
		36	+ uint32_t finish;
		37	+ uint32_t size_left_in_buffer;
		38	struct ipmi_rs * rsp;
		39	struct ipmi_rq req;
		40	uint8_t msg_data[4];
		41	@@ -676,10 +679,12 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
		42
		43	finish = offset + length;
		44	if (finish > fru->size) {
		45	+ memset(frubuf + fru->size, 0, length - fru->size);
		46	finish = fru->size;
		47	lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
		48	"Adjusting to %d",
		49	offset + length, finish - offset);
		50	+ length = finish - offset;
		51	}
		52
		53	memset(&req, 0, sizeof(req));
		54	@@ -715,6 +720,7 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
		55	}
		56	}
		57
		58	+ size_left_in_buffer = length;
		59	do {
		60	tmp = fru->access ? off >> 1 : off;
		61	msg_data[0] = id;
		62	@@ -756,9 +762,18 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
		63	}
		64
		65	tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
		66	+ if(rsp->data_len < 1
		67	+ \|\| tmp > rsp->data_len - 1
		68	+ \|\| tmp > size_left_in_buffer)
		69	+ {
		70	+ printf(" Not enough buffer size");
		71	+ return -1;
		72	+ }
		73	+
		74	memcpy(frubuf, rsp->data + 1, tmp);
		75	off += tmp;
		76	frubuf += tmp;
		77	+ size_left_in_buffer -= tmp;
		78	/* sometimes the size returned in the Info command
		79	* is too large. return 0 so higher level function
		80	* still attempts to parse what was returned */
		81	@@ -791,7 +806,9 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
		82	uint32_t offset, uint32_t length, uint8_t *frubuf)
		83	{
		84	static uint32_t fru_data_rqst_size = 20;
		85	- uint32_t off = offset, tmp, finish;
		86	+ uint32_t off = offset;
		87	+ uint32_t tmp, finish;
		88	+ uint32_t size_left_in_buffer;
		89	struct ipmi_rs * rsp;
		90	struct ipmi_rq req;
		91	uint8_t msg_data[4];
		92	@@ -804,10 +821,12 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
		93
		94	finish = offset + length;
		95	if (finish > fru->size) {
		96	+ memset(frubuf + fru->size, 0, length - fru->size);
		97	finish = fru->size;
		98	lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
		99	"Adjusting to %d",
		100	offset + length, finish - offset);
		101	+ length = finish - offset;
		102	}
		103
		104	memset(&req, 0, sizeof(req));
		105	@@ -822,6 +841,8 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
		106	if (fru->access && fru_data_rqst_size > 16)
		107	#endif
		108	fru_data_rqst_size = 16;
		109	+
		110	+ size_left_in_buffer = length;
		111	do {
		112	tmp = fru->access ? off >> 1 : off;
		113	msg_data[0] = id;
		114	@@ -853,8 +874,16 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
		115	}
		116
		117	tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
		118	+ if(rsp->data_len < 1
		119	+ \|\| tmp > rsp->data_len - 1
		120	+ \|\| tmp > size_left_in_buffer)
		121	+ {
		122	+ printf(" Not enough buffer size");
		123	+ return -1;
		124	+ }
		125	memcpy((frubuf + off)-offset, rsp->data + 1, tmp);
		126	off += tmp;
		127	+ size_left_in_buffer -= tmp;
		128
		129	/* sometimes the size returned in the Info command
		130	* is too large. return 0 so higher level function
		131	--
		132	2.17.1
		133


diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.18.bb b/meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.18.bb index b7f1aa9145..500d5bd0b2 100644 --- a/meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.18.bb +++ b/meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.18.bb
@@ -24,6 +24,7 @@ DEPENDS = "openssl readline ncurses"
24		24
25	SRC_URI = "${SOURCEFORGE_MIRROR}/ipmitool/ipmitool-${PV}.tar.bz2 \	25	SRC_URI = "${SOURCEFORGE_MIRROR}/ipmitool/ipmitool-${PV}.tar.bz2 \
26	file://0001-Migrate-to-openssl-1.1.patch \	26	file://0001-Migrate-to-openssl-1.1.patch \
		27	file://0001-fru-Fix-buffer-overflow-vulnerabilities.patch \
27	"	28	"
28	SRC_URI[md5sum] = "bab7ea104c7b85529c3ef65c54427aa3"	29	SRC_URI[md5sum] = "bab7ea104c7b85529c3ef65c54427aa3"
29	SRC_URI[sha256sum] = "0c1ba3b1555edefb7c32ae8cd6a3e04322056bc087918f07189eeedfc8b81e01"	30	SRC_URI[sha256sum] = "0c1ba3b1555edefb7c32ae8cd6a3e04322056bc087918f07189eeedfc8b81e01"