diff options
| author | Carlos Dominguez <carlos.dominguez@windriver.com> | 2025-02-19 16:18:12 +0800 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-02-28 06:51:35 -0800 |
| commit | d552f8503771cea2aabbaf220e20678203d2bd75 (patch) | |
| tree | ebbdf2e8c0250f278171dafaa4777d64c44574cf /meta | |
| parent | 975fa4831521d56a7e782b6cd0140d14a0f41b99 (diff) | |
| download | poky-d552f8503771cea2aabbaf220e20678203d2bd75.tar.gz | |
u-boot: Fix CVE-2022-30767
This patch mitigates the vulnerability identified via CVE-2019-14196.
The previous patch was bypassed/ineffective, and now the vulnerability
is identified via CVE-2022-30767. The patch removes the sanity check
introduced to mitigate CVE-2019-14196 since it's ineffective.
filefh3_length is changed to unsigned type integer, preventing negative
numbers from being used during comparison with positive values during
size sanity checks.
(From OE-Core rev: b7072637ba110718714745a01d67e1b6b0096165)
Signed-off-by: Carlos Dominguez <carlos.dominguez@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch | 44 | ||||
| -rw-r--r-- | meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 |
2 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch b/meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch new file mode 100644 index 0000000000..aee7f05ab4 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch | |||
| @@ -0,0 +1,44 @@ | |||
| 1 | From bdbf7a05e26f3c5fd437c99e2755ffde186ddc80 Thr Jun 2 00:00:00 2022 | ||
| 2 | From: Andrea zi0Black Cappa <zi0Black@protonmail.com> | ||
| 3 | Date: Tue, 14 Jun 2022 17:16:00 +0200 | ||
| 4 | Subject: [PATCH] net: nfs: Fix CVE-2022-30767 (old CVE-2019-14196) | ||
| 5 | |||
| 6 | This patch mitigates the vulnerability identified via CVE-2019-14196. | ||
| 7 | The previous patch was bypassed/ineffective, and now the vulnerability | ||
| 8 | is identified via CVE-2022-30767. The patch removes the sanity check | ||
| 9 | introduced to mitigate CVE-2019-14196 since it's ineffective. | ||
| 10 | filefh3_length is changed to unsigned type integer, preventing negative | ||
| 11 | numbers from being used during comparison with positive values during | ||
| 12 | size sanity checks. | ||
| 13 | |||
| 14 | CVE: CVE-2019-14196 | ||
| 15 | |||
| 16 | Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/bdbf7a05e26f3c5fd437c99e2755ffde186ddc80] | ||
| 17 | Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com> | ||
| 18 | Signed-off-by: Carlos Dominguez <carlos.dominguez@windriver.com> | ||
| 19 | --- | ||
| 20 | net/nfs.c | 4 +--- | ||
| 21 | 1 file changed, 1 insertions(+), 3 deletions(-) | ||
| 22 | |||
| 23 | diff --git a/net/nfs.c b/net/nfs.c | ||
| 24 | index 70d0e08bde..3003f54aac 100644 | ||
| 25 | --- a/net/nfs.c | ||
| 26 | +++ b/net/nfs.c | ||
| 27 | @@ -57,7 +57,7 @@ static ulong nfs_timeout = NFS_TIMEOUT; | ||
| 28 | |||
| 29 | static char dirfh[NFS_FHSIZE]; /* NFSv2 / NFSv3 file handle of directory */ | ||
| 30 | static char filefh[NFS3_FHSIZE]; /* NFSv2 / NFSv3 file handle */ | ||
| 31 | -static int filefh3_length; /* (variable) length of filefh when NFSv3 */ | ||
| 32 | +static unsigned int filefh3_length; /* (variable) length of filefh when NFSv3 */ | ||
| 33 | |||
| 34 | static enum net_loop_state nfs_download_state; | ||
| 35 | static struct in_addr nfs_server_ip; | ||
| 36 | @@ -578,8 +578,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len) | ||
| 37 | filefh3_length = ntohl(rpc_pkt.u.reply.data[1]); | ||
| 38 | if (filefh3_length > NFS3_FHSIZE) | ||
| 39 | filefh3_length = NFS3_FHSIZE; | ||
| 40 | - if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len) | ||
| 41 | - return -NFS_RPC_DROP; | ||
| 42 | memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length); | ||
| 43 | } | ||
| 44 | |||
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index c4cfcbca19..cd40ad1a7d 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb | |||
| @@ -7,6 +7,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ | |||
| 7 | file://0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch \ | 7 | file://0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch \ |
| 8 | file://0001-net-Check-for-the-minimum-IP-fragmented-datagram-siz.patch \ | 8 | file://0001-net-Check-for-the-minimum-IP-fragmented-datagram-siz.patch \ |
| 9 | file://0001-fs-squashfs-Use-kcalloc-when-relevant.patch \ | 9 | file://0001-fs-squashfs-Use-kcalloc-when-relevant.patch \ |
| 10 | file://0001-CVE-2022-30767.patch \ | ||
| 10 | " | 11 | " |
| 11 | 12 | ||
| 12 | DEPENDS += "bc-native dtc-native python3-setuptools-native" | 13 | DEPENDS += "bc-native dtc-native python3-setuptools-native" |
