summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch44
-rw-r--r--meta/recipes-bsp/u-boot/u-boot_2022.01.bb1
2 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch b/meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch
new file mode 100644
index 0000000000..aee7f05ab4
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch
@@ -0,0 +1,44 @@
1From bdbf7a05e26f3c5fd437c99e2755ffde186ddc80 Thr Jun 2 00:00:00 2022
2From: Andrea zi0Black Cappa <zi0Black@protonmail.com>
3Date: Tue, 14 Jun 2022 17:16:00 +0200
4Subject: [PATCH] net: nfs: Fix CVE-2022-30767 (old CVE-2019-14196)
5
6This patch mitigates the vulnerability identified via CVE-2019-14196.
7The previous patch was bypassed/ineffective, and now the vulnerability
8is identified via CVE-2022-30767. The patch removes the sanity check
9introduced to mitigate CVE-2019-14196 since it's ineffective.
10filefh3_length is changed to unsigned type integer, preventing negative
11numbers from being used during comparison with positive values during
12size sanity checks.
13
14CVE: CVE-2019-14196
15
16Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/bdbf7a05e26f3c5fd437c99e2755ffde186ddc80]
17Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com>
18Signed-off-by: Carlos Dominguez <carlos.dominguez@windriver.com>
19---
20 net/nfs.c | 4 +---
21 1 file changed, 1 insertions(+), 3 deletions(-)
22
23diff --git a/net/nfs.c b/net/nfs.c
24index 70d0e08bde..3003f54aac 100644
25--- a/net/nfs.c
26+++ b/net/nfs.c
27@@ -57,7 +57,7 @@ static ulong nfs_timeout = NFS_TIMEOUT;
28
29 static char dirfh[NFS_FHSIZE]; /* NFSv2 / NFSv3 file handle of directory */
30 static char filefh[NFS3_FHSIZE]; /* NFSv2 / NFSv3 file handle */
31-static int filefh3_length; /* (variable) length of filefh when NFSv3 */
32+static unsigned int filefh3_length; /* (variable) length of filefh when NFSv3 */
33
34 static enum net_loop_state nfs_download_state;
35 static struct in_addr nfs_server_ip;
36@@ -578,8 +578,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
37 filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
38 if (filefh3_length > NFS3_FHSIZE)
39 filefh3_length = NFS3_FHSIZE;
40- if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len)
41- return -NFS_RPC_DROP;
42 memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
43 }
44
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
index c4cfcbca19..cd40ad1a7d 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -7,6 +7,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
7 file://0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch \ 7 file://0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch \
8 file://0001-net-Check-for-the-minimum-IP-fragmented-datagram-siz.patch \ 8 file://0001-net-Check-for-the-minimum-IP-fragmented-datagram-siz.patch \
9 file://0001-fs-squashfs-Use-kcalloc-when-relevant.patch \ 9 file://0001-fs-squashfs-Use-kcalloc-when-relevant.patch \
10 file://0001-CVE-2022-30767.patch \
10 " 11 "
11 12
12DEPENDS += "bc-native dtc-native python3-setuptools-native" 13DEPENDS += "bc-native dtc-native python3-setuptools-native"