From: Carlos Dominguez <carlos.doming...@windriver.com> This patch mitigates the vulnerability identified via CVE-2019-14196. The previous patch was bypassed/ineffective, and now the vulnerability is identified via CVE-2022-30767. The patch removes the sanity check introduced to mitigate CVE-2019-14196 since it's ineffective. filefh3_length is changed to unsigned type integer, preventing negative numbers from being used during comparison with positive values during size sanity checks.
Signed-off-by: Carlos Dominguez <carlos.doming...@windriver.com> Signed-off-by: Kai Kang <kai.k...@windriver.com> Signed-off-by: Steve Sakoman <st...@sakoman.com> --- .../u-boot/files/0001-CVE-2022-30767.patch | 44 +++++++++++++++++++ meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch diff --git a/meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch b/meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch new file mode 100644 index 0000000000..aee7f05ab4 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch @@ -0,0 +1,44 @@ +From bdbf7a05e26f3c5fd437c99e2755ffde186ddc80 Thr Jun 2 00:00:00 2022 +From: Andrea zi0Black Cappa <zi0bl...@protonmail.com> +Date: Tue, 14 Jun 2022 17:16:00 +0200 +Subject: [PATCH] net: nfs: Fix CVE-2022-30767 (old CVE-2019-14196) + +This patch mitigates the vulnerability identified via CVE-2019-14196. +The previous patch was bypassed/ineffective, and now the vulnerability +is identified via CVE-2022-30767. The patch removes the sanity check +introduced to mitigate CVE-2019-14196 since it's ineffective. +filefh3_length is changed to unsigned type integer, preventing negative +numbers from being used during comparison with positive values during +size sanity checks. + +CVE: CVE-2019-14196 + +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/bdbf7a05e26f3c5fd437c99e2755ffde186ddc80] +Signed-off-by: Andrea zi0Black Cappa <zi0bl...@protonmail.com> +Signed-off-by: Carlos Dominguez <carlos.doming...@windriver.com> +--- + net/nfs.c | 4 +--- + 1 file changed, 1 insertions(+), 3 deletions(-) + +diff --git a/net/nfs.c b/net/nfs.c +index 70d0e08bde..3003f54aac 100644 +--- a/net/nfs.c ++++ b/net/nfs.c +@@ -57,7 +57,7 @@ static ulong nfs_timeout = NFS_TIMEOUT; + + static char dirfh[NFS_FHSIZE]; /* NFSv2 / NFSv3 file handle of directory */ + static char filefh[NFS3_FHSIZE]; /* NFSv2 / NFSv3 file handle */ +-static int filefh3_length; /* (variable) length of filefh when NFSv3 */ ++static unsigned int filefh3_length; /* (variable) length of filefh when NFSv3 */ + + static enum net_loop_state nfs_download_state; + static struct in_addr nfs_server_ip; +@@ -578,8 +578,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len) + filefh3_length = ntohl(rpc_pkt.u.reply.data[1]); + if (filefh3_length > NFS3_FHSIZE) + filefh3_length = NFS3_FHSIZE; +- if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len) +- return -NFS_RPC_DROP; + memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length); + } + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index c4cfcbca19..cd40ad1a7d 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb @@ -7,6 +7,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch \ file://0001-net-Check-for-the-minimum-IP-fragmented-datagram-siz.patch \ file://0001-fs-squashfs-Use-kcalloc-when-relevant.patch \ + file://0001-CVE-2022-30767.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native" -- 2.43.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#211886): https://lists.openembedded.org/g/openembedded-core/message/211886 Mute This Topic: https://lists.openembedded.org/mt/111377441/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
