diff options
Diffstat (limited to 'meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch')
-rw-r--r-- | meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch | 133 |
1 files changed, 0 insertions, 133 deletions
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch deleted file mode 100644 index b65e3ef1a6..0000000000 --- a/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch +++ /dev/null @@ -1,133 +0,0 @@ -From e824c23316ae50beb7f7488f2055ac65e8b341f2 Mon Sep 17 00:00:00 2001 -From: Chrostoper Ertl <chertl@microsoft.com> -Date: Thu, 28 Nov 2019 16:33:59 +0000 -Subject: [PATCH] fru: Fix buffer overflow vulnerabilities - -Partial fix for CVE-2020-5208, see -https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp - -The `read_fru_area_section` function only performs size validation of -requested read size, and falsely assumes that the IPMI message will not -respond with more than the requested amount of data; it uses the -unvalidated response size to copy into `frubuf`. If the response is -larger than the request, this can result in overflowing the buffer. - -The same issue affects the `read_fru_area` function. - -Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2] -CVE: CVE-2020-5208 - -Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> ---- - lib/ipmi_fru.c | 33 +++++++++++++++++++++++++++++++-- - 1 file changed, 31 insertions(+), 2 deletions(-) - -diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c -index c2a139d..2e323ff 100644 ---- a/lib/ipmi_fru.c -+++ b/lib/ipmi_fru.c -@@ -663,7 +663,10 @@ int - read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, - uint32_t offset, uint32_t length, uint8_t *frubuf) - { -- uint32_t off = offset, tmp, finish; -+ uint32_t off = offset; -+ uint32_t tmp; -+ uint32_t finish; -+ uint32_t size_left_in_buffer; - struct ipmi_rs * rsp; - struct ipmi_rq req; - uint8_t msg_data[4]; -@@ -676,10 +679,12 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, - - finish = offset + length; - if (finish > fru->size) { -+ memset(frubuf + fru->size, 0, length - fru->size); - finish = fru->size; - lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " - "Adjusting to %d", - offset + length, finish - offset); -+ length = finish - offset; - } - - memset(&req, 0, sizeof(req)); -@@ -715,6 +720,7 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, - } - } - -+ size_left_in_buffer = length; - do { - tmp = fru->access ? off >> 1 : off; - msg_data[0] = id; -@@ -756,9 +762,18 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, - } - - tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; -+ if(rsp->data_len < 1 -+ || tmp > rsp->data_len - 1 -+ || tmp > size_left_in_buffer) -+ { -+ printf(" Not enough buffer size"); -+ return -1; -+ } -+ - memcpy(frubuf, rsp->data + 1, tmp); - off += tmp; - frubuf += tmp; -+ size_left_in_buffer -= tmp; - /* sometimes the size returned in the Info command - * is too large. return 0 so higher level function - * still attempts to parse what was returned */ -@@ -791,7 +806,9 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, - uint32_t offset, uint32_t length, uint8_t *frubuf) - { - static uint32_t fru_data_rqst_size = 20; -- uint32_t off = offset, tmp, finish; -+ uint32_t off = offset; -+ uint32_t tmp, finish; -+ uint32_t size_left_in_buffer; - struct ipmi_rs * rsp; - struct ipmi_rq req; - uint8_t msg_data[4]; -@@ -804,10 +821,12 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, - - finish = offset + length; - if (finish > fru->size) { -+ memset(frubuf + fru->size, 0, length - fru->size); - finish = fru->size; - lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " - "Adjusting to %d", - offset + length, finish - offset); -+ length = finish - offset; - } - - memset(&req, 0, sizeof(req)); -@@ -822,6 +841,8 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, - if (fru->access && fru_data_rqst_size > 16) - #endif - fru_data_rqst_size = 16; -+ -+ size_left_in_buffer = length; - do { - tmp = fru->access ? off >> 1 : off; - msg_data[0] = id; -@@ -853,8 +874,16 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, - } - - tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; -+ if(rsp->data_len < 1 -+ || tmp > rsp->data_len - 1 -+ || tmp > size_left_in_buffer) -+ { -+ printf(" Not enough buffer size"); -+ return -1; -+ } - memcpy((frubuf + off)-offset, rsp->data + 1, tmp); - off += tmp; -+ size_left_in_buffer -= tmp; - - /* sometimes the size returned in the Info command - * is too large. return 0 so higher level function --- -2.17.1 - |