[v2] Fix CVE-2022-30767 (old CVE-2019-14196)

Message ID 20220518163103.372-1-zi0Black@protonmail.com
State Accepted
Delegated to: Tom Rini
Series [v2] Fix CVE-2022-30767 (old CVE-2019-14196)

Commit Message

Andrea zi0Black Cappa May 18, 2022, 4:30 p.m. UTC
This patch mitigates the vulnerability identified via CVE-2019-14196.
The previous patch was bypassed/ineffective, and now the vulnerability is identified via CVE-2022-30767. The patch removes the sanity check introduced to mitigate CVE-2019-14196 since it's ineffective.
filefh3_length is changed to unsigned type integer, preventing negative numbers from being used during comparison with positive values during size sanity checks.

Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com>
---
Changes for v2:
	- added commit comment
	- fixed a typo

 net/nfs.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

 static struct in_addr nfs_server_ip;
@@ -570,11 +570,9 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
 			return -NFS_RPC_DROP;
 		memcpy(filefh, rpc_pkt.u.reply.data + 1, NFS_FHSIZE);
 	} else {  /* NFSV3_FLAG */
		filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
 		if (filefh3_length > NFS3_FHSIZE)
 			filefh3_length  = NFS3_FHSIZE;
-		if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len)
-			return -NFS_RPC_DROP;
 		memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
 	}
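
Review bot: with the two removed lines gone, nothing in the NFSv3 branch compares filefh3_length with len any more, so the memcpy from rpc_pkt.u.reply.data + 2 copies up to NFS3_FHSIZE bytes regardless of how much of the reply was actually received. The clamp on filefh3_length bounds the write into filefh, but not the read from the packet. Consider keeping a length check against len, written entirely in unsigned arithmetic, in place of the dropped one, or state in the commit message why the source always holds at least NFS3_FHSIZE bytes past data[2]. A short comment above the clamp noting that it relies on filefh3_length being unsigned would also help, since that type change lives in a different hunk.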

--
2.36.0.windows.1

Comments

Tom Rini May 27, 2022, 1:30 p.m. UTC | #1
On Wed, May 18, 2022 at 04:30:08PM +0000, Andrea zi0Black Cappa wrote:

> This patch mitigates the vulnerability identified via CVE-2019-14196.
> The previous patch was bypassed/ineffective, and now the vulnerability is identified via CVE-2022-30767. The patch removes the sanity check introduced to mitigate CVE-2019-14196 since it's ineffective.
> filefh3_length is changed to unsigned type integer, preventing negative numbers from being used during comparison with positive values during size sanity checks.
> 
> Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com>

Applied to u-boot/master, thanks!
Patch

diff --git a/net/nfs.c b/net/nfs.c
index 3c01cebd96..65fb066033 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -52,7 +52,7 @@  static const ulong nfs_timeout = CONFIG_NFS_TIMEOUT;

 static char dirfh[NFS_FHSIZE];	/* NFSv2 / NFSv3 file handle of directory */
 static char filefh[NFS3_FHSIZE]; /* NFSv2 / NFSv3 file handle */
-static int filefh3_length;	/*
 (variable) length of filefh when NFSv3 */
+static unsigned int filefh3_length;	/* (variable) length of filefh when NFSv3 */

 static enum net_loop_state nfs_download_state;
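
Review bot: the comment on the changed filefh3_length declaration should record that the type must stay unsigned, because the "if (filefh3_length > NFS3_FHSIZE)" clamp in nfs_lookup_reply() is the only bound on the memcpy into filefh[NFS3_FHSIZE], and it only works if a large value from ntohl() cannot become negative. As written, a later cleanup could switch the type back to int without any hint that this reopens the issue. The other users of filefh3_length are not visible in this patch; please confirm none of them compares it with a signed value or passes it through an int parameter.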