From patchwork Wed May 18 16:30:08 2022
X-Patchwork-Submitter: Andrea zi0Black Cappa
X-Patchwork-Id: 1632868
X-Patchwork-Delegate: trini@ti.com
Date: Wed, 18 May 2022 16:30:08 +0000
To: u-boot@lists.denx.de
From: Andrea zi0Black Cappa Cc: trini@konsulko.com, Andrea zi0Black Cappa Subject: [PATCH v2] Fix CVE-2022-30767 (old CVE-2019-14196) Message-ID: <20220518163103.372-1-zi0Black@protonmail.com> Feedback-ID: 9529232:user:proton MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Andrea zi0Black Cappa Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.5 at phobos.denx.de X-Virus-Status: Clean This patch mitigates the vulnerability identified via CVE-2019-14196. The previous patch was bypassed/ineffective, and now the vulnerability is identified via CVE-2022-30767. The patch removes the sanity check introduced to mitigate CVE-2019-14196 since it's ineffective. filefh3_length is changed to unsigned type integer, preventing negative numbers from being used during comparison with positive values during size sanity checks. Signed-off-by: Andrea zi0Black Cappa --- Changes for v2: - added commit comment - fixed a typo net/nfs.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) static struct in_addr nfs_server_ip; @@ -570,11 +570,9 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len) return -NFS_RPC_DROP; memcpy(filefh, rpc_pkt.u.reply.data + 1, NFS_FHSIZE); } else { /* NFSV3_FLAG */ filefh3_length = ntohl(rpc_pkt.u.reply.data[1]); if (filefh3_length > NFS3_FHSIZE) filefh3_length = NFS3_FHSIZE; - if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len) - return -NFS_RPC_DROP; memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length); } -- 2.36.0.windows.1 diff --git a/net/nfs.c b/net/nfs.c index 3c01cebd96..65fb066033 100644 --- a/net/nfs.c +++ b/net/nfs.c 
@@ -52,7 +52,7 @@ static const ulong nfs_timeout = CONFIG_NFS_TIMEOUT; static char dirfh[NFS_FHSIZE]; /* NFSv2 / NFSv3 file handle of directory */ static char filefh[NFS3_FHSIZE]; /* NFSv2 / NFSv3 file handle */ -static int filefh3_length; /* (variable) length of filefh when NFSv3 */ +static unsigned int filefh3_length; /* (variable) length of filefh when NFSv3 */ static enum net_loop_state nfs_download_state;
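Review bot: the check deleted in the @@ -570 hunk was the only test that tied filefh3_length to the received length `len`; the clamp that survives, `if (filefh3_length > NFS3_FHSIZE) filefh3_length = NFS3_FHSIZE;`, bounds the destination `filefh` once the variable is unsigned, but the source of `memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);` is no longer related to `len`, so a reply shorter than the advertised handle is now accepted with a handle filled from bytes beyond what was received instead of being dropped with `-NFS_RPC_DROP`. The deleted check was also wrong rather than merely bypassable: it measured the offset from `&(rpc_pkt.u.reply.data[0])` while the copy starts at `data + 2`, so it under-counted by two array elements. Consider rewriting it against the unsigned length and the real start of the handle, along the lines of `if (((uchar *)&rpc_pkt.u.reply.data[2] - (uchar *)&rpc_pkt) + filefh3_length > len) return -NFS_RPC_DROP;`, instead of removing it, and say in the commit message that a handle length above NFS3_FHSIZE is now silently clamped rather than rejected, since a clamped handle cannot be the one the server sent.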
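Review bot: in the @@ -52 hunk the change to `unsigned int` is the part of the patch that actually closes the hole, because filefh3_length is assigned from `ntohl()` and a signed declaration let a length with the high bit set compare as negative, pass the `> NFS3_FHSIZE` clamp untouched, and reach `memcpy` as a huge size_t; the commit message should say this explicitly rather than only that the old check was ineffective. Since `ntohl()` yields a 32-bit unsigned value, declaring the field as `u32` (or `uint32_t`) would match the source type exactly and make the intent clearer than `unsigned int`, and the `(variable) length of filefh when NFSv3` comment should be checked for alignment with the `dirfh` and `filefh` declarations above it now that the type name is longer.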