Signed-off-by: P Dheeraj Srujan Kumar <[email protected]>
1 parent
e0c224c
commit 7dd3ed2
Showing
62 changed files
with
4,559 additions
and
11 deletions.
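--- a/meta-openbmc-mods/meta-common/recipes-bsp/u-boot/files/CVE-2022-34835.patch
+++ b/meta-openbmc-mods/meta-common/recipes-bsp/u-boot/files/CVE-2022-34835.patch
@@ -0,0 +1,118 @@
+From 8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <[email protected]>
+Date: Fri, 10 Jun 2022 14:50:25 +0000
+Subject: [PATCH] i2c: fix stack buffer overflow vulnerability in i2c md
+command
+
+When running "i2c md 0 0 80000100", the function do_i2c_md parses the
+length into an unsigned int variable named length. The value is then
+moved to a signed variable:
+
+int nbytes = length;
+#define DISP_LINE_LEN 16
+int linebytes = (nbytes > DISP_LINE_LEN) ? DISP_LINE_LEN : nbytes;
+ret = dm_i2c_read(dev, addr, linebuf, linebytes);
+
+On systems where integers are 32 bits wide, 0x80000100 is a negative
+value to "nbytes > DISP_LINE_LEN" is false and linebytes gets assigned
+0x80000100 instead of 16.
+
+The consequence is that the function which reads from the i2c device
+(dm_i2c_read or i2c_read) is called with a 16-byte stack buffer to fill
+but with a size parameter which is too large. In some cases, this could
+trigger a crash. But with some i2c drivers, such as drivers/i2c/nx_i2c.c
+(used with "nexell,s5pxx18-i2c" bus), the size is actually truncated to
+a 16-bit integer. This is because function i2c_transfer expects an
+unsigned short length. In such a case, an attacker who can control the
+response of an i2c device can overwrite the return address of a function
+and execute arbitrary code through Return-Oriented Programming.
+
+Fix this issue by using unsigned integers types in do_i2c_md. While at
+it, make also alen unsigned, as signed sizes can cause vulnerabilities
+when people forgot to check that they can be negative.
+
+Signed-off-by: Nicolas Iooss <[email protected]>
+Reviewed-by: Heiko Schocher <[email protected]>
+---
+cmd/i2c.c | 24 ++++++++++++------------
+1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/cmd/i2c.c b/cmd/i2c.c
+index 9050b2b8d27a..bd04b14024be 100644
+--- a/cmd/i2c.c
++++ b/cmd/i2c.c
+@@ -200,10 +200,10 @@ void i2c_init_board(void)
+*
+* Returns the address length.
+*/
+-static uint get_alen(char *arg, int default_len)
++static uint get_alen(char *arg, uint default_len)
+{
+- int j;
+- int alen;
++ uint j;
++ uint alen;
+
+alen = default_len;
+for (j = 0; j < 8; j++) {
+@@ -247,7 +247,7 @@ static int do_i2c_read(struct cmd_tbl *cmdtp, int flag, int argc,
+{
+uint chip;
+uint devaddr, length;
+- int alen;
++ uint alen;
+u_char *memaddr;
+int ret;
+#if CONFIG_IS_ENABLED(DM_I2C)
+@@ -301,7 +301,7 @@ static int do_i2c_write(struct cmd_tbl *cmdtp, int flag, int argc,
+{
+uint chip;
+uint devaddr, length;
+- int alen;
++ uint alen;
+u_char *memaddr;
+int ret;
+#if CONFIG_IS_ENABLED(DM_I2C)
+@@ -469,8 +469,8 @@ static int do_i2c_md(struct cmd_tbl *cmdtp, int flag, int argc,
+{
+uint chip;
+uint addr, length;
+- int alen;
+- int j, nbytes, linebytes;
++ uint alen;
++ uint j, nbytes, linebytes;
+int ret;
+#if CONFIG_IS_ENABLED(DM_I2C)
+struct udevice *dev;
+@@ -589,9 +589,9 @@ static int do_i2c_mw(struct cmd_tbl *cmdtp, int flag, int argc,
+{
+uint chip;
+ulong addr;
+- int alen;
++ uint alen;
+uchar byte;
+- int count;
++ uint count;
+int ret;
+#if CONFIG_IS_ENABLED(DM_I2C)
+struct udevice *dev;
+@@ -676,8 +676,8 @@ static int do_i2c_crc(struct cmd_tbl *cmdtp, int flag, int argc,
+{
+uint chip;
+ulong addr;
+- int alen;
+- int count;
++ uint alen;
++ uint count;
+uchar byte;
+ulong crc;
+ulong err;
+@@ -985,7 +985,7 @@ static int do_i2c_loop(struct cmd_tbl *cmdtp, int flag, int argc,
+char *const argv[])
+{
+uint chip;
+- int alen;
++ uint alen;
+uint addr;
+uint length;
+u_char bytes[16];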
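Review bot: The header of the added patch file (the `From:`/`Subject:` block above the `---` separator) carries no `Upstream-Status:` or `CVE:` tag, so the only provenance for this security backport is the bare `From 8f8c04bf…` hash; I would add `Upstream-Status: Backport [<upstream commit URL>]` and `CVE: CVE-2022-34835` after the `Reviewed-by:` trailer, and the same applies to the OpenSSL c_rehash patch added in this commit. The inner hunks show only the declarations changing to `uint`; the clamp `linebytes = (nbytes > DISP_LINE_LEN) ? DISP_LINE_LEN : nbytes` that the fix depends on is quoted in the commit message but lies in the part of do_i2c_md outside the hunk context, so it is worth confirming that the patch applies cleanly to the U-Boot version this layer builds. The recipe change that lists this file in `SRC_URI` is not visible in this section; without it the file is inert and the built image keeps the signed comparison.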
76 changes: 76 additions & 0 deletions
...meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch
@@ -0,0 +1,76 @@ | ||
From e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23 Mon Sep 17 00:00:00 2001 | ||
From: Tomas Mraz <[email protected]> | ||
Date: Tue, 26 Apr 2022 12:40:24 +0200 | ||
Subject: [PATCH] c_rehash: Do not use shell to invoke openssl | ||
|
||
Except on VMS where it is safe. | ||
|
||
This fixes CVE-2022-1292. | ||
|
||
Reviewed-by: Matthias St. Pierre <[email protected]> | ||
Reviewed-by: Matt Caswell <[email protected]> | ||
--- | ||
tools/c_rehash.in | 29 +++++++++++++++++++++++++---- | ||
1 file changed, 25 insertions(+), 4 deletions(-) | ||
|
||
diff --git a/tools/c_rehash.in b/tools/c_rehash.in | ||
index fa7c6c9fef..83c1cc80e0 100644 | ||
--- a/tools/c_rehash.in | ||
+++ b/tools/c_rehash.in | ||
@@ -152,6 +152,23 @@ sub check_file { | ||
return ($is_cert, $is_crl); | ||
} | ||
|
||
+sub compute_hash { | ||
+ my $fh; | ||
+ if ( $^O eq "VMS" ) { | ||
+ # VMS uses the open through shell | ||
+ # The file names are safe there and list form is unsupported | ||
+ if (!open($fh, "-|", join(' ', @_))) { | ||
+ print STDERR "Cannot compute hash on '$fname'\n"; | ||
+ return; | ||
+ } | ||
+ } else { | ||
+ if (!open($fh, "-|", @_)) { | ||
+ print STDERR "Cannot compute hash on '$fname'\n"; | ||
+ return; | ||
+ } | ||
+ } | ||
+ return (<$fh>, <$fh>); | ||
+} | ||
|
||
# Link a certificate to its subject name hash value, each hash is of | ||
# the form <hash>.<n> where n is an integer. If the hash value already exists | ||
@@ -161,10 +178,12 @@ sub check_file { | ||
|
||
sub link_hash_cert { | ||
my $fname = $_[0]; | ||
- $fname =~ s/\"/\\\"/g; | ||
- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; | ||
+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash, | ||
+ "-fingerprint", "-noout", | ||
+ "-in", $fname); | ||
chomp $hash; | ||
chomp $fprint; | ||
+ return if !$hash; | ||
$fprint =~ s/^.*=//; | ||
$fprint =~ tr/://d; | ||
my $suffix = 0; | ||
@@ -202,10 +221,12 @@ sub link_hash_cert { | ||
|
||
sub link_hash_crl { | ||
my $fname = $_[0]; | ||
- $fname =~ s/'/'\\''/g; | ||
- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; | ||
+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash, | ||
+ "-fingerprint", "-noout", | ||
+ "-in", $fname); | ||
chomp $hash; | ||
chomp $fprint; | ||
+ return if !$hash; | ||
$fprint =~ s/^.*=//; | ||
$fprint =~ tr/://d; | ||
my $suffix = 0; | ||
-- | ||
2.25.1 | ||
|
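Review bot: In the new `compute_hash`, both error messages interpolate `$fname`, but no variable of that name is declared inside the sub in the visible lines (the `my $fname` declarations are local to `link_hash_cert` and `link_hash_crl`), so the message will presumably not name the file that failed; taking the name from the argument list, e.g. `print STDERR "Cannot compute hash on '$_[-1]'\n";`, would avoid relying on outer scope. The pipe handle is also never closed, so the exit status of the `openssl` child is not checked and failure is only inferred from an empty `$hash` in the callers; a `close($fh)` with a check of `$?` before returning would make that explicit. The hunks replace only the two backtick invocations, so whether other shell-evaluated commands remain in c_rehash.in cannot be seen from here and should be checked against the upstream file. `link_hash_cert` and `link_hash_crl` continue outside their hunks.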