Skip to content
This repository has been archived by the owner on Aug 15, 2024. It is now read-only.

Commit

Permalink
Merge pull request #124 from Intel-BMC/update
Browse files Browse the repository at this point in the history
Update to internal 1-0.92
  • Loading branch information
dheerajpdsk authored Dec 3, 2022
2 parents e0c224c + 7dd3ed2 commit e9e8ce6
Show file tree
Hide file tree
Showing 62 changed files with 4,559 additions and 11 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -340,8 +340,11 @@ fitimage_assemble() {
DTBS=""
ramdiskcount=${3}
setupcount=""
#hash_type="sha256"
hash_type=""
if [ ! -z ${SPL_BINARY} ]; then
hash_type="sha256"
else
hash_type=""
fi
rm -f ${1} ${2}

#
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,118 @@
From 8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <[email protected]>
Date: Fri, 10 Jun 2022 14:50:25 +0000
Subject: [PATCH] i2c: fix stack buffer overflow vulnerability in i2c md
command

When running "i2c md 0 0 80000100", the function do_i2c_md parses the
length into an unsigned int variable named length. The value is then
moved to a signed variable:

int nbytes = length;
#define DISP_LINE_LEN 16
int linebytes = (nbytes > DISP_LINE_LEN) ? DISP_LINE_LEN : nbytes;
ret = dm_i2c_read(dev, addr, linebuf, linebytes);

On systems where integers are 32 bits wide, 0x80000100 is a negative
value to "nbytes > DISP_LINE_LEN" is false and linebytes gets assigned
0x80000100 instead of 16.

The consequence is that the function which reads from the i2c device
(dm_i2c_read or i2c_read) is called with a 16-byte stack buffer to fill
but with a size parameter which is too large. In some cases, this could
trigger a crash. But with some i2c drivers, such as drivers/i2c/nx_i2c.c
(used with "nexell,s5pxx18-i2c" bus), the size is actually truncated to
a 16-bit integer. This is because function i2c_transfer expects an
unsigned short length. In such a case, an attacker who can control the
response of an i2c device can overwrite the return address of a function
and execute arbitrary code through Return-Oriented Programming.

Fix this issue by using unsigned integers types in do_i2c_md. While at
it, make also alen unsigned, as signed sizes can cause vulnerabilities
when people forgot to check that they can be negative.

Signed-off-by: Nicolas Iooss <[email protected]>
Reviewed-by: Heiko Schocher <[email protected]>
---
cmd/i2c.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/cmd/i2c.c b/cmd/i2c.c
index 9050b2b8d27a..bd04b14024be 100644
--- a/cmd/i2c.c
+++ b/cmd/i2c.c
@@ -200,10 +200,10 @@ void i2c_init_board(void)
*
* Returns the address length.
*/
-static uint get_alen(char *arg, int default_len)
+static uint get_alen(char *arg, uint default_len)
{
- int j;
- int alen;
+ uint j;
+ uint alen;

alen = default_len;
for (j = 0; j < 8; j++) {
@@ -247,7 +247,7 @@ static int do_i2c_read(struct cmd_tbl *cmdtp, int flag, int argc,
{
uint chip;
uint devaddr, length;
- int alen;
+ uint alen;
u_char *memaddr;
int ret;
#if CONFIG_IS_ENABLED(DM_I2C)
@@ -301,7 +301,7 @@ static int do_i2c_write(struct cmd_tbl *cmdtp, int flag, int argc,
{
uint chip;
uint devaddr, length;
- int alen;
+ uint alen;
u_char *memaddr;
int ret;
#if CONFIG_IS_ENABLED(DM_I2C)
@@ -469,8 +469,8 @@ static int do_i2c_md(struct cmd_tbl *cmdtp, int flag, int argc,
{
uint chip;
uint addr, length;
- int alen;
- int j, nbytes, linebytes;
+ uint alen;
+ uint j, nbytes, linebytes;
int ret;
#if CONFIG_IS_ENABLED(DM_I2C)
struct udevice *dev;
@@ -589,9 +589,9 @@ static int do_i2c_mw(struct cmd_tbl *cmdtp, int flag, int argc,
{
uint chip;
ulong addr;
- int alen;
+ uint alen;
uchar byte;
- int count;
+ uint count;
int ret;
#if CONFIG_IS_ENABLED(DM_I2C)
struct udevice *dev;
@@ -676,8 +676,8 @@ static int do_i2c_crc(struct cmd_tbl *cmdtp, int flag, int argc,
{
uint chip;
ulong addr;
- int alen;
- int count;
+ uint alen;
+ uint count;
uchar byte;
ulong crc;
ulong err;
@@ -985,7 +985,7 @@ static int do_i2c_loop(struct cmd_tbl *cmdtp, int flag, int argc,
char *const argv[])
{
uint chip;
- int alen;
+ uint alen;
uint addr;
uint length;
u_char bytes[16];
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,5 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/files:"

SRC_URI += " \
file://fw_env.config \
file://CVE-2022-34835.patch \
"
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
From e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <[email protected]>
Date: Tue, 26 Apr 2022 12:40:24 +0200
Subject: [PATCH] c_rehash: Do not use shell to invoke openssl

Except on VMS where it is safe.

This fixes CVE-2022-1292.

Reviewed-by: Matthias St. Pierre <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
---
tools/c_rehash.in | 29 +++++++++++++++++++++++++----
1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/tools/c_rehash.in b/tools/c_rehash.in
index fa7c6c9fef..83c1cc80e0 100644
--- a/tools/c_rehash.in
+++ b/tools/c_rehash.in
@@ -152,6 +152,23 @@ sub check_file {
return ($is_cert, $is_crl);
}

+sub compute_hash {
+ my $fh;
+ if ( $^O eq "VMS" ) {
+ # VMS uses the open through shell
+ # The file names are safe there and list form is unsupported
+ if (!open($fh, "-|", join(' ', @_))) {
+ print STDERR "Cannot compute hash on '$fname'\n";
+ return;
+ }
+ } else {
+ if (!open($fh, "-|", @_)) {
+ print STDERR "Cannot compute hash on '$fname'\n";
+ return;
+ }
+ }
+ return (<$fh>, <$fh>);
+}

# Link a certificate to its subject name hash value, each hash is of
# the form <hash>.<n> where n is an integer. If the hash value already exists
@@ -161,10 +178,12 @@ sub check_file {

sub link_hash_cert {
my $fname = $_[0];
- $fname =~ s/\"/\\\"/g;
- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
chomp $hash;
chomp $fprint;
+ return if !$hash;
$fprint =~ s/^.*=//;
$fprint =~ tr/://d;
my $suffix = 0;
@@ -202,10 +221,12 @@ sub link_hash_cert {

sub link_hash_crl {
my $fname = $_[0];
- $fname =~ s/'/'\\''/g;
- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
chomp $hash;
chomp $fprint;
+ return if !$hash;
$fprint =~ s/^.*=//;
$fprint =~ tr/://d;
my $suffix = 0;
--
2.25.1

Loading

0 comments on commit e9e8ce6

Please sign in to comment.