Эхлэл Бүгдийг харах Тусламж
Нэвтрэх
PUBLIC_REPOS
/
buildroot
-ын хуулбар git://git.buildroot.net/buildroot
2
1
Салаа 0
Файлууд
Мод: c0a1c0c375
Салаанууд Тагууд
buildroot
/
package
/
ipmitool
/
0008-fru-Fix-buffer-overflow-vulnerabilities.patch

0008-fru-Fix-buffer-overflow-vulnerabilities.patch 4.2 KB
Түүх Анхны өгөгдөл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132 
  1. From d615cb6c39d401a569941be2a615176191afa7ac Mon Sep 17 00:00:00 2001
    2. 

  2. From: Chrostoper Ertl <chertl@microsoft.com>
    3. 

  3. Date: Thu, 28 Nov 2019 16:33:59 +0000
    4. 

  4. Subject: [PATCH] fru: Fix buffer overflow vulnerabilities
    5. 

  5. 

  6. Partial fix for CVE-2020-5208, see
    7. 

  7. https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
    8. 

  8. 

  9. The `read_fru_area_section` function only performs size validation of
    10. 

  10. requested read size, and falsely assumes that the IPMI message will not
    11. 

  11. respond with more than the requested amount of data; it uses the
    12. 

  12. unvalidated response size to copy into `frubuf`. If the response is
    13. 

  13. larger than the request, this can result in overflowing the buffer.
    14. 

  14. 

  15. The same issue affects the `read_fru_area` function.
    16. 

  16. 

  17. [Retrieve from
    18. 

  18. https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2]
    19. 

  19. Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
    20. 

  20. ---
    21. 

  21.  lib/ipmi_fru.c | 33 +++++++++++++++++++++++++++++++--
    22. 

  22.  1 file changed, 31 insertions(+), 2 deletions(-)
    23. 

  23. 

  24. diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c
    25. 

  25. index cf00eff..af99aa9 100644
    26. 

  26. --- a/lib/ipmi_fru.c
    27. 

  27. +++ b/lib/ipmi_fru.c
    28. 

  28. @@ -615,7 +615,10 @@ int
    29. 

  29.  read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
    30. 

  30.  			uint32_t offset, uint32_t length, uint8_t *frubuf)
    31. 

  31.  {
    32. 

  32. -	uint32_t off = offset, tmp, finish;
    33. 

  33. +	uint32_t off = offset;
    34. 

  34. +	uint32_t tmp;
    35. 

  35. +	uint32_t finish;
    36. 

  36. +	uint32_t size_left_in_buffer;
    37. 

  37.  	struct ipmi_rs * rsp;
    38. 

  38.  	struct ipmi_rq req;
    39. 

  39.  	uint8_t msg_data[4];
    40. 

  40. @@ -628,10 +631,12 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
    41. 

  41.  
    42. 

  42.  	finish = offset + length;
    43. 

  43.  	if (finish > fru->size) {
    44. 

  44. +		memset(frubuf + fru->size, 0, length - fru->size);
    45. 

  45.  		finish = fru->size;
    46. 

  46.  		lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
    47. 

  47.  			"Adjusting to %d",
    48. 

  48.  			offset + length, finish - offset);
    49. 

  49. +		length = finish - offset;
    50. 

  50.  	}
    51. 

  51.  
    52. 

  52.  	memset(&req, 0, sizeof(req));
    53. 

  53. @@ -667,6 +672,7 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
    54. 

  54.  		}
    55. 

  55.  	}
    56. 

  56.  
    57. 

  57. +	size_left_in_buffer = length;
    58. 

  58.  	do {
    59. 

  59.  		tmp = fru->access ? off >> 1 : off;
    60. 

  60.  		msg_data[0] = id;
    61. 

  61. @@ -707,9 +713,18 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
    62. 

  62.  		}
    63. 

  63.  
    64. 

  64.  		tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
    65. 

  65. +		if(rsp->data_len < 1
    66. 

  66. +		   || tmp > rsp->data_len - 1
    67. 

  67. +		   || tmp > size_left_in_buffer)
    68. 

  68. +		{
    69. 

  69. +			printf(" Not enough buffer size");
    70. 

  70. +			return -1;
    71. 

  71. +		}
    72. 

  72. +
    73. 

  73.  		memcpy(frubuf, rsp->data + 1, tmp);
    74. 

  74.  		off += tmp;
    75. 

  75.  		frubuf += tmp;
    76. 

  76. +		size_left_in_buffer -= tmp;
    77. 

  77.  		/* sometimes the size returned in the Info command
    78. 

  78.  		* is too large.  return 0 so higher level function
    79. 

  79.  		* still attempts to parse what was returned */
    80. 

  80. @@ -742,7 +757,9 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
    81. 

  81.  			uint32_t offset, uint32_t length, uint8_t *frubuf)
    82. 

  82.  {
    83. 

  83.  	static uint32_t fru_data_rqst_size = 20;
    84. 

  84. -	uint32_t off = offset, tmp, finish;
    85. 

  85. +	uint32_t off = offset;
    86. 

  86. +	uint32_t tmp, finish;
    87. 

  87. +	uint32_t size_left_in_buffer;
    88. 

  88.  	struct ipmi_rs * rsp;
    89. 

  89.  	struct ipmi_rq req;
    90. 

  90.  	uint8_t msg_data[4];
    91. 

  91. @@ -755,10 +772,12 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
    92. 

  92.  
    93. 

  93.  	finish = offset + length;
    94. 

  94.  	if (finish > fru->size) {
    95. 

  95. +		memset(frubuf + fru->size, 0, length - fru->size);
    96. 

  96.  		finish = fru->size;
    97. 

  97.  		lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
    98. 

  98.  			"Adjusting to %d",
    99. 

  99.  			offset + length, finish - offset);
    100. 

  100. +		length = finish - offset;
    101. 

  101.  	}
    102. 

  102.  
    103. 

  103.  	memset(&req, 0, sizeof(req));
    104. 

  104. @@ -773,6 +792,8 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
    105. 

  105.  	if (fru->access && fru_data_rqst_size > 16)
    106. 

  106.  #endif
    107. 

  107.  		fru_data_rqst_size = 16;
    108. 

  108. +
    109. 

  109. +	size_left_in_buffer = length;
    110. 

  110.  	do {
    111. 

  111.  		tmp = fru->access ? off >> 1 : off;
    112. 

  112.  		msg_data[0] = id;
    113. 

  113. @@ -804,8 +825,16 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
    114. 

  114.  		}
    115. 

  115.  
    116. 

  116.  		tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
    117. 

  117. +		if(rsp->data_len < 1
    118. 

  118. +		   || tmp > rsp->data_len - 1
    119. 

  119. +		   || tmp > size_left_in_buffer)
    120. 

  120. +		{
    121. 

  121. +			printf(" Not enough buffer size");
    122. 

  122. +			return -1;
    123. 

  123. +		}
    124. 

  124.  		memcpy((frubuf + off)-offset, rsp->data + 1, tmp);
    125. 

  125.  		off += tmp;
    126. 

  126. +		size_left_in_buffer -= tmp;
    127. 

  127.  
    128. 

  128.  		/* sometimes the size returned in the Info command
    129. 

  129.  		* is too large.  return 0 so higher level function
    130. 

  130. -- 
    131. 

  131. 2.20.1
    132. 

  132.