From bcc26a853c9577ad57c76a101290a43b447f5ef3 Mon Sep 17 00:00:00 2001
From: zhouwenpei
Date: Wed, 28 Sep 2022 08:17:36 +0000
Subject: [PATCH] fix CVE-2022-30767
(cherry picked from commit b1332195842a6a122c8816b349955242acb75100)
---
 backport-CVE-2022-30767.patch | 44 +++++++++++++++++++++++++++++++++++
 uboot-tools.spec | 6 ++++-
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-30767.patch
diff --git a/backport-CVE-2022-30767.patch b/backport-CVE-2022-30767.patch
new file mode 100644
index 0000000..4f1a18f
--- /dev/null
+++ b/backport-CVE-2022-30767.patch
@@ -0,0 +1,44 @@
+From bdbf7a05e26f3c5fd437c99e2755ffde186ddc80 Mon Sep 17 00:00:00 2001
+From: Andrea zi0Black Cappa
+Date: Wed, 18 May 2022 16:30:08 +0000
+Subject: [PATCH] net: nfs: Fix CVE-2022-30767 (old CVE-2019-14196)
+
+This patch mitigates the vulnerability identified via CVE-2019-14196.
+
+The previous patch was bypassed/ineffective, and now the vulnerability
+is identified via CVE-2022-30767. The patch removes the sanity check
+introduced to mitigate CVE-2019-14196 since it's ineffective.
+filefh3_length is changed to unsigned type integer, preventing negative
+numbers from being used during comparison with positive values during
+size sanity checks.
+
+Signed-off-by: Andrea zi0Black Cappa
+---
+ net/nfs.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/net/nfs.c b/net/nfs.c
+index 3c01cebd96..9152ab742e 100644
+--- a/net/nfs.c
++++ b/net/nfs.c
+@@ -52,7 +52,7 @@ static const ulong nfs_timeout = CONFIG_NFS_TIMEOUT;
+ 
+ static char dirfh[NFS_FHSIZE]; /* NFSv2 / NFSv3 file handle of directory */
+ static char filefh[NFS3_FHSIZE]; /* NFSv2 / NFSv3 file handle */
+-static int filefh3_length; /* (variable) length of filefh when NFSv3 */
++static unsigned int filefh3_length; /* (variable) length of filefh when NFSv3 */
+ 
+ static enum net_loop_state nfs_download_state;
+ static struct in_addr nfs_server_ip;
+@@ -573,8 +573,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
+ filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
+ if (filefh3_length > NFS3_FHSIZE)
+ filefh3_length = NFS3_FHSIZE;
+- if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len)
+- return -NFS_RPC_DROP;
+ memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
+ }
+ 
+-- 
+GitLab
+
diff --git a/uboot-tools.spec b/uboot-tools.spec
index aa26eb8..7cdd794 100644
--- a/uboot-tools.spec
+++ b/uboot-tools.spec
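Review bot: Deleting the `len` guard ahead of the memcpy (the two `-` lines in the nested `@@ -573` hunk) leaves nothing that ties the copy to the bytes actually received: now that `filefh3_length` is unsigned the clamp to `NFS3_FHSIZE` does bound the write into `filefh`, but a LOOKUP reply shorter than the file-handle field will copy whatever `rpc_pkt` holds beyond `len` into the file-scope `filefh`, which the rest of the client presumably reuses for later requests. The old guard was not useless once the type is fixed, only mis-placed: `data` is read through `ntohl`, so it looks like a 32-bit word array, and measuring from `data[0]` while the copy starts at `data + 2` under-counted the required length by two words even before the signedness bypass. I would keep a corrected guard rather than drop it, `if ((uchar *)&rpc_pkt.u.reply.data[2] - (uchar *)&rpc_pkt + filefh3_length > len) return -NFS_RPC_DROP;`, which is now sound because an unsigned `filefh3_length` can no longer shrink the left-hand side. The body of nfs_lookup_reply, including how `rpc_pkt` is declared and filled from `pkt`, lies outside the hunk, so whether the bytes past `len` are stale stack contents or zeroed cannot be confirmed here.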
@@ -3,7 +3,7 @@ Name: uboot-tools Version: 2021.10 -Release: 6 +Release: 7 Summary: tools for U-Boot License: GPL-2.0-or-later and Public Domain and GPL-2.0-only URL: http://www.denx.de/wiki/U-Boot @@ -21,6 +21,7 @@ Patch6001: backport-AllWinner-PineTab.patch Patch6002: backport-rpi-Enable-using-the-DT-provided-by-the-Raspberry-Pi.patch Patch6003: backport-CVE-2022-34835.patch Patch6004: backport-CVE-2022-33967.patch +Patch6005: backport-CVE-2022-30767.patch BuildRequires: bc dtc gcc make flex bison git-core openssl-devel BuildRequires: python3-unversioned-command python3-devel python3-setuptools @@ -244,6 +245,9 @@ cp -p board/warp7/README builds/docs/README.warp7 %{_mandir}/man1/mkimage.1* %changelog +* Wed Sep 28 2022 zhouwenpei - 2021.10-7 +- fix CVE-2022-30767 + * Wed Jul 20 2022 cenhuilin - 2021.10-6 - fix CVE-2022-33967 -- Gitee