[kirkstone,v2,1/8] u-boot: Fix CVE-2022-30767

Message ID	20250219081819.926163-1-hongxu.jia@windriver.com
State	Under Review
Delegated to:	Steve Sakoman
Headers	show Return-Path: <hongxu.jia@eng.windriver.com> ip: 205.220.178.238, mailfrom: prvs=41458e6591=hongxu.jia@windriver.com) From: Hongxu Jia <hongxu.jia@windriver.com> To: <openembedded-core@lists.openembedded.org> Subject: [kirkstone][PATCH v2 1/8] u-boot: Fix CVE-2022-30767 Date: Wed, 19 Feb 2025 16:18:12 +0800 Message-ID: <20250219081819.926163-1-hongxu.jia@windriver.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	[kirkstone,v2,1/8] u-boot: Fix CVE-2022-30767 \| expand [kirkstone,v2,1/8] u-boot: Fix CVE-2022-30767 [kirkstone,v2,2/8] u-boot: fix CVE-2022-2347 and CVE-2022-30790 [kirkstone,v2,3/8] u-boot: fix CVE-2024-57254 [kirkstone,v2,4/8] u-boot: fix CVE-2024-57255 [kirkstone,v2,5/8] u-boot: fix CVE-2024-57256 [kirkstone,v2,6/8] u-boot: fix CVE-2024-57257 [kirkstone,v2,7/8] u-boot: fix CVE-2024-57258 [kirkstone,v2,8/8] u-boot: fix CVE-2024-57259

Message ID

20250219081819.926163-1-hongxu.jia@windriver.com

State

Under Review

Delegated to:

Steve Sakoman

Headers

From: Hongxu Jia <hongxu.jia@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: [kirkstone][PATCH v2 1/8] u-boot: Fix CVE-2022-30767
Date: Wed, 19 Feb 2025 16:18:12 +0800
Message-ID: <20250219081819.926163-1-hongxu.jia@windriver.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain

Series

[kirkstone,v2,1/8] u-boot: Fix CVE-2022-30767 | expand

Commit Message

Hongxu Jia Feb. 19, 2025, 8:18 a.m. UTC

From: Carlos Dominguez <carlos.dominguez@windriver.com>

This patch mitigates the vulnerability identified via CVE-2019-14196.
The previous patch was bypassed/ineffective, and now the vulnerability
is identified via CVE-2022-30767. The patch removes the sanity check
introduced to mitigate CVE-2019-14196 since it's ineffective.
filefh3_length is changed to unsigned type integer, preventing negative
numbers from being used during comparison with positive values during
size sanity checks.

Signed-off-by: Carlos Dominguez <carlos.dominguez@windriver.com>

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 .../u-boot/files/0001-CVE-2022-30767.patch    | 44 +++++++++++++++++++
 meta/recipes-bsp/u-boot/u-boot_2022.01.bb     |  1 +
 2 files changed, 45 insertions(+)
 create mode 100644 meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch

diff --git a/meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch b/meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch
new file mode 100644
index 0000000000..aee7f05ab4
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch
@@ -0,0 +1,44 @@ 
+From bdbf7a05e26f3c5fd437c99e2755ffde186ddc80 Thr Jun 2 00:00:00 2022
+From: Andrea zi0Black Cappa <zi0Black@protonmail.com>
+Date: Tue, 14 Jun 2022 17:16:00 +0200
+Subject: [PATCH] net: nfs: Fix CVE-2022-30767 (old CVE-2019-14196)
+
+This patch mitigates the vulnerability identified via CVE-2019-14196.
+The previous patch was bypassed/ineffective, and now the vulnerability
+is identified via CVE-2022-30767. The patch removes the sanity check
+introduced to mitigate CVE-2019-14196 since it's ineffective.
+filefh3_length is changed to unsigned type integer, preventing negative
+numbers from being used during comparison with positive values during
+size sanity checks.
+
+CVE: CVE-2019-14196
+
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/bdbf7a05e26f3c5fd437c99e2755ffde186ddc80]
+Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com>
+Signed-off-by: Carlos Dominguez <carlos.dominguez@windriver.com>
+---
+ net/nfs.c |    4 +---
+ 1 file changed, 1 insertions(+), 3 deletions(-)
+
+diff --git a/net/nfs.c b/net/nfs.c
+index 70d0e08bde..3003f54aac 100644
+--- a/net/nfs.c
++++ b/net/nfs.c
+@@ -57,7 +57,7 @@ static ulong nfs_timeout = NFS_TIMEOUT;
+ 
+ static char dirfh[NFS_FHSIZE];	/* NFSv2 / NFSv3 file handle of directory */
+ static char filefh[NFS3_FHSIZE]; /* NFSv2 / NFSv3 file handle */
+-static int filefh3_length;	/* (variable) length of filefh when NFSv3 */
++static unsigned int filefh3_length;	/* (variable) length of filefh when NFSv3 */
+ 
+ static enum net_loop_state nfs_download_state;
+ static struct in_addr nfs_server_ip;
+@@ -578,8 +578,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
+ 		filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
+ 		if (filefh3_length > NFS3_FHSIZE)
+ 			filefh3_length  = NFS3_FHSIZE;
+-		if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len)
+-			return -NFS_RPC_DROP;
+ 		memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
+ 	}
+ 
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
index c4cfcbca19..cd40ad1a7d 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -7,6 +7,7 @@  SRC_URI +=       " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
                    file://0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch \
                    file://0001-net-Check-for-the-minimum-IP-fragmented-datagram-siz.patch \
                    file://0001-fs-squashfs-Use-kcalloc-when-relevant.patch \
+                   file://0001-CVE-2022-30767.patch \
                  "
 
 DEPENDS += "bc-native dtc-native python3-setuptools-native"

[kirkstone,v2,1/8] u-boot: Fix CVE-2022-30767

Commit Message

Patch