new file mode 100644
@@ -0,0 +1,92 @@
+From 2270d652c4b05bd2ff9f95d4d103c194348d3fb9 Mon Sep 17 00:00:00 2001
+From: Albert Chu <chu11@llnl.gov>
+Date: Wed, 11 Mar 2026 11:06:37 -0700
+Subject: [PATCH] ipmi-oem: fix several memory out of bounds errors
+
+Found by Zhihan Zheng (chnzzh@outlook.com)
+
+CVE: CVE-2026-33554
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/freeipmi.git/diff/?h=freeipmi-1-6-0-stable&id=b03ca4d1bff4626c11db8684564b88cd26a2425d]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ ipmi-oem/ipmi-oem-dell.c | 12 +++++++++---
+ ipmi-oem/ipmi-oem-supermicro.c | 7 ++++++-
+ ipmi-oem/ipmi-oem-wistron.c | 7 ++++++-
+ 3 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/ipmi-oem/ipmi-oem-dell.c b/ipmi-oem/ipmi-oem-dell.c
+index 7fbc0c1..cf3bad2 100644
+--- a/ipmi-oem/ipmi-oem-dell.c
++++ b/ipmi-oem/ipmi-oem-dell.c
+@@ -7161,7 +7161,7 @@ ipmi_oem_dell_get_last_post_code (ipmi_oem_state_data_t *state_data)
+ uint8_t bytes_rq[IPMI_OEM_MAX_BYTES];
+ uint8_t bytes_rs[IPMI_OEM_MAX_BYTES];
+ uint8_t post_code;
+- uint8_t string_length;
++ size_t string_length;
+ char post_code_string[IPMI_OEM_STR_BUFLEN + 1];
+ int rs_len;
+ int rv = -1;
+@@ -7216,10 +7216,16 @@ ipmi_oem_dell_get_last_post_code (ipmi_oem_state_data_t *state_data)
+ goto cleanup;
+
+ post_code = bytes_rs[2];
+- string_length = bytes_rs[3];
++ string_length = (size_t)bytes_rs[3];
+
+ if (string_length)
+- memcpy (post_code_string, &bytes_rs[4], string_length);
++ {
++ if (string_length > (size_t)(rs_len - 4))
++ string_length = rs_len - 4;
++ if (string_length > IPMI_OEM_STR_BUFLEN)
++ string_length = IPMI_OEM_STR_BUFLEN;
++ memcpy (post_code_string, &bytes_rs[4], string_length);
++ }
+
+ pstdout_printf (state_data->pstate,
+ "Post Code %02Xh : %s\n",
+diff --git a/ipmi-oem/ipmi-oem-supermicro.c b/ipmi-oem/ipmi-oem-supermicro.c
+index 51b8397..01d6b11 100644
+--- a/ipmi-oem/ipmi-oem-supermicro.c
++++ b/ipmi-oem/ipmi-oem-supermicro.c
+@@ -129,7 +129,12 @@ ipmi_oem_supermicro_extra_firmware_info (ipmi_oem_state_data_t *state_data)
+ firmware_hardware_id = bytes_rs[18];
+
+ if (rs_len > 19)
+- memcpy (firmware_tag, &bytes_rs[19], rs_len - 19);
++ {
++ size_t tag_len = (size_t)(rs_len - 19);
++ if (tag_len > IPMI_OEM_SUPERMICRO_STRING_MAX)
++ tag_len = IPMI_OEM_SUPERMICRO_STRING_MAX;
++ memcpy (firmware_tag, &bytes_rs[19], tag_len);
++ }
+
+ /* assume minor version is BCD, just like in Get Device ID command */
+ /* assume sub version is also BCD */
+diff --git a/ipmi-oem/ipmi-oem-wistron.c b/ipmi-oem/ipmi-oem-wistron.c
+index b182cf7..f705c94 100644
+--- a/ipmi-oem/ipmi-oem-wistron.c
++++ b/ipmi-oem/ipmi-oem-wistron.c
+@@ -3047,6 +3047,7 @@ ipmi_oem_wistron_read_proprietary_string (ipmi_oem_state_data_t *state_data)
+ char string[IPMI_OEM_WISTRON_PROPRIETARY_STRING_MAX + 1];
+ int rs_len;
+ int rv = -1;
++ size_t len;
+
+ assert (state_data);
+ assert (!state_data->prog_data->args->oem_options_count);
+@@ -3107,8 +3108,12 @@ ipmi_oem_wistron_read_proprietary_string (ipmi_oem_state_data_t *state_data)
+ goto cleanup;
+ }
+
++ len = (size_t)bytes_rs[3];
++ if (len > (size_t)(rs_len - 4))
++ len = rs_len - 4;
++
+ memset (string, '\0', IPMI_OEM_WISTRON_PROPRIETARY_STRING_MAX + 1);
+- memcpy (string, &bytes_rs[4], bytes_rs[3]);
++ memcpy (string, &bytes_rs[4], len);
+
+ pstdout_printf (state_data->pstate,
+ "%s\n",
@@ -13,7 +13,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
file://COPYING.pstdout;md5=d32239bcb673463ab874e80d47fae504 \
file://COPYING.sunbmc;md5=c03f21cd76ff5caba6b890d1213cbfbb"
-SRC_URI = "${GNU_MIRROR}/freeipmi/freeipmi-${PV}.tar.gz"
+SRC_URI = "${GNU_MIRROR}/freeipmi/freeipmi-${PV}.tar.gz \
+ file://CVE-2026-33554.patch \
+ "
SRC_URI[sha256sum] = "5bcef6bb9eb680e49b4a3623579930ace7899f53925b2045fe9f91ad6904111d"
DEPENDS = "libgcrypt"
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33554
The advisory references 3 bugs, but they were fixed by the same commit. The first bug[1] references the commit that was backported in this patch.
[1]: https://savannah.gnu.org/bugs/?68140
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
.../freeipmi/freeipmi/CVE-2026-33554.patch | 92 +++++++++++++++++++
.../freeipmi/freeipmi_1.6.16.bb | 4 +-
2 files changed, 95 insertions(+), 1 deletion(-)
create mode 100644 meta-oe/recipes-support/freeipmi/freeipmi/CVE-2026-33554.patch