From patchwork Tue Feb 25 14:29:36 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 57823
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 01/22] u-boot: Fix CVE-2022-30767
Date: Tue, 25 Feb 2025 06:29:36 -0800
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211886

From: Carlos Dominguez

This patch mitigates the vulnerability identified via CVE-2019-14196.
The previous patch was bypassed/ineffective, and now the vulnerability
is identified via CVE-2022-30767. The patch removes the sanity check
introduced to mitigate CVE-2019-14196 since it's ineffective.
filefh3_length is changed to unsigned type integer, preventing negative
numbers from being used during comparison with positive values during
size sanity checks.

Signed-off-by: Carlos Dominguez
Signed-off-by: Kai Kang
Signed-off-by: Steve Sakoman
---
 .../u-boot/files/0001-CVE-2022-30767.patch | 44 +++++++++++++++++++
 meta/recipes-bsp/u-boot/u-boot_2022.01.bb  |  1 +
 2 files changed, 45 insertions(+)
 create mode 100644 meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch

diff --git a/meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch b/meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch
new file mode 100644
index 0000000000..aee7f05ab4
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch
@@ -0,0 +1,44 @@ +From bdbf7a05e26f3c5fd437c99e2755ffde186ddc80 Thr Jun 2 00:00:00 2022 +From: Andrea zi0Black Cappa +Date: Tue, 14 Jun 2022 17:16:00 +0200 +Subject: [PATCH] net: nfs: Fix CVE-2022-30767 (old CVE-2019-14196) + +This patch mitigates the vulnerability identified via CVE-2019-14196. +The previous patch was bypassed/ineffective, and now the vulnerability +is identified via CVE-2022-30767. The patch removes the sanity check +introduced to mitigate CVE-2019-14196 since it's ineffective. +filefh3_length is changed to unsigned type integer, preventing negative +numbers from being used during comparison with positive values during +size sanity checks. + +CVE: CVE-2019-14196 + +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/bdbf7a05e26f3c5fd437c99e2755ffde186ddc80] +Signed-off-by: Andrea zi0Black Cappa +Signed-off-by: Carlos Dominguez +--- + net/nfs.c | 4 +--- + 1 file changed, 1 insertions(+), 3 deletions(-) + +diff --git a/net/nfs.c b/net/nfs.c +index 70d0e08bde..3003f54aac 100644 +--- a/net/nfs.c ++++ b/net/nfs.c +@@ -57,7 +57,7 @@ static ulong nfs_timeout = NFS_TIMEOUT; + + static char dirfh[NFS_FHSIZE]; /* NFSv2 / NFSv3 file handle of directory */ + static char filefh[NFS3_FHSIZE]; /* NFSv2 / NFSv3 file handle */ +-static int filefh3_length; /* (variable) length of filefh when NFSv3 */ ++static unsigned int filefh3_length; /* (variable) length of filefh when NFSv3 */ + + static enum net_loop_state nfs_download_state; + static struct in_addr nfs_server_ip; +@@ -578,8 +578,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len) + filefh3_length = ntohl(rpc_pkt.u.reply.data[1]); + if (filefh3_length > NFS3_FHSIZE) + filefh3_length = NFS3_FHSIZE; +- if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len) +- return -NFS_RPC_DROP; + memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length); + } + 
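Review bot: The packet-length check removed from nfs_lookup_reply() in the second net/nfs.c hunk has no replacement, so after this patch nothing verifies that the reply actually carries filefh3_length bytes after rpc_pkt.u.reply.data[1]. The unsigned type plus the clamp to NFS3_FHSIZE do bound the memcpy into filefh, which is what CVE-2022-30767 needed, but a truncated reply now copies whatever the rpc_pkt buffer holds beyond the received len into the file handle instead of being dropped; consider keeping the comparison against len in a form that works with the unsigned length, e.g. returning -NFS_RPC_DROP when `(uchar *)&rpc_pkt.u.reply.data[2] - (uchar *)&rpc_pkt + filefh3_length > len`. Two metadata nits: the "CVE:" tag names only CVE-2019-14196 while the file is 0001-CVE-2022-30767.patch, so add "CVE: CVE-2022-30767" as well rather than relying on cve-check picking the id out of the filename; and the "From bdbf7a05e26f3c5fd437c99e2755ffde186ddc80 Thr Jun 2 00:00:00 2022" line is not the header git produces (it emits a weekday such as "Mon Sep 17 00:00:00 2001"), harmless for applying but worth normalising.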
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
index c4cfcbca19..cd40ad1a7d 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -7,6 +7,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch \ file://0001-net-Check-for-the-minimum-IP-fragmented-datagram-siz.patch \ file://0001-fs-squashfs-Use-kcalloc-when-relevant.patch \ + file://0001-CVE-2022-30767.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native"

From patchwork Tue Feb 25 14:29:37 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 57822
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 02/22] u-boot: fix CVE-2022-2347 and CVE-2022-30790
Date: Tue, 25 Feb 2025 06:29:37 -0800
Message-ID: <7a5220a4877cd4d3766728e8a3525c157b6167fb.1740493685.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211887

From: Sakib Sajal

Backport appropriate patches to fix CVE-2022-2347 and CVE-2022-30790.

Signed-off-by: Sakib Sajal
Signed-off-by: Steve Sakoman
---
 .../u-boot/files/CVE-2022-2347_1.patch    | 129 +++++++++++++++
 .../u-boot/files/CVE-2022-2347_2.patch    |  66 ++++++++
 .../u-boot/files/CVE-2022-30790.patch     | 149 ++++++++++++++++++
 meta/recipes-bsp/u-boot/u-boot_2022.01.bb |   3 +
 4 files changed, 347 insertions(+)
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2022-2347_1.patch
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2022-2347_2.patch
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2022-30790.patch

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2022-2347_1.patch b/meta/recipes-bsp/u-boot/files/CVE-2022-2347_1.patch
new file mode 100644
index 0000000000..34ee82c3a5
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2022-2347_1.patch
@@ -0,0 +1,129 @@ +From 9d2d2deabc49dbedf93a7192b25f55d9933fcede Mon Sep 17 00:00:00 2001 +From: Venkatesh Yadav Abbarapu +Date: Thu, 3 Nov 2022 09:37:48 +0530 +Subject: [PATCH 1/2] usb: gadget: dfu: Fix the unchecked length field + +DFU implementation does not bound the length field in USB +DFU download setup packets, and it does not verify that +the transfer direction. Fixing the length and transfer +direction. + +CVE-2022-2347 + +Signed-off-by: Venkatesh Yadav Abbarapu +Reviewed-by: Marek Vasut + +CVE: CVE-2022-2347 +Upstream-Status: Backport [fbce985e28eaca3af82afecc11961aadaf971a7e] +Signed-off-by: Sakib Sajal +--- + drivers/usb/gadget/f_dfu.c | 56 +++++++++++++++++++++++++------------- + 1 file changed, 37 insertions(+), 19 deletions(-) + +diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c +index 4bedc7d3a1..33ef62f8ba 100644 +--- a/drivers/usb/gadget/f_dfu.c ++++ b/drivers/usb/gadget/f_dfu.c +@@ -321,21 +321,29 @@ static int state_dfu_idle(struct f_dfu *f_dfu, + u16 len = le16_to_cpu(ctrl->wLength); + int value = 0; + ++ len = len > DFU_USB_BUFSIZ ? 
DFU_USB_BUFSIZ : len; ++ + switch (ctrl->bRequest) { + case USB_REQ_DFU_DNLOAD: +- if (len == 0) { +- f_dfu->dfu_state = DFU_STATE_dfuERROR; +- value = RET_STALL; +- break; ++ if (ctrl->bRequestType == USB_DIR_OUT) { ++ if (len == 0) { ++ f_dfu->dfu_state = DFU_STATE_dfuERROR; ++ value = RET_STALL; ++ break; ++ } ++ f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC; ++ f_dfu->blk_seq_num = w_value; ++ value = handle_dnload(gadget, len); + } +- f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC; +- f_dfu->blk_seq_num = w_value; +- value = handle_dnload(gadget, len); + break; + case USB_REQ_DFU_UPLOAD: +- f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE; +- f_dfu->blk_seq_num = 0; +- value = handle_upload(req, len); ++ if (ctrl->bRequestType == USB_DIR_IN) { ++ f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE; ++ f_dfu->blk_seq_num = 0; ++ value = handle_upload(req, len); ++ if (value >= 0 && value < len) ++ f_dfu->dfu_state = DFU_STATE_dfuIDLE; ++ } + break; + case USB_REQ_DFU_ABORT: + /* no zlp? */ +@@ -424,11 +432,15 @@ static int state_dfu_dnload_idle(struct f_dfu *f_dfu, + u16 len = le16_to_cpu(ctrl->wLength); + int value = 0; + ++ len = len > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : len; ++ + switch (ctrl->bRequest) { + case USB_REQ_DFU_DNLOAD: +- f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC; +- f_dfu->blk_seq_num = w_value; +- value = handle_dnload(gadget, len); ++ if (ctrl->bRequestType == USB_DIR_OUT) { ++ f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC; ++ f_dfu->blk_seq_num = w_value; ++ value = handle_dnload(gadget, len); ++ } + break; + case USB_REQ_DFU_ABORT: + f_dfu->dfu_state = DFU_STATE_dfuIDLE; +@@ -511,13 +523,17 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu, + u16 len = le16_to_cpu(ctrl->wLength); + int value = 0; + ++ len = len > DFU_USB_BUFSIZ ? 
DFU_USB_BUFSIZ : len; ++ + switch (ctrl->bRequest) { + case USB_REQ_DFU_UPLOAD: +- /* state transition if less data then requested */ +- f_dfu->blk_seq_num = w_value; +- value = handle_upload(req, len); +- if (value >= 0 && value < len) +- f_dfu->dfu_state = DFU_STATE_dfuIDLE; ++ if (ctrl->bRequestType == USB_DIR_IN) { ++ /* state transition if less data then requested */ ++ f_dfu->blk_seq_num = w_value; ++ value = handle_upload(req, len); ++ if (value >= 0 && value < len) ++ f_dfu->dfu_state = DFU_STATE_dfuIDLE; ++ } + break; + case USB_REQ_DFU_ABORT: + f_dfu->dfu_state = DFU_STATE_dfuIDLE; +@@ -593,6 +609,8 @@ dfu_handle(struct usb_function *f, const struct usb_ctrlrequest *ctrl) + int value = 0; + u8 req_type = ctrl->bRequestType & USB_TYPE_MASK; + ++ len = len > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : len; ++ + debug("w_value: 0x%x len: 0x%x\n", w_value, len); + debug("req_type: 0x%x ctrl->bRequest: 0x%x f_dfu->dfu_state: 0x%x\n", + req_type, ctrl->bRequest, f_dfu->dfu_state); +@@ -612,7 +630,7 @@ dfu_handle(struct usb_function *f, const struct usb_ctrlrequest *ctrl) + value = dfu_state[f_dfu->dfu_state] (f_dfu, ctrl, gadget, req); + + if (value >= 0) { +- req->length = value; ++ req->length = value > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : value; + req->zero = value < len; + value = usb_ep_queue(gadget->ep0, req, 0); + if (value < 0) { +-- +2.32.0 + diff --git a/meta/recipes-bsp/u-boot/files/CVE-2022-2347_2.patch b/meta/recipes-bsp/u-boot/files/CVE-2022-2347_2.patch new file mode 100644 index 0000000000..708c7923d2 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2022-2347_2.patch 
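Review bot: In CVE-2022-2347_1.patch above, the new direction checks in state_dfu_idle(), state_dfu_dnload_idle() and state_dfu_upload_idle() test `ctrl->bRequestType == USB_DIR_OUT` and `ctrl->bRequestType == USB_DIR_IN`, but bRequestType also carries the type and recipient bits (the same patch masks it with USB_TYPE_MASK in dfu_handle()), so a class request such as DFU_DNLOAD never compares equal and every download and upload is silently blocked. The test has to be a mask, `!(ctrl->bRequestType & USB_DIR_IN)` for OUT and `ctrl->bRequestType & USB_DIR_IN` for IN; that is exactly what CVE-2022-2347_2.patch in this series corrects, so the two files must land together and the recipe should never be built with only the first. The per-state `len = len > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : len;` clamps are not redundant with the one in dfu_handle(), since each state function re-reads ctrl->wLength itself, so keeping all of them is right.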
@@ -0,0 +1,66 @@ +From 0f465b3e81baa095b62a154a739c5378285526db Mon Sep 17 00:00:00 2001 +From: Hugo SIMELIERE +Date: Wed, 30 Nov 2022 09:29:16 +0100 +Subject: [PATCH 2/2] usb: gadget: dfu: Fix check of transfer direction + +Commit fbce985e28eaca3af82afecc11961aadaf971a7e to fix CVE-2022-2347 +blocks DFU usb requests. +The verification of the transfer direction was done by an equality +but it is a bit mask. + +Signed-off-by: Hugo SIMELIERE +Reviewed-by: Fabio Estevam +Reviewed-by: Sultan Qasim Khan +Reviewed-by: Marek Vasut +Tested-by: Marek Vasut + +CVE: CVE-2022-2347 +Upstream-Status: Backport [14dc0ab138988a8e45ffa086444ec8db48b3f103] +Signed-off-by: Sakib Sajal +--- + drivers/usb/gadget/f_dfu.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c +index 33ef62f8ba..44877df4ec 100644 +--- a/drivers/usb/gadget/f_dfu.c ++++ b/drivers/usb/gadget/f_dfu.c +@@ -325,7 +325,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu, + + switch (ctrl->bRequest) { + case USB_REQ_DFU_DNLOAD: +- if (ctrl->bRequestType == USB_DIR_OUT) { ++ if (!(ctrl->bRequestType & USB_DIR_IN)) { + if (len == 0) { + f_dfu->dfu_state = DFU_STATE_dfuERROR; + value = RET_STALL; +@@ -337,7 +337,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu, + } + break; + case USB_REQ_DFU_UPLOAD: +- if (ctrl->bRequestType == USB_DIR_IN) { ++ if (ctrl->bRequestType & USB_DIR_IN) { + f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE; + f_dfu->blk_seq_num = 0; + value = handle_upload(req, len); +@@ -436,7 +436,7 @@ static int state_dfu_dnload_idle(struct f_dfu *f_dfu, + + switch (ctrl->bRequest) { + case USB_REQ_DFU_DNLOAD: +- if (ctrl->bRequestType == USB_DIR_OUT) { ++ if (!(ctrl->bRequestType & USB_DIR_IN)) { + f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC; + f_dfu->blk_seq_num = w_value; + value = handle_dnload(gadget, len); +@@ -527,7 +527,7 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu, + + switch (ctrl->bRequest) { + case 
USB_REQ_DFU_UPLOAD: +- if (ctrl->bRequestType == USB_DIR_IN) { ++ if (ctrl->bRequestType & USB_DIR_IN) { + /* state transition if less data then requested */ + f_dfu->blk_seq_num = w_value; + value = handle_upload(req, len); +-- +2.32.0 + diff --git a/meta/recipes-bsp/u-boot/files/CVE-2022-30790.patch b/meta/recipes-bsp/u-boot/files/CVE-2022-30790.patch new file mode 100644 index 0000000000..e67cf391a8 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2022-30790.patch 
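Review bot: With the mask form in CVE-2022-2347_2.patch above, a DNLOAD or UPLOAD request that arrives with the wrong direction bit falls through to `break` with `value` still 0, and dfu_handle() (see the `if (value >= 0)` hunk in CVE-2022-2347_1.patch) then queues an empty ep0 response as if the request succeeded instead of stalling it. Setting `value = RET_STALL` in that case, as the zero-length DNLOAD branch already does, would make the rejection visible to the host and to anyone verifying the fix; a follow-up rather than a blocker for this backport.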
@@ -0,0 +1,149 @@ +From 1817c3824a08bbad7fd2fbae1a6e73be896e8e5e Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes +Date: Fri, 14 Oct 2022 19:43:39 +0200 +Subject: [PATCH] net: (actually/better) deal with CVE-2022-{30790,30552} + +I hit a strange problem with v2022.10: Sometimes my tftp transfer +would seemingly just hang. It only happened for some files. Moreover, +changing tftpblocksize from 65464 to 65460 or 65000 made it work again +for all the files I tried. So I started suspecting it had something to +do with the file sizes and in particular the way the tftp blocks get +fragmented and reassembled. + +v2022.01 showed no problems with any of the files or any value of +tftpblocksize. + +Looking at what had changed in net.c or tftp.c since January showed +only one remotely interesting thing, b85d130ea0ca. + +So I fired up wireshark on my host to see if somehow one of the +packets would be too small. But no, with both v2022.01 and v2022.10, +the exact same sequence of packets were sent, all but the last of size +1500, and the last being 1280 bytes. + +But then it struck me that 1280 is 5*256, so one of the two bytes +on-the-wire is 0 and the other is 5, and when then looking at the code +again the lack of endianness conversion becomes obvious. [ntohs is +both applied to ip->ip_off just above, as well as to ip->ip_len just a +little further down when the "len" is actually computed]. + +IOWs the current code would falsely reject any packet which happens to +be a multiple of 256 bytes in size, breaking tftp transfers somewhat +randomly, and if it did get one of those "malicious" packets with +ip_len set to, say, 27, it would be seen by this check as being 6912 +and hence not rejected. + +==== + +Now, just adding the missing ntohs() would make my initial problem go +away, in that I can now download the file where the last fragment ends +up being 1280 bytes. 
But there's another bug in the code and/or +analysis: The right-hand side is too strict, in that it is ok for the +last fragment not to have a multiple of 8 bytes as payload - it really +must be ok, because nothing in the IP spec says that IP datagrams must +have a multiple of 8 bytes as payload. And comments in the code also +mention this. + +To fix that, replace the comparison with <= IP_HDR_SIZE and add +another check that len is actually a multiple of 8 when the "more +fragments" bit is set - which it necessarily is for the case where +offset8 ends up being 0, since we're only called when + + (ip_off & (IP_OFFS | IP_FLAGS_MFRAG)). + +==== + +So, does this fix CVE-2022-30790 for real? It certainly correctly +rejects the POC code which relies on sending a packet of size 27 with +the MFRAG flag set. Can the attack be carried out with a size 27 +packet that doesn't set MFRAG (hence must set a non-zero fragment +offset)? I dunno. If we get a packet without MFRAG, we update +h->last_byte in the hole we've found to be start+len, hence we'd enter +one of + + if ((h >= thisfrag) && (h->last_byte <= start + len)) { + +or + + } else if (h->last_byte <= start + len) { + +and thus won't reach any of the + + /* overlaps with initial part of the hole: move this hole */ + newh = thisfrag + (len / 8); + + /* fragment sits in the middle: split the hole */ + newh = thisfrag + (len / 8); + +IOW these division are now guaranteed to be exact, and thus I think +the scenario in CVE-2022-30790 cannot happen anymore. + +==== + +However, there's a big elephant in the room, which has always been +spelled out in the comments, and which makes me believe that one can +still cause mayhem even with packets whose payloads are all 8-byte +aligned: + + This code doesn't deal with a fragment that overlaps with two + different holes (thus being a superset of a previously-received + fragment). 
+ +Suppose each character below represents 8 bytes, with D being already +received data, H being a hole descriptor (struct hole), h being +non-populated chunks, and P representing where the payload of a just +received packet should go: + + DDDHhhhhDDDDHhhhDDDD + PPPPPPPPP + +I'm pretty sure in this case we'd end up with h being the first hole, +enter the simple + + } else if (h->last_byte <= start + len) { + /* overlaps with final part of the hole: shorten this hole */ + h->last_byte = start; + +case, and thus in the memcpy happily overwrite the second H with our +chosen payload. This is probably worth fixing... + +Signed-off-by: Rasmus Villemoes + +CVE: CVE-2022-30790 +Upstream-Status: Backport [1817c3824a08bbad7fd2fbae1a6e73be896e8e5e] +Signed-off-by: Sakib Sajal +--- + net/net.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/net/net.c b/net/net.c +index 434c3b411e..987c25931e 100644 +--- a/net/net.c ++++ b/net/net.c +@@ -924,7 +924,11 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp) + int offset8, start, len, done = 0; + u16 ip_off = ntohs(ip->ip_off); + +- if (ip->ip_len < IP_MIN_FRAG_DATAGRAM_SIZE) ++ /* ++ * Calling code already rejected <, but we don't have to deal ++ * with an IP fragment with no payload. ++ */ ++ if (ntohs(ip->ip_len) <= IP_HDR_SIZE) + return NULL; + + /* payload starts after IP header, this fragment is in there */ +@@ -934,6 +938,10 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp) + start = offset8 * 8; + len = ntohs(ip->ip_len) - IP_HDR_SIZE; + ++ /* All but last fragment must have a multiple-of-8 payload. */ ++ if ((len & 7) && (ip_off & IP_FLAGS_MFRAG)) ++ return NULL; ++ + if (start + len > IP_MAXUDP) /* fragment extends too far */ + return NULL; + +-- +2.25.1 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index cd40ad1a7d..62ebe40cb6 100644 
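Review bot: The commit message of CVE-2022-30790.patch above ends by describing a case it leaves open: a fragment whose payload spans two holes (the DDDHhhhhDDDDHhhhDDDD / PPPPPPPPP diagram) still takes the "shorten this hole" branch and the memcpy overwrites the second hole descriptor, and the author says so ("This is probably worth fixing..."). The two checks added to __net_defragment(), `ntohs(ip->ip_len) <= IP_HDR_SIZE` and the multiple-of-8 test when IP_FLAGS_MFRAG is set, close the size-27 case the message walks through, but the "CVE: CVE-2022-30790" tag will make cve-check report the issue as fully patched; please say in the kirkstone commit message that the overlapping-holes case is not covered by this backport and track it separately. Smaller point: the new comment "Calling code already rejected <, but we don't have to deal with an IP fragment with no payload." is hard to parse; something like "Calling code already rejected ip_len below IP_MIN_FRAG_DATAGRAM_SIZE; additionally drop fragments with no payload" would say what the check does.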
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -8,6 +8,9 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://0001-net-Check-for-the-minimum-IP-fragmented-datagram-siz.patch \ file://0001-fs-squashfs-Use-kcalloc-when-relevant.patch \ file://0001-CVE-2022-30767.patch \ + file://CVE-2022-30790.patch \ + file://CVE-2022-2347_1.patch \ + file://CVE-2022-2347_2.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native"

From patchwork Tue Feb 25 14:29:38 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 57821
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 03/22] u-boot: fix CVE-2024-57254
Date: Tue, 25 Feb 2025 06:29:38 -0800
Message-ID: <956836ab347e9112be0f8892b1b82c4bcb17990c.1740493685.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211888

From: Hongxu Jia

An integer overflow in sqfs_inode_size in Das U-Boot before 2025.01-rc1
occurs in the symlink size calculation via a crafted squashfs filesystem.

https://nvd.nist.gov/vuln/detail/CVE-2024-57254

Signed-off-by: Hongxu Jia
Signed-off-by: Steve Sakoman
---
 .../u-boot/files/CVE-2024-57254.patch     | 47 +++++++++++++++++++
 meta/recipes-bsp/u-boot/u-boot_2022.01.bb |  1 +
 2 files changed, 48 insertions(+)
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch
new file mode 100644
index 0000000000..be00121224
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch
@@ -0,0 +1,47 @@ +From 3f9deb424ecd6ecd50f165b42f0b0290d83853f5 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Fri, 2 Aug 2024 18:36:45 +0200 +Subject: [PATCH 1/8] squashfs: Fix integer overflow in sqfs_inode_size() + +A carefully crafted squashfs filesystem can exhibit an extremly large +inode size and overflow the calculation in sqfs_inode_size(). +As a consequence, the squashfs driver will read from wrong locations. + +Fix by using __builtin_add_overflow() to detect the overflow. + +Signed-off-by: Richard Weinberger +Reviewed-by: Miquel Raynal + +CVE: CVE-2024-57254 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/c8e929e5758999933f9e905049ef2bf3fe6b140d] +Signed-off-by: Hongxu Jia +--- + fs/squashfs/sqfs_inode.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c +index d25cfb53..bb3ccd37 100644 +--- a/fs/squashfs/sqfs_inode.c ++++ b/fs/squashfs/sqfs_inode.c +@@ -78,11 +78,16 @@ int sqfs_inode_size(struct squashfs_base_inode *inode, u32 blk_size) + + case SQFS_SYMLINK_TYPE: + case SQFS_LSYMLINK_TYPE: { ++ int size; ++ + struct squashfs_symlink_inode *symlink = + (struct squashfs_symlink_inode *)inode; + +- return sizeof(*symlink) + +- get_unaligned_le32(&symlink->symlink_size); ++ if (__builtin_add_overflow(sizeof(*symlink), ++ get_unaligned_le32(&symlink->symlink_size), &size)) ++ return -EINVAL; ++ ++ return size; + } + + case SQFS_BLKDEV_TYPE: +-- +2.34.1 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index 62ebe40cb6..d9c6fcb993 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb 
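Review bot: sqfs_inode_size() can now return -EINVAL from the symlink case in CVE-2024-57254.patch above, whereas before this hunk it only ever returned a size, so every caller that feeds the result into a length or offset needs a `< 0` check first; the hunk does not show the callers in fs/squashfs, so please confirm the 2022.01 tree handles the negative return, otherwise the detected overflow becomes a bogus negative size instead of a rejected image. Also the "From 3f9deb424ecd6ecd50f165b42f0b0290d83853f5" line and the Upstream-Status reference to c8e929e5758999933f9e905049ef2bf3fe6b140d name different commits; Upstream-Status should point at the commit the patch was actually taken from. And since the Subject marks this as [PATCH 1/8] of an upstream squashfs series, it is worth checking whether the remaining seven carry separate CVE tags that kirkstone also needs.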
@@ -11,6 +11,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://CVE-2022-30790.patch \ file://CVE-2022-2347_1.patch \ file://CVE-2022-2347_2.patch \ + file://CVE-2024-57254.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native"

From patchwork Tue Feb 25 14:29:39 2025
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 04/22] u-boot: fix CVE-2024-57255
Date: Tue, 25 Feb 2025 06:29:39 -0800
Message-ID: <687b6e0a166d7dc999b7d226a9bd68155f59a03a.1740493685.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211889

From: Hongxu Jia

An integer overflow in sqfs_resolve_symlink in Das U-Boot before 2025.01-rc1 occurs via a crafted squashfs filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite.

https://nvd.nist.gov/vuln/detail/CVE-2024-57255

Signed-off-by: Hongxu Jia
Signed-off-by: Steve Sakoman
---
 .../u-boot/files/CVE-2024-57255.patch | 53 +++++++++++++++++++
 meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 +
 2 files changed, 54 insertions(+)
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch
new file mode 100644
index 0000000000..4ca72da554
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch
@@ -0,0 +1,53 @@ +From 5d7ca74388544bf8c95e104517a9120e94bfe40d Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Fri, 2 Aug 2024 18:36:44 +0200 +Subject: [PATCH 2/8] squashfs: Fix integer overflow in sqfs_resolve_symlink() + +A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff, +as a consequence malloc() will do a zero allocation. +Later in the function the inode size is again used for copying data. +So an attacker can overwrite memory. +Avoid the overflow by using the __builtin_add_overflow() helper. + +Signed-off-by: Richard Weinberger +Reviewed-by: Miquel Raynal + +CVE: CVE-2024-57255 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/233945eba63e24061dffeeaeb7cd6fe985278356] +Signed-off-by: Hongxu Jia +--- + fs/squashfs/sqfs.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c +index 1430e671..16a07c06 100644 +--- a/fs/squashfs/sqfs.c ++++ b/fs/squashfs/sqfs.c +@@ -422,8 +422,10 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym, + char *resolved, *target; + u32 sz; + +- sz = get_unaligned_le32(&sym->symlink_size); +- target = malloc(sz + 1); ++ if (__builtin_add_overflow(get_unaligned_le32(&sym->symlink_size), 1, &sz)) ++ return NULL; ++ ++ target = malloc(sz); + if (!target) + return NULL; + +@@ -431,9 +433,9 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym, + * There is no trailling null byte in the symlink's target path, so a + * copy is made and a '\0' is added at its end. + */ +- target[sz] = '\0'; ++ target[sz - 1] = '\0'; + /* Get target name (relative path) */ +- strncpy(target, sym->symlink, sz); ++ strncpy(target, sym->symlink, sz - 1); + + /* Relative -> absolute path conversion */ + resolved = sqfs_get_abs_path(base_path, target); +-- +2.34.1 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index d9c6fcb993..cfe36256f3 100644 
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb 
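Review bot: the new early `return NULL` in CVE-2024-57255.patch, taken when `get_unaligned_le32(&sym->symlink_size) + 1` overflows u32, is only safe if every caller of sqfs_resolve_symlink() checks for NULL. The function already returned NULL on malloc() failure, but the symlink cases visible in the CVE-2024-57257 patch later in this series pass `resolved` straight into `ret = sqfs_read(resolved, buf, offset, len, actread);` and `ret = sqfs_size(resolved, size);` with no check, and both of those functions hand the filename to `sqfs_split_path(&file, &dir, filename);`, so a NULL here becomes a NULL path one level down. Confirm those paths tolerate it or add the check at the call sites. The size bookkeeping itself is consistent: `sz` now holds symlink_size + 1, `target = malloc(sz)` allocates that, and `target[sz - 1] = '\0'` with `strncpy(target, sym->symlink, sz - 1)` use the original length again, so the 0xffffffff case is rejected rather than wrapping to a zero-byte allocation.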
@@ -12,6 +12,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://CVE-2022-2347_1.patch \ file://CVE-2022-2347_2.patch \ file://CVE-2024-57254.patch \ + file://CVE-2024-57255.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native"

From patchwork Tue Feb 25 14:29:40 2025
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 05/22] u-boot: fix CVE-2024-57256
Date: Tue, 25 Feb 2025 06:29:40 -0800
Message-ID: <534aa63726f31241e3a9d4aa70d4005fa0300133.1740493685.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211890

From: Hongxu Jia

An integer overflow in ext4fs_read_symlink in Das U-Boot before 2025.01-rc1 occurs for zalloc (adding one to an le32 variable) via a crafted ext4 filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite.

https://nvd.nist.gov/vuln/detail/CVE-2024-57256

Signed-off-by: Hongxu Jia
Signed-off-by: Steve Sakoman
---
 .../u-boot/files/CVE-2024-57256.patch | 51 +++++++++++++++++++
 meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 +
 2 files changed, 52 insertions(+)
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch
new file mode 100644
index 0000000000..78cf4ac225
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch
@@ -0,0 +1,51 @@ +From 49cab731abe7a98db4ac16666e3b5ab3bc799282 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Fri, 9 Aug 2024 11:54:28 +0200 +Subject: [PATCH 3/8] ext4: Fix integer overflow in ext4fs_read_symlink() + +While zalloc() takes a size_t type, adding 1 to the le32 variable +will overflow. +A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff +and as consequence zalloc() will do a zero allocation. + +Later in the function the inode size is again used for copying data. +So an attacker can overwrite memory. + +Avoid the overflow by using the __builtin_add_overflow() helper. + +Signed-off-by: Richard Weinberger + +CVE: CVE-2024-57256 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/35f75d2a46e5859138c83a75cd2f4141c5479ab9] +Signed-off-by: Hongxu Jia +--- + fs/ext4/ext4_common.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c +index f50de7c0..a7798296 100644 +--- a/fs/ext4/ext4_common.c ++++ b/fs/ext4/ext4_common.c +@@ -2188,13 +2188,18 @@ static char *ext4fs_read_symlink(struct ext2fs_node *node) + struct ext2fs_node *diro = node; + int status; + loff_t actread; ++ size_t alloc_size; + + if (!diro->inode_read) { + status = ext4fs_read_inode(diro->data, diro->ino, &diro->inode); + if (status == 0) + return NULL; + } +- symlink = zalloc(le32_to_cpu(diro->inode.size) + 1); ++ ++ if (__builtin_add_overflow(le32_to_cpu(diro->inode.size), 1, &alloc_size)) ++ return NULL; ++ ++ symlink = zalloc(alloc_size); + if (!symlink) + return NULL; + +-- +2.34.1 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index cfe36256f3..c643fb35f3 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb 
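Review bot: with `size_t alloc_size` as the overflow target, the `__builtin_add_overflow(le32_to_cpu(diro->inode.size), 1, &alloc_size)` check in CVE-2024-57256.patch can only report overflow on 32-bit targets; on 64-bit an inode size of 0xffffffff yields alloc_size = 0x100000000 and correctness rests on zalloc() failing a 4 GiB request and the existing `if (!symlink) return NULL;` catching it. That does hold, because the builtin computes the sum without the u32 wrap the original `zalloc(le32_to_cpu(diro->inode.size) + 1)` suffered, but an explicit upper bound on the symlink length would state the intent more clearly than relying on allocator failure. The hunk ends before the copy the commit message refers to ("Later in the function the inode size is again used for copying data"); confirm that copy is bounded by alloc_size - 1 rather than re-reading inode.size, otherwise the allocation and the copy can still disagree.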
@@ -13,6 +13,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://CVE-2022-2347_2.patch \ file://CVE-2024-57254.patch \ file://CVE-2024-57255.patch \ + file://CVE-2024-57256.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native"

From patchwork Tue Feb 25 14:29:41 2025
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 06/22] u-boot: fix CVE-2024-57257
Date: Tue, 25 Feb 2025 06:29:41 -0800
Message-ID: <5ed8ad78bcce836aa8894de7a1d7fdf719e5bbca.1740493685.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211891

From: Hongxu Jia

A stack consumption issue in sqfs_size in Das U-Boot before 2025.01-rc1 occurs via a crafted squashfs filesystem with deep symlink nesting.

https://nvd.nist.gov/vuln/detail/CVE-2024-57257

Signed-off-by: Hongxu Jia
Signed-off-by: Steve Sakoman
---
 .../u-boot/files/CVE-2024-57257.patch | 228 ++++++++++++++++++
 meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 +
 2 files changed, 229 insertions(+)
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch
new file mode 100644
index 0000000000..5b6cbb8cad
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch
@@ -0,0 +1,228 @@ +From 790a2005e7a44dba059f5dbf1b9eff3a13e9b5e7 Mon Sep 17 00:00:00 2001 +From: Hongxu Jia +Date: Wed, 19 Feb 2025 15:51:53 +0800 +Subject: [PATCH] squashfs: Fix stack overflow while symlink resolving + +The squashfs driver blindly follows symlinks, and calls sqfs_size() +recursively. So an attacker can create a crafted filesystem and with +a deep enough nesting level a stack overflow can be achieved. + +Fix by limiting the nesting level to 8. + +Signed-off-by: Richard Weinberger +Reviewed-by: Miquel Raynal + +CVE: CVE-2024-57257 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/4f5cc096bfd0a591f8a11e86999e3d90a9484c34] + +Signed-off-by: Hongxu Jia +--- + fs/squashfs/sqfs.c | 76 +++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 61 insertions(+), 15 deletions(-) + +diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c +index 7f2af8e1f9..09c0911689 100644 +--- a/fs/squashfs/sqfs.c ++++ b/fs/squashfs/sqfs.c +@@ -24,7 +24,12 @@ + #include "sqfs_filesystem.h" + #include "sqfs_utils.h" + ++#define MAX_SYMLINK_NEST 8 ++ + static struct squashfs_ctxt ctxt; ++static int symlinknest; ++ ++static int sqfs_readdir_nest(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp); + + static int sqfs_disk_read(__u32 block, __u32 nr_blocks, void *buf) + { +@@ -502,7 +507,7 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, + goto out; + } + +- while (!sqfs_readdir(dirsp, &dent)) { ++ while (!sqfs_readdir_nest(dirsp, &dent)) { + ret = strcmp(dent->name, token_list[j]); + if (!ret) + break; +@@ -527,6 +532,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, + + /* Check for symbolic link and inode type sanity */ + if (get_unaligned_le16(&dir->inode_type) == SQFS_SYMLINK_TYPE) { ++ if (++symlinknest == MAX_SYMLINK_NEST) { ++ ret = -ELOOP; ++ goto out; ++ } ++ + sym = (struct squashfs_symlink_inode *)table; + /* Get first j + 1 tokens */ + path = 
sqfs_concat_tokens(token_list, j + 1); +@@ -872,7 +882,7 @@ out: + return metablks_count; + } + +-int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp) ++static int sqfs_opendir_nest(const char *filename, struct fs_dir_stream **dirsp) + { + unsigned char *inode_table = NULL, *dir_table = NULL; + int j, token_count = 0, ret = 0, metablks_count; +@@ -967,7 +977,19 @@ out: + return ret; + } + ++int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp) ++{ ++ symlinknest = 0; ++ return sqfs_opendir_nest(filename, dirsp); ++} ++ + int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp) ++{ ++ symlinknest = 0; ++ return sqfs_readdir_nest(fs_dirs, dentp); ++} ++ ++static int sqfs_readdir_nest(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp) + { + struct squashfs_super_block *sblk = ctxt.sblk; + struct squashfs_dir_stream *dirs; +@@ -1311,8 +1333,8 @@ static int sqfs_get_lregfile_info(struct squashfs_lreg_inode *lreg, + return datablk_count; + } + +-int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len, +- loff_t *actread) ++static int sqfs_read_nest(const char *filename, void *buf, loff_t offset, ++ loff_t len, loff_t *actread) + { + char *dir = NULL, *fragment_block, *datablock = NULL, *data_buffer = NULL; + char *fragment = NULL, *file = NULL, *resolved, *data; +@@ -1342,11 +1364,11 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len, + } + + /* +- * sqfs_opendir will uncompress inode and directory tables, and will ++ * sqfs_opendir_nest will uncompress inode and directory tables, and will + * return a pointer to the directory that contains the requested file. 
+ */ + sqfs_split_path(&file, &dir, filename); +- ret = sqfs_opendir(dir, &dirsp); ++ ret = sqfs_opendir_nest(dir, &dirsp); + if (ret) { + goto out; + } +@@ -1354,7 +1376,7 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len, + dirs = (struct squashfs_dir_stream *)dirsp; + + /* For now, only regular files are able to be loaded */ +- while (!sqfs_readdir(dirsp, &dent)) { ++ while (!sqfs_readdir_nest(dirsp, &dent)) { + ret = strcmp(dent->name, file); + if (!ret) + break; +@@ -1403,9 +1425,14 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len, + break; + case SQFS_SYMLINK_TYPE: + case SQFS_LSYMLINK_TYPE: ++ if (++symlinknest == MAX_SYMLINK_NEST) { ++ ret = -ELOOP; ++ goto out; ++ } ++ + symlink = (struct squashfs_symlink_inode *)ipos; + resolved = sqfs_resolve_symlink(symlink, filename); +- ret = sqfs_read(resolved, buf, offset, len, actread); ++ ret = sqfs_read_nest(resolved, buf, offset, len, actread); + free(resolved); + goto out; + case SQFS_BLKDEV_TYPE: +@@ -1579,7 +1606,14 @@ out: + return ret; + } + +-int sqfs_size(const char *filename, loff_t *size) ++int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len, ++ loff_t *actread) ++{ ++ symlinknest = 0; ++ return sqfs_read_nest(filename, buf, offset, len, actread); ++} ++ ++static int sqfs_size_nest(const char *filename, loff_t *size) + { + struct squashfs_super_block *sblk = ctxt.sblk; + struct squashfs_symlink_inode *symlink; +@@ -1595,10 +1629,10 @@ int sqfs_size(const char *filename, loff_t *size) + + sqfs_split_path(&file, &dir, filename); + /* +- * sqfs_opendir will uncompress inode and directory tables, and will ++ * sqfs_opendir_nest will uncompress inode and directory tables, and will + * return a pointer to the directory that contains the requested file. 
+ */ +- ret = sqfs_opendir(dir, &dirsp); ++ ret = sqfs_opendir_nest(dir, &dirsp); + if (ret) { + ret = -EINVAL; + goto free_strings; +@@ -1606,7 +1640,7 @@ int sqfs_size(const char *filename, loff_t *size) + + dirs = (struct squashfs_dir_stream *)dirsp; + +- while (!sqfs_readdir(dirsp, &dent)) { ++ while (!sqfs_readdir_nest(dirsp, &dent)) { + ret = strcmp(dent->name, file); + if (!ret) + break; +@@ -1639,6 +1673,11 @@ int sqfs_size(const char *filename, loff_t *size) + break; + case SQFS_SYMLINK_TYPE: + case SQFS_LSYMLINK_TYPE: ++ if (++symlinknest == MAX_SYMLINK_NEST) { ++ *size = 0; ++ return -ELOOP; ++ } ++ + symlink = (struct squashfs_symlink_inode *)ipos; + resolved = sqfs_resolve_symlink(symlink, filename); + ret = sqfs_size(resolved, size); +@@ -1678,10 +1717,11 @@ int sqfs_exists(const char *filename) + + sqfs_split_path(&file, &dir, filename); + /* +- * sqfs_opendir will uncompress inode and directory tables, and will ++ * sqfs_opendir_nest will uncompress inode and directory tables, and will + * return a pointer to the directory that contains the requested file. + */ +- ret = sqfs_opendir(dir, &dirsp); ++ symlinknest = 0; ++ ret = sqfs_opendir_nest(dir, &dirsp); + if (ret) { + ret = -EINVAL; + goto free_strings; +@@ -1689,7 +1729,7 @@ int sqfs_exists(const char *filename) + + dirs = (struct squashfs_dir_stream *)dirsp; + +- while (!sqfs_readdir(dirsp, &dent)) { ++ while (!sqfs_readdir_nest(dirsp, &dent)) { + ret = strcmp(dent->name, file); + if (!ret) + break; +@@ -1706,6 +1746,12 @@ free_strings: + return ret == 0; + } + ++int sqfs_size(const char *filename, loff_t *size) ++{ ++ symlinknest = 0; ++ return sqfs_size_nest(filename, size); ++} ++ + void sqfs_close(void) + { + sqfs_decompressor_cleanup(&ctxt); +-- +2.34.1 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index c643fb35f3..c68e3e442f 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb 
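Review bot: the nesting limit in CVE-2024-57257.patch does not hold on the sqfs_size() path. In the `-1639,6 +1673,11` hunk the new `if (++symlinknest == MAX_SYMLINK_NEST)` check is followed by the unchanged `ret = sqfs_size(resolved, size);`, and the `-1706,6 +1746,12` hunk turns sqfs_size() into a wrapper that does `symlinknest = 0;` before calling sqfs_size_nest(), so each recursion through a symlink resets the counter and the -ELOOP branch in that function is never reached. The recursive call should be `ret = sqfs_size_nest(resolved, size);`, matching the `-1403,9 +1425,14` hunk where sqfs_read_nest() recurses via `sqfs_read_nest(resolved, buf, offset, len, actread)`. Second, that same error branch does `*size = 0; return -ELOOP;` directly, while the function's other error exits go through `goto free_strings` (see the `-1595,10 +1629,10` hunk); the early return skips that cleanup and leaks the split path strings and the opened directory stream, so route it through the existing label as the sqfs_read_nest() and sqfs_search_dir() checks do with `goto out`. Minor: `==` works only because the counter always steps by one from zero, and `>=` is the more robust comparison for a limit; and the backport's `From: Hongxu Jia` header replaces the upstream author while the Signed-off-by trailers still credit Richard Weinberger, so the From line should name the upstream author as the other patches in this series do.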
@@ -14,6 +14,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://CVE-2024-57254.patch \ file://CVE-2024-57255.patch \ file://CVE-2024-57256.patch \ + file://CVE-2024-57257.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native"

From patchwork Tue Feb 25 14:29:42 2025
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 07/22] u-boot: fix CVE-2024-57258
Date: Tue, 25 Feb 2025 06:29:42 -0800
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211892

From: Hongxu Jia

Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1 occur for a crafted squashfs filesystem via sbrk, via request2size, or because ptrdiff_t is mishandled on x86_64.

https://nvd.nist.gov/vuln/detail/CVE-2024-57258

Signed-off-by: Hongxu Jia
Signed-off-by: Steve Sakoman
---
 .../u-boot/files/CVE-2024-57258-1.patch | 47 +++++++++++++++++++
 .../u-boot/files/CVE-2024-57258-2.patch | 43 +++++++++++++++++
 .../u-boot/files/CVE-2024-57258-3.patch | 40 ++++++++++++++++
 meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 3 ++
 4 files changed, 133 insertions(+)
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch
new file mode 100644
index 0000000000..d33a4260ba
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch
@@ -0,0 +1,47 @@ +From 50ab41c3628dedeca1a331dd86dd203b73faea74 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Fri, 2 Aug 2024 12:08:45 +0200 +Subject: [PATCH 5/8] dlmalloc: Fix integer overflow in sbrk() + +Make sure that the new break is within mem_malloc_start +and mem_malloc_end before making progress. +ulong new = old + increment; can overflow for extremely large +increment values and memset() can get wrongly called. + +Signed-off-by: Richard Weinberger +Reviewed-by: Simon Glass + +CVE: CVE-2024-57258 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/0a10b49206a29b4aa2f80233a3e53ca0466bb0b3] +Signed-off-by: Hongxu Jia +--- + common/dlmalloc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/common/dlmalloc.c b/common/dlmalloc.c +index de3f0422..bae2a27c 100644 +--- a/common/dlmalloc.c ++++ b/common/dlmalloc.c +@@ -591,6 +591,9 @@ void *sbrk(ptrdiff_t increment) + ulong old = mem_malloc_brk; + ulong new = old + increment; + ++ if ((new < mem_malloc_start) || (new > mem_malloc_end)) ++ return (void *)MORECORE_FAILURE; ++ + /* + * if we are giving memory back make sure we clear it out since + * we set MORECORE_CLEARS to 1 +@@ -598,9 +601,6 @@ void *sbrk(ptrdiff_t increment) + if (increment < 0) + memset((void *)new, 0, -increment); + +- if ((new < mem_malloc_start) || (new > mem_malloc_end)) +- return (void *)MORECORE_FAILURE; +- + mem_malloc_brk = new; + + return (void *)old; +-- +2.34.1 + diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch new file mode 100644 index 0000000000..688e2c64d8 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch 
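Review bot: the substantive fix in this hunk is the reordering rather than the check itself: the range test on `new` previously sat after `memset((void *)new, 0, -increment)`, so a shrink request whose `new` fell outside `[mem_malloc_start, mem_malloc_end]` was cleared before it was rejected; moving `if ((new < mem_malloc_start) || (new > mem_malloc_end))` ahead of the memset is what stops the stray write. The commit text only says `old + increment` can overflow; stating the ordering problem too would help whoever refreshes this backport later. Note also that `-increment` is still evaluated in ptrdiff_t, so this patch depends on patch 3 of the series (x86_64 ptrdiff_t) to be effective there, and that the `From 50ab41c3...` line is a rebased local hash while Upstream-Status points at 0a10b49206a2...; acceptable for an OE backport, but keep the Upstream-Status URL as the reference when diffing against upstream.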
@@ -0,0 +1,43 @@ +From db7c626204f488a802a2e58b7a788b11fde6be7d Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Fri, 2 Aug 2024 12:08:44 +0200 +Subject: [PATCH 6/8] dlmalloc: Fix integer overflow in request2size() + +req is of type size_t, casting it to long opens the door +for an integer overflow. +Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX +cause and overflow such that request2size() returns MINSIZE. + +Fix by removing the cast. +The origin of the cast is unclear, it's in u-boot and ppcboot since ever +and predates the CVS history. +Doug Lea's original dlmalloc implementation also doesn't have it. + +Signed-off-by: Richard Weinberger +Reviewed-by: Simon Glass + +CVE: CVE-2024-57258 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/8642b2178d2c4002c99a0b69a845a48f2ae2706f] +Signed-off-by: Hongxu Jia +--- + common/dlmalloc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/common/dlmalloc.c b/common/dlmalloc.c +index bae2a27c..1ac4ee9f 100644 +--- a/common/dlmalloc.c ++++ b/common/dlmalloc.c +@@ -379,8 +379,8 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + /* pad request bytes into a usable size */ + + #define request2size(req) \ +- (((long)((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \ +- (long)(MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \ ++ ((((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \ ++ (MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \ + (((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) & ~(MALLOC_ALIGN_MASK))) + + /* Check if m has acceptable alignment */ +-- +2.34.1 + diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch new file mode 100644 index 0000000000..2c8a7c9d91 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch 
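Review bot: dropping the `(long)` casts closes the signed window the message describes (req between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX), but the comparison is now unsigned, and `(req) + (SIZE_SZ + MALLOC_ALIGN_MASK)` still wraps for req within SIZE_SZ + MALLOC_ALIGN_MASK of SIZE_MAX, where request2size() again yields MINSIZE. Whether that is reachable depends on the caller rejecting such sizes before request2size() runs, which the hunk context does not show; please confirm malloc() in the 2022.01 tree does so, or add an explicit upper-bound check alongside this backport. Minor: the commit text reads "cause and overflow"; it should be "cause an overflow".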
@@ -0,0 +1,40 @@ +From 37095a204127b60b5e00c4c5d435d6e48a6a1c51 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Fri, 2 Aug 2024 12:08:43 +0200 +Subject: [PATCH 7/8] x86: Fix ptrdiff_t for x86_64 + +sbrk() assumes ptrdiff_t is large enough to enlarge/shrink the heap +by LONG_MIN/LONG_MAX. +So, use the long type, also to match the rest of the Linux ecosystem. + +Signed-off-by: Richard Weinberger +Reviewed-by: Simon Glass + +CVE: CVE-2024-57258 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/c17b2a05dd50a3ba437e6373093a0d6a359cdee0] +Signed-off-by: Hongxu Jia +--- + arch/x86/include/asm/posix_types.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/posix_types.h b/arch/x86/include/asm/posix_types.h +index dbcea7f4..e1ed9bca 100644 +--- a/arch/x86/include/asm/posix_types.h ++++ b/arch/x86/include/asm/posix_types.h +@@ -20,11 +20,12 @@ typedef unsigned short __kernel_gid_t; + #if defined(__x86_64__) + typedef unsigned long __kernel_size_t; + typedef long __kernel_ssize_t; ++typedef long __kernel_ptrdiff_t; + #else + typedef unsigned int __kernel_size_t; + typedef int __kernel_ssize_t; +-#endif + typedef int __kernel_ptrdiff_t; ++#endif + typedef long __kernel_time_t; + typedef long __kernel_suseconds_t; + typedef long __kernel_clock_t; +-- +2.34.1 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index c68e3e442f..cdee9fc721 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb 
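Review bot: the hunk correctly gives x86_64 a 64-bit `__kernel_ptrdiff_t` so that sbrk()'s `ptrdiff_t increment` can carry the LONG_MIN..LONG_MAX range the message mentions, while the 32-bit branch keeps `int`. Deleting `-#endif` and re-adding it after the old `typedef int __kernel_ptrdiff_t;` is the minimal way to move the typedef into the `#else` branch, so the structure is fine. Since this widens a public type, an x86_64 target build (qemux86-64 on kirkstone) should be run before merging to catch any `%d`-style format of a ptrdiff_t value that now warns; none of the three patches in this series touches such call sites.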
@@ -15,6 +15,9 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://CVE-2024-57255.patch \ file://CVE-2024-57256.patch \ file://CVE-2024-57257.patch \ + file://CVE-2024-57258-1.patch \ + file://CVE-2024-57258-2.patch \ + file://CVE-2024-57258-3.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native" From patchwork Tue Feb 25 14:29:43 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 57827 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 32FC5C021BC for ; Tue, 25 Feb 2025 14:30:22 +0000 (UTC) Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com [209.85.214.176]) by mx.groups.io with SMTP id smtpd.web11.9091.1740493818738498199 for ; Tue, 25 Feb 2025 06:30:18 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=iFBtqIIR; spf=softfail (domain: sakoman.com, ip: 209.85.214.176, mailfrom: steve@sakoman.com) Received: by mail-pl1-f176.google.com with SMTP id d9443c01a7336-220f4dd756eso119589025ad.3 for ; Tue, 25 Feb 2025 06:30:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1740493818; x=1741098618; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=XFAjsHoOKkxPIio2VfQfvyFuG8NB3zno4fJKDG4UCd4=; b=iFBtqIIRoR/QIUZDH8LgAB5u/7n5aL6MLfFJc9tPSJe6kEg2VTFCOHzNVkLvdVlr45 TTw0re8PzCvmyASWJAEmhjlLt/J20v2IqdqfH17DX/UP442f79ZrQ+806qTeKmU0i7h/ Ms2deAHunp63ZAcxYvBwByhmT8jMxInjm/fgtNNEr/8kPfgNPHx4oj7oFS203bXTfZ2R 
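Review bot: keep the three SRC_URI entries in this order: the index line of the second patch (`bae2a27c..1ac4ee9f`) is the blob the first patch produces (`de3f0422..bae2a27c`), so the series was generated sequentially and should be applied the same way. No CVE_STATUS or ignore entry is needed in the recipe because each patch file carries a `CVE: CVE-2024-57258` tag, which cve-check reads from the patch itself. Since the advisory text names 2025.01-rc1 as the fixed upstream release and the recipe is 2022.01, the Upstream-Status URLs in each patch are the only link back to the upstream commits; please keep them intact when the patches are refreshed.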
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 08/22] u-boot: fix CVE-2024-57259 Date: Tue, 25 Feb 2025 06:29:43 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 25 Feb 2025 14:30:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211893 From: Hongxu Jia sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error and resultant heap memory corruption for squashfs directory listing because the path separator is not considered in a size calculation. https://nvd.nist.gov/vuln/detail/CVE-2024-57259 Signed-off-by: Hongxu Jia Signed-off-by: Steve Sakoman --- .../u-boot/files/CVE-2024-57259.patch | 41 +++++++++++++++++++ meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 + 2 files changed, 42 insertions(+) create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch new file mode 100644 index 0000000000..fdf5fdfce4 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch 
@@ -0,0 +1,41 @@ +From 2c08fe306c6cbc60ec4beb434c71e56bb7abb678 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Fri, 2 Aug 2024 22:05:09 +0200 +Subject: [PATCH 8/8] squashfs: Fix heap corruption in sqfs_search_dir() + +res needs to be large enough to store both strings rem and target, +plus the path separator and the terminator. +Currently the space for the path separator is not accounted, so +the heap is corrupted by one byte. + +Signed-off-by: Richard Weinberger +Reviewed-by: Miquel Raynal + +CVE: CVE-2024-57259 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/048d795bb5b3d9c5701b4855f5e74bcf6849bf5e] +Signed-off-by: Hongxu Jia +--- + fs/squashfs/sqfs.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c +index a5b7890e..1bd9b2a4 100644 +--- a/fs/squashfs/sqfs.c ++++ b/fs/squashfs/sqfs.c +@@ -563,8 +563,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, + ret = -ENOMEM; + goto out; + } +- /* Concatenate remaining tokens and symlink's target */ +- res = malloc(strlen(rem) + strlen(target) + 1); ++ /* ++ * Concatenate remaining tokens and symlink's target. ++ * Allocate enough space for rem, target, '/' and '\0'. ++ */ ++ res = malloc(strlen(rem) + strlen(target) + 2); + if (!res) { + ret = -ENOMEM; + goto out; +-- +2.34.1 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index cdee9fc721..0ff2477c39 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb 
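Review bot: the `+ 2` now reserves space for rem, '/', target and '\0' as the new comment states, but the write that fills `res` lies outside the hunk context, so this diff alone does not show that it produces exactly rem, a separator and target. Suggest either widening the context to include that write when refreshing the patch, or replacing the manual strlen sum with one length expression that is passed both to malloc() and to an snprintf() of "%s/%s", so the allocation and the write cannot drift apart again. It would also be worth saying in the commit message that the filesystem image is untrusted input on the boot path, which is why a one-byte heap corruption in directory lookup warrants a CVE backport rather than a cosmetic fix.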
@@ -18,6 +18,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://CVE-2024-57258-1.patch \ file://CVE-2024-57258-2.patch \ file://CVE-2024-57258-3.patch \ + file://CVE-2024-57259.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native" From patchwork Tue Feb 25 14:29:44 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 57830 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 42ACDC18E7C for ; Tue, 25 Feb 2025 14:30:22 +0000 (UTC) Received: from mail-pl1-f169.google.com (mail-pl1-f169.google.com [209.85.214.169]) by mx.groups.io with SMTP id smtpd.web11.9093.1740493821699803350 for ; Tue, 25 Feb 2025 06:30:21 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=yg+hFi0z; spf=softfail (domain: sakoman.com, ip: 209.85.214.169, mailfrom: steve@sakoman.com) Received: by mail-pl1-f169.google.com with SMTP id d9443c01a7336-220ca204d04so93845925ad.0 for ; Tue, 25 Feb 2025 06:30:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1740493821; x=1741098621; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=RpXNrpYU+a3pDVEPlHPd7rlaygIJNfXztrs0RxXyBSc=; b=yg+hFi0zbNhLN4cBk5LKhTlrTeaHasymapig5ZCrpR+UAia1KXU2u1z6BvT6oy5Pnk u5z6IsmwFTAqaSGlISqpB3dwD3nrNnVeL/hJELAE/SuGA7EfZoW3g6K21kyqJT234aU4 WdjYXygAyL2UXYbYWjD40ZLH3qSrs1R8gmV4ImUPhMMjfU1vVxz2uzy2/kD+PEsDrUOr ifwG8B+sIapnovKvo5+uPqQ+77VzVM4GtoSrbf86XsrweAkfKJPkOC7DAVjrE1r3mTzP 
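Review bot: the context lines of this SRC_URI hunk (`file://CVE-2024-57258-1.patch` through `-3.patch`) mean this commit applies only on top of 07/22 in this series; if the two are ever cherry-picked separately the hunk context will need regenerating. The patch itself is `[PATCH 8/8]` of the same upstream series as the three CVE-2024-57258 patches, so keeping them adjacent in SRC_URI is the right choice, and the `CVE: CVE-2024-57259` tag inside the patch file is what cve-check will use to mark this CVE as patched.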
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 09/22] Revert "ovmf: Fix CVE-2023-45237" Date: Tue, 25 Feb 2025 06:29:44 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 25 Feb 2025 14:30:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211894 From: Kai Kang This reverts commit 6f8bdaad9d22e65108f859a695277ce1b20ef7c6. This reverts commit 4c2d3e37308cac98614dfafed79b7323423af8bc. The fix for CVE-2023-45237 causes ovmf firmware to no longer support pxe boot, and there is no boot item in the OVMF menu such as UEFI PXEv4 (MAC address). It has not been fixed by ovmf upstream and an issue has been created on https://github.com/tianocore/tianocore.github.io/issues/82 Revert the fixes for now. Signed-off-by: Kai Kang Signed-off-by: Steve Sakoman --- .../ovmf/ovmf/CVE-2023-45237-0001.patch | 78 - .../ovmf/ovmf/CVE-2023-45237-0002.patch | 1288 ----------------- meta/recipes-core/ovmf/ovmf_git.bb | 2 - 3 files changed, 1368 deletions(-) delete mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0001.patch delete mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0002.patch diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0001.patch b/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0001.patch deleted file mode 100644 index d1dcb8dc44..0000000000 --- a/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0001.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From cf07238e5fa4f8b1138ac1c9e80530b4d4e59f1c Mon Sep 17 00:00:00 2001 -From: Pierre Gondois -Date: Fri, 11 Aug 2023 16:33:06 +0200 -Subject: [PATCH] MdePkg/Rng: Add GUID to describe Arm Rndr Rng algorithms - -BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4441 - -The EFI_RNG_PROTOCOL can rely on the RngLib. The RngLib has multiple -implementations, some of them are unsafe (e.g. BaseRngLibTimerLib). -To allow the RngDxe to detect when such implementation is used, -a GetRngGuid() function is added in a following patch. - -Prepare GetRngGuid() return values and add a gEfiRngAlgorithmArmRndr -to describe a Rng algorithm accessed through Arm's RNDR instruction. -[1] states that the implementation of this algorithm should be -compliant to NIST SP900-80. The compliance is not guaranteed. - -[1] Arm Architecture Reference Manual Armv8, for A-profile architecture -sK12.1 'Properties of the generated random number' - -Signed-off-by: Pierre Gondois -Reviewed-by: Sami Mujawar -Reviewed-by: Liming Gao -Acked-by: Ard Biesheuvel -Tested-by: Kun Qin - -CVE: CVE-2023-45237 - -Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/cf07238e5fa4f8b1138ac1c9e80530b4d4e59f1c] - -Signed-off-by: Soumya Sambu ---- - MdePkg/Include/Protocol/Rng.h | 10 ++++++++++ - MdePkg/MdePkg.dec | 1 + - 2 files changed, 11 insertions(+) - -diff --git a/MdePkg/Include/Protocol/Rng.h b/MdePkg/Include/Protocol/Rng.h -index baf425587b..38bde53240 100644 ---- a/MdePkg/Include/Protocol/Rng.h -+++ b/MdePkg/Include/Protocol/Rng.h -@@ -67,6 +67,15 @@ typedef EFI_GUID EFI_RNG_ALGORITHM; - { \ - 0xe43176d7, 0xb6e8, 0x4827, {0xb7, 0x84, 0x7f, 0xfd, 0xc4, 0xb6, 0x85, 0x61 } \ - } -+/// -+/// The Arm Architecture states the RNDR that the DRBG algorithm should be compliant -+/// with NIST SP800-90A, while not mandating a particular algorithm, so as to be -+/// inclusive of different geographies. 
-+/// -+#define EFI_RNG_ALGORITHM_ARM_RNDR \ -+ { \ -+ 0x43d2fde3, 0x9d4e, 0x4d79, {0x02, 0x96, 0xa8, 0x9b, 0xca, 0x78, 0x08, 0x41} \ -+ } - - /** - Returns information about the random number generation implementation. -@@ -146,5 +155,6 @@ extern EFI_GUID gEfiRngAlgorithmSp80090Ctr256Guid; - extern EFI_GUID gEfiRngAlgorithmX9313DesGuid; - extern EFI_GUID gEfiRngAlgorithmX931AesGuid; - extern EFI_GUID gEfiRngAlgorithmRaw; -+extern EFI_GUID gEfiRngAlgorithmArmRndr; - - #endif -diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec -index 59b405928b..a449dbc556 100644 ---- a/MdePkg/MdePkg.dec -+++ b/MdePkg/MdePkg.dec -@@ -594,6 +594,7 @@ - gEfiRngAlgorithmX9313DesGuid = { 0x63c4785a, 0xca34, 0x4012, {0xa3, 0xc8, 0x0b, 0x6a, 0x32, 0x4f, 0x55, 0x46 }} - gEfiRngAlgorithmX931AesGuid = { 0xacd03321, 0x777e, 0x4d3d, {0xb1, 0xc8, 0x20, 0xcf, 0xd8, 0x88, 0x20, 0xc9 }} - gEfiRngAlgorithmRaw = { 0xe43176d7, 0xb6e8, 0x4827, {0xb7, 0x84, 0x7f, 0xfd, 0xc4, 0xb6, 0x85, 0x61 }} -+ gEfiRngAlgorithmArmRndr = { 0x43d2fde3, 0x9d4e, 0x4d79, {0x02, 0x96, 0xa8, 0x9b, 0xca, 0x78, 0x08, 0x41 }} - - ## Include/Protocol/AdapterInformation.h - gEfiAdapterInfoMediaStateGuid = { 0xD7C74207, 0xA831, 0x4A26, {0xB1, 0xF5, 0xD1, 0x93, 0x06, 0x5C, 0xE8, 0xB6 }} --- -2.40.0 - diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0002.patch b/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0002.patch deleted file mode 100644 index 722a6cd530..0000000000 --- a/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0002.patch +++ /dev/null 
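Review bot: this part of the revert removes only the `EFI_RNG_ALGORITHM_ARM_RNDR` GUID and the `gEfiRngAlgorithmArmRndr` declaration in MdePkg; a header addition like that cannot by itself affect PXE boot, so it is being dropped purely as a dependency of the 0002 patch. Before merging, confirm that no other patch still shipped in the ovmf recipe references `gEfiRngAlgorithmArmRndr`, otherwise the build breaks once this file is gone. The commit message should also state plainly that CVE-2023-45237 is unpatched again in kirkstone after this change, so that anyone reading the recipe history or cve-check output is not misled by the earlier fix commit.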
@@ -1,1288 +0,0 @@ -From 4c4ceb2ceb80c42fd5545b2a4bd80321f07f4345 Mon Sep 17 00:00:00 2001 -From: Doug Flick -Date: Wed, 8 May 2024 22:56:28 -0700 -Subject: [PATCH] NetworkPkg: SECURITY PATCH CVE-2023-45237 - -REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4542 - -Bug Overview: -PixieFail Bug #9 -CVE-2023-45237 -CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N -CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) - -Use of a Weak PseudoRandom Number Generator - -Change Overview: - -Updates all Instances of NET_RANDOM (NetRandomInitSeed ()) to either - -> -> EFI_STATUS -> EFIAPI -> PseudoRandomU32 ( -> OUT UINT32 *Output -> ); -> - -or (depending on the use case) - -> -> EFI_STATUS -> EFIAPI -> PseudoRandom ( -> OUT VOID *Output, -> IN UINTN OutputLength -> ); -> - -This is because the use of - -Example: - -The following code snippet PseudoRandomU32 () function is used: - -> -> UINT32 Random; -> -> Status = PseudoRandomU32 (&Random); -> if (EFI_ERROR (Status)) { -> DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", -__func__, Status)); -> return Status; -> } -> - -This also introduces a new PCD to enable/disable the use of the -secure implementation of algorithms for PseudoRandom () and -instead depend on the default implementation. This may be required for -some platforms where the UEFI Spec defined algorithms are not available. - -> -> PcdEnforceSecureRngAlgorithms -> - -If the platform does not have any one of the UEFI defined -secure RNG algorithms then the driver will assert. 
- -Cc: Saloni Kasbekar -Cc: Zachary Clark-williams - -Signed-off-by: Doug Flick [MSFT] -Reviewed-by: Saloni Kasbekar - -CVE: CVE-2023-45237 - -Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/4c4ceb2ceb80c42fd5545b2a4bd80321f07f4345] - -Signed-off-by: Soumya Sambu ---- - NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c | 10 +- - NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c | 11 +- - NetworkPkg/DnsDxe/DnsDhcp.c | 10 +- - NetworkPkg/DnsDxe/DnsImpl.c | 11 +- - NetworkPkg/HttpBootDxe/HttpBootDhcp6.c | 10 +- - NetworkPkg/IScsiDxe/IScsiCHAP.c | 19 ++- - NetworkPkg/IScsiDxe/IScsiMisc.c | 14 +-- - NetworkPkg/IScsiDxe/IScsiMisc.h | 6 +- - NetworkPkg/Include/Library/NetLib.h | 40 +++++-- - NetworkPkg/Ip4Dxe/Ip4Driver.c | 10 +- - NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c | 9 +- - NetworkPkg/Ip6Dxe/Ip6Driver.c | 17 ++- - NetworkPkg/Ip6Dxe/Ip6If.c | 12 +- - NetworkPkg/Ip6Dxe/Ip6Mld.c | 12 +- - NetworkPkg/Ip6Dxe/Ip6Nd.c | 33 +++++- - NetworkPkg/Ip6Dxe/Ip6Nd.h | 8 +- - NetworkPkg/Library/DxeNetLib/DxeNetLib.c | 130 ++++++++++++++++++--- - NetworkPkg/Library/DxeNetLib/DxeNetLib.inf | 14 ++- - NetworkPkg/NetworkPkg.dec | 7 ++ - NetworkPkg/SecurityFixes.yaml | 39 +++++++ - NetworkPkg/TcpDxe/TcpDriver.c | 15 ++- - NetworkPkg/TcpDxe/TcpDxe.inf | 3 + - NetworkPkg/Udp4Dxe/Udp4Driver.c | 10 +- - NetworkPkg/Udp6Dxe/Udp6Driver.c | 11 +- - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c | 9 +- - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 11 +- - NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c | 12 +- - 27 files changed, 410 insertions(+), 83 deletions(-) - -diff --git a/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c b/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c -index 8c37e93be3..892caee368 100644 ---- a/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c -+++ b/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c -@@ -1,6 +1,7 @@ - /** @file - - Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -189,6 +190,13 @@ Dhcp4CreateService ( - { - DHCP_SERVICE *DhcpSb; - EFI_STATUS Status; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - *Service = NULL; - DhcpSb = AllocateZeroPool (sizeof (DHCP_SERVICE)); -@@ -203,7 +211,7 @@ Dhcp4CreateService ( - DhcpSb->Image = ImageHandle; - InitializeListHead (&DhcpSb->Children); - DhcpSb->DhcpState = Dhcp4Stopped; -- DhcpSb->Xid = NET_RANDOM (NetRandomInitSeed ()); -+ DhcpSb->Xid = Random; - CopyMem ( - &DhcpSb->ServiceBinding, - &mDhcp4ServiceBindingTemplate, -diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c -index b591a4605b..e7f2787a98 100644 ---- a/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c -+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c -@@ -3,7 +3,7 @@ - implementation for Dhcp6 Driver. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -123,6 +123,13 @@ Dhcp6CreateService ( - { - DHCP6_SERVICE *Dhcp6Srv; - EFI_STATUS Status; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - *Service = NULL; - Dhcp6Srv = AllocateZeroPool (sizeof (DHCP6_SERVICE)); -@@ -147,7 +154,7 @@ Dhcp6CreateService ( - Dhcp6Srv->Signature = DHCP6_SERVICE_SIGNATURE; - Dhcp6Srv->Controller = Controller; - Dhcp6Srv->Image = ImageHandle; -- Dhcp6Srv->Xid = (0xffffff & NET_RANDOM (NetRandomInitSeed ())); -+ Dhcp6Srv->Xid = (0xffffff & Random); - - CopyMem ( - &Dhcp6Srv->ServiceBinding, -diff --git a/NetworkPkg/DnsDxe/DnsDhcp.c b/NetworkPkg/DnsDxe/DnsDhcp.c -index 933565a32d..9eb3c1d2d8 100644 ---- a/NetworkPkg/DnsDxe/DnsDhcp.c -+++ b/NetworkPkg/DnsDxe/DnsDhcp.c -@@ -2,6 +2,7 @@ - Functions implementation related with DHCPv4/v6 for DNS driver. - - Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -277,6 +278,7 @@ GetDns4ServerFromDhcp4 ( - EFI_DHCP4_TRANSMIT_RECEIVE_TOKEN Token; - BOOLEAN IsDone; - UINTN Index; -+ UINT32 Random; - - Image = Instance->Service->ImageHandle; - Controller = Instance->Service->ControllerHandle; -@@ -292,6 +294,12 @@ GetDns4ServerFromDhcp4 ( - Data = NULL; - InterfaceInfo = NULL; - -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ - ZeroMem ((UINT8 *)ParaList, sizeof (ParaList)); - - ZeroMem (&MnpConfigData, sizeof (EFI_MANAGED_NETWORK_CONFIG_DATA)); -@@ -467,7 +475,7 @@ GetDns4ServerFromDhcp4 ( - - Status = Dhcp4->Build (Dhcp4, &SeedPacket, 0, NULL, 2, ParaList, &Token.Packet); - -- Token.Packet->Dhcp4.Header.Xid = HTONL (NET_RANDOM (NetRandomInitSeed ())); -+ Token.Packet->Dhcp4.Header.Xid = Random; - - Token.Packet->Dhcp4.Header.Reserved = HTONS ((UINT16)0x8000); - -diff --git a/NetworkPkg/DnsDxe/DnsImpl.c b/NetworkPkg/DnsDxe/DnsImpl.c -index d311812800..c2629bb8df 100644 ---- a/NetworkPkg/DnsDxe/DnsImpl.c -+++ b/NetworkPkg/DnsDxe/DnsImpl.c -@@ -2,6 +2,7 @@ - DnsDxe support functions implementation. - - Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -1963,6 +1964,14 @@ ConstructDNSQuery ( - NET_FRAGMENT Frag; - DNS_HEADER *DnsHeader; - DNS_QUERY_SECTION *DnsQuery; -+ EFI_STATUS Status; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - // - // Messages carried by UDP are restricted to 512 bytes (not counting the IP -@@ -1977,7 +1986,7 @@ ConstructDNSQuery ( - // Fill header - // - DnsHeader = (DNS_HEADER *)Frag.Bulk; -- DnsHeader->Identification = (UINT16)NET_RANDOM (NetRandomInitSeed ()); -+ DnsHeader->Identification = (UINT16)Random; - DnsHeader->Flags.Uint16 = 0x0000; - DnsHeader->Flags.Bits.RD = 1; - DnsHeader->Flags.Bits.OpCode = DNS_FLAGS_OPCODE_STANDARD; -diff --git a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c -index b22cef4ff5..f964515b0f 100644 ---- a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c -+++ b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c -@@ -2,6 +2,7 @@ - Functions implementation related with DHCPv6 for HTTP boot driver. - - Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -951,6 +952,7 @@ HttpBootDhcp6Sarr ( - UINT32 OptCount; - UINT8 Buffer[HTTP_BOOT_DHCP6_OPTION_MAX_SIZE]; - EFI_STATUS Status; -+ UINT32 Random; - - Dhcp6 = Private->Dhcp6; - ASSERT (Dhcp6 != NULL); -@@ -961,6 +963,12 @@ HttpBootDhcp6Sarr ( - OptCount = HttpBootBuildDhcp6Options (Private, OptList, Buffer); - ASSERT (OptCount > 0); - -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ - Retransmit = AllocateZeroPool (sizeof (EFI_DHCP6_RETRANSMISSION)); - if (Retransmit == NULL) { - return EFI_OUT_OF_RESOURCES; -@@ -976,7 +984,7 @@ HttpBootDhcp6Sarr ( - Config.IaInfoEvent = NULL; - Config.RapidCommit = FALSE; - Config.ReconfigureAccept = FALSE; -- Config.IaDescriptor.IaId = NET_RANDOM (NetRandomInitSeed ()); -+ Config.IaDescriptor.IaId = Random; - Config.IaDescriptor.Type = EFI_DHCP6_IA_TYPE_NA; - Config.SolicitRetransmission = Retransmit; - Retransmit->Irt = 4; -diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c -index b507f11cd4..bebb1ac29b 100644 ---- a/NetworkPkg/IScsiDxe/IScsiCHAP.c -+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c -@@ -3,6 +3,7 @@ - Configuration. - - Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -576,16 +577,24 @@ IScsiCHAPToSendReq ( - // - // CHAP_I= - // -- IScsiGenRandom ((UINT8 *)&AuthData->OutIdentifier, 1); -+ Status = IScsiGenRandom ((UINT8 *)&AuthData->OutIdentifier, 1); -+ if (EFI_ERROR (Status)) { -+ break; -+ } -+ - AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", AuthData->OutIdentifier); - IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_IDENTIFIER, ValueStr); - // - // CHAP_C= - // -- IScsiGenRandom ( -- (UINT8 *)AuthData->OutChallenge, -- AuthData->Hash->DigestSize -- ); -+ Status = IScsiGenRandom ( -+ (UINT8 *)AuthData->OutChallenge, -+ AuthData->Hash->DigestSize -+ ); -+ if (EFI_ERROR (Status)) { -+ break; -+ } -+ - BinToHexStatus = IScsiBinToHex ( - (UINT8 *)AuthData->OutChallenge, - AuthData->Hash->DigestSize, -diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c -index b3ea90158f..cd77f1a13e 100644 ---- a/NetworkPkg/IScsiDxe/IScsiMisc.c -+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c -@@ -2,6 +2,7 @@ - Miscellaneous routines for iSCSI driver. - - Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -474,20 +475,17 @@ IScsiNetNtoi ( - @param[in, out] Rand The buffer to contain random numbers. - @param[in] RandLength The length of the Rand buffer. - -+ @retval EFI_SUCCESS on success -+ @retval others on error -+ - **/ --VOID -+EFI_STATUS - IScsiGenRandom ( - IN OUT UINT8 *Rand, - IN UINTN RandLength - ) - { -- UINT32 Random; -- -- while (RandLength > 0) { -- Random = NET_RANDOM (NetRandomInitSeed ()); -- *Rand++ = (UINT8)(Random); -- RandLength--; -- } -+ return PseudoRandom (Rand, RandLength); - } - - /** -diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h -index a951eee70e..91b2cd2261 100644 ---- a/NetworkPkg/IScsiDxe/IScsiMisc.h -+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h -@@ -2,6 +2,7 @@ - Miscellaneous definitions for iSCSI driver. - - Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -202,8 +203,11 @@ IScsiNetNtoi ( - @param[in, out] Rand The buffer to contain random numbers. - @param[in] RandLength The length of the Rand buffer. - -+ @retval EFI_SUCCESS on success -+ @retval others on error -+ - **/ --VOID -+EFI_STATUS - IScsiGenRandom ( - IN OUT UINT8 *Rand, - IN UINTN RandLength -diff --git a/NetworkPkg/Include/Library/NetLib.h b/NetworkPkg/Include/Library/NetLib.h -index 8c0e62b388..e8108b79db 100644 ---- a/NetworkPkg/Include/Library/NetLib.h -+++ b/NetworkPkg/Include/Library/NetLib.h -@@ -3,6 +3,7 @@ - It provides basic functions for the UEFI network stack. - - Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -539,8 +540,6 @@ extern EFI_IPv4_ADDRESS mZeroIp4Addr; - #define TICKS_PER_MS 10000U - #define TICKS_PER_SECOND 10000000U - --#define NET_RANDOM(Seed) ((UINT32) ((UINT32) (Seed) * 1103515245UL + 12345) % 4294967295UL) -- - /** - Extract a UINT32 from a byte stream. - -@@ -580,19 +579,40 @@ NetPutUint32 ( - ); - - /** -- Initialize a random seed using current time and monotonic count. -+ Generate a Random output data given a length. - -- Get current time and monotonic count first. Then initialize a random seed -- based on some basic mathematics operation on the hour, day, minute, second, -- nanosecond and year of the current time and the monotonic count value. -+ @param[out] Output - The buffer to store the generated random data. -+ @param[in] OutputLength - The length of the output buffer. - -- @return The random seed initialized with current time. -+ @retval EFI_SUCCESS On Success -+ @retval EFI_INVALID_PARAMETER Pointer is null or size is zero -+ @retval EFI_NOT_FOUND RNG protocol not found -+ @retval Others Error from RngProtocol->GetRNG() - -+ @return Status code - **/ --UINT32 -+EFI_STATUS - EFIAPI --NetRandomInitSeed ( -- VOID -+PseudoRandom ( -+ OUT VOID *Output, -+ IN UINTN OutputLength -+ ); -+ -+/** -+ Generate a 32-bit pseudo-random number. -+ -+ @param[out] Output - The buffer to store the generated random number. 
-+ -+ @retval EFI_SUCCESS On Success -+ @retval EFI_NOT_FOUND RNG protocol not found -+ @retval Others Error from RngProtocol->GetRNG() -+ -+ @return Status code -+**/ -+EFI_STATUS -+EFIAPI -+PseudoRandomU32 ( -+ OUT UINT32 *Output - ); - - #define NET_LIST_USER_STRUCT(Entry, Type, Field) \ -diff --git a/NetworkPkg/Ip4Dxe/Ip4Driver.c b/NetworkPkg/Ip4Dxe/Ip4Driver.c -index ec483ff01f..683423f38d 100644 ---- a/NetworkPkg/Ip4Dxe/Ip4Driver.c -+++ b/NetworkPkg/Ip4Dxe/Ip4Driver.c -@@ -2,6 +2,7 @@ - The driver binding and service binding protocol for IP4 driver. - - Copyright (c) 2005 - 2019, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - (C) Copyright 2015 Hewlett-Packard Development Company, L.P.
- - SPDX-License-Identifier: BSD-2-Clause-Patent -@@ -549,11 +550,18 @@ Ip4DriverBindingStart ( - EFI_IP4_CONFIG2_PROTOCOL *Ip4Cfg2; - UINTN Index; - IP4_CONFIG2_DATA_ITEM *DataItem; -+ UINT32 Random; - - IpSb = NULL; - Ip4Cfg2 = NULL; - DataItem = NULL; - -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ - // - // Test for the Ip4 service binding protocol - // -@@ -653,7 +661,7 @@ Ip4DriverBindingStart ( - // - // Initialize the IP4 ID - // -- mIp4Id = (UINT16)NET_RANDOM (NetRandomInitSeed ()); -+ mIp4Id = (UINT16)Random; - - return Status; - -diff --git a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c -index 70e232ce6c..4c1354d26c 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c -+++ b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c -@@ -2276,6 +2276,13 @@ Ip6ConfigInitInstance ( - UINTN Index; - UINT16 IfIndex; - IP6_CONFIG_DATA_ITEM *DataItem; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - IpSb = IP6_SERVICE_FROM_IP6_CONFIG_INSTANCE (Instance); - -@@ -2381,7 +2388,7 @@ Ip6ConfigInitInstance ( - // The NV variable is not set, so generate a random IAID, and write down the - // fresh new configuration as the NV variable now. - // -- Instance->IaId = NET_RANDOM (NetRandomInitSeed ()); -+ Instance->IaId = Random; - - for (Index = 0; Index < IpSb->SnpMode.HwAddressSize; Index++) { - Instance->IaId |= (IpSb->SnpMode.CurrentAddress.Addr[Index] << ((Index << 3) & 31)); -diff --git a/NetworkPkg/Ip6Dxe/Ip6Driver.c b/NetworkPkg/Ip6Dxe/Ip6Driver.c -index b483a7d136..cbe011dad4 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6Driver.c -+++ b/NetworkPkg/Ip6Dxe/Ip6Driver.c -@@ -3,7 +3,7 @@ - - Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
- (C) Copyright 2015 Hewlett-Packard Development Company, L.P.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -316,7 +316,11 @@ Ip6CreateService ( - IpSb->CurHopLimit = IP6_HOP_LIMIT; - IpSb->LinkMTU = IP6_MIN_LINK_MTU; - IpSb->BaseReachableTime = IP6_REACHABLE_TIME; -- Ip6UpdateReachableTime (IpSb); -+ Status = Ip6UpdateReachableTime (IpSb); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } -+ - // - // RFC4861 RETRANS_TIMER: 1,000 milliseconds - // -@@ -516,11 +520,18 @@ Ip6DriverBindingStart ( - EFI_STATUS Status; - EFI_IP6_CONFIG_PROTOCOL *Ip6Cfg; - IP6_CONFIG_DATA_ITEM *DataItem; -+ UINT32 Random; - - IpSb = NULL; - Ip6Cfg = NULL; - DataItem = NULL; - -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ - // - // Test for the Ip6 service binding protocol - // -@@ -656,7 +667,7 @@ Ip6DriverBindingStart ( - // - // Initialize the IP6 ID - // -- mIp6Id = NET_RANDOM (NetRandomInitSeed ()); -+ mIp6Id = Random; - - return EFI_SUCCESS; - -diff --git a/NetworkPkg/Ip6Dxe/Ip6If.c b/NetworkPkg/Ip6Dxe/Ip6If.c -index 4629c05f25..f3d11c4d21 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6If.c -+++ b/NetworkPkg/Ip6Dxe/Ip6If.c -@@ -2,7 +2,7 @@ - Implement IP6 pseudo interface. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -89,6 +89,14 @@ Ip6SetAddress ( - IP6_PREFIX_LIST_ENTRY *PrefixEntry; - UINT64 Delay; - IP6_DELAY_JOIN_LIST *DelayNode; -+ EFI_STATUS Status; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - NET_CHECK_SIGNATURE (Interface, IP6_INTERFACE_SIGNATURE); - -@@ -164,7 +172,7 @@ Ip6SetAddress ( - // Thus queue the address to be processed in Duplicate Address Detection module - // after the delay time (in milliseconds). - // -- Delay = (UINT64)NET_RANDOM (NetRandomInitSeed ()); -+ Delay = (UINT64)Random; - Delay = MultU64x32 (Delay, IP6_ONE_SECOND_IN_MS); - Delay = RShiftU64 (Delay, 32); - -diff --git a/NetworkPkg/Ip6Dxe/Ip6Mld.c b/NetworkPkg/Ip6Dxe/Ip6Mld.c -index e6b2b653e2..498a118543 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6Mld.c -+++ b/NetworkPkg/Ip6Dxe/Ip6Mld.c -@@ -696,7 +696,15 @@ Ip6UpdateDelayTimer ( - IN OUT IP6_MLD_GROUP *Group - ) - { -- UINT32 Delay; -+ UINT32 Delay; -+ EFI_STATUS Status; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - // - // If the Query packet specifies a Maximum Response Delay of zero, perform timer -@@ -715,7 +723,7 @@ Ip6UpdateDelayTimer ( - // is less than the remaining value of the running timer. 
- // - if ((Group->DelayTimer == 0) || (Delay < Group->DelayTimer)) { -- Group->DelayTimer = Delay / 4294967295UL * NET_RANDOM (NetRandomInitSeed ()); -+ Group->DelayTimer = Delay / 4294967295UL * Random; - } - - return EFI_SUCCESS; -diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.c b/NetworkPkg/Ip6Dxe/Ip6Nd.c -index c10c7017f8..72aa45c10f 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6Nd.c -+++ b/NetworkPkg/Ip6Dxe/Ip6Nd.c -@@ -2,7 +2,7 @@ - Implementation of Neighbor Discovery support routines. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -16,17 +16,28 @@ EFI_MAC_ADDRESS mZeroMacAddress; - - @param[in, out] IpSb Points to the IP6_SERVICE. - -+ @retval EFI_SUCCESS ReachableTime Updated -+ @retval others Failed to update ReachableTime - **/ --VOID -+EFI_STATUS - Ip6UpdateReachableTime ( - IN OUT IP6_SERVICE *IpSb - ) - { -- UINT32 Random; -+ UINT32 Random; -+ EFI_STATUS Status; - -- Random = (NetRandomInitSeed () / 4294967295UL) * IP6_RANDOM_FACTOR_SCALE; -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ -+ Random = (Random / 4294967295UL) * IP6_RANDOM_FACTOR_SCALE; - Random = Random + IP6_MIN_RANDOM_FACTOR_SCALED; - IpSb->ReachableTime = (IpSb->BaseReachableTime * Random) / IP6_RANDOM_FACTOR_SCALE; -+ -+ return EFI_SUCCESS; - } - - /** -@@ -972,10 +983,17 @@ Ip6InitDADProcess ( - IP6_SERVICE *IpSb; - EFI_STATUS Status; - UINT32 MaxDelayTick; -+ UINT32 Random; - - NET_CHECK_SIGNATURE (IpIf, IP6_INTERFACE_SIGNATURE); - ASSERT (AddressInfo != NULL); - -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ - // - // Do nothing if we have already started DAD on the address. - // -@@ -1014,7 +1032,7 @@ Ip6InitDADProcess ( - Entry->Transmit = 0; - Entry->Receive = 0; - MaxDelayTick = IP6_MAX_RTR_SOLICITATION_DELAY / IP6_TIMER_INTERVAL_IN_MS; -- Entry->RetransTick = (MaxDelayTick * ((NET_RANDOM (NetRandomInitSeed ()) % 5) + 1)) / 5; -+ Entry->RetransTick = (MaxDelayTick * ((Random % 5) + 1)) / 5; - Entry->AddressInfo = AddressInfo; - Entry->Callback = Callback; - Entry->Context = Context; -@@ -2078,7 +2096,10 @@ Ip6ProcessRouterAdvertise ( - // in BaseReachableTime and recompute a ReachableTime. 
- // - IpSb->BaseReachableTime = ReachableTime; -- Ip6UpdateReachableTime (IpSb); -+ Status = Ip6UpdateReachableTime (IpSb); -+ if (EFI_ERROR (Status)) { -+ goto Exit; -+ } - } - - if (RetransTimer != 0) { -diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.h b/NetworkPkg/Ip6Dxe/Ip6Nd.h -index bf64e9114e..5795e23c7d 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6Nd.h -+++ b/NetworkPkg/Ip6Dxe/Ip6Nd.h -@@ -2,7 +2,7 @@ - Definition of Neighbor Discovery support routines. - - Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -780,10 +780,10 @@ Ip6OnArpResolved ( - /** - Update the ReachableTime in IP6 service binding instance data, in milliseconds. - -- @param[in, out] IpSb Points to the IP6_SERVICE. -- -+ @retval EFI_SUCCESS ReachableTime Updated -+ @retval others Failed to update ReachableTime - **/ --VOID -+EFI_STATUS - Ip6UpdateReachableTime ( - IN OUT IP6_SERVICE *IpSb - ); -diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c -index fd4a9e15a8..01c13c08d2 100644 ---- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c -+++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c -@@ -3,6 +3,7 @@ - - Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.
- (C) Copyright 2015 Hewlett Packard Enterprise Development LP
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - **/ - -@@ -31,6 +32,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent - #include - #include - #include -+#include - - #define NIC_ITEM_CONFIG_SIZE (sizeof (NIC_IP4_CONFIG_INFO) + sizeof (EFI_IP4_ROUTE_TABLE) * MAX_IP4_CONFIG_IN_VARIABLE) - #define DEFAULT_ZERO_START ((UINTN) ~0) -@@ -127,6 +129,25 @@ GLOBAL_REMOVE_IF_UNREFERENCED VLAN_DEVICE_PATH mNetVlanDevicePathTemplate = { - 0 - }; - -+// -+// These represent UEFI SPEC defined algorithms that should be supported by -+// the RNG protocol and are generally considered secure. -+// -+// The order of the algorithms in this array is important. This order is the order -+// in which the algorithms will be tried by the RNG protocol. -+// If your platform needs to use a specific algorithm for the random number generator, -+// then you should place that algorithm first in the array. -+// -+GLOBAL_REMOVE_IF_UNREFERENCED EFI_GUID *mSecureHashAlgorithms[] = { -+ &gEfiRngAlgorithmSp80090Ctr256Guid, // SP800-90A DRBG CTR using AES-256 -+ &gEfiRngAlgorithmSp80090Hmac256Guid, // SP800-90A DRBG HMAC using SHA-256 -+ &gEfiRngAlgorithmSp80090Hash256Guid, // SP800-90A DRBG Hash using SHA-256 -+ &gEfiRngAlgorithmArmRndr, // unspecified SP800-90A DRBG via ARM RNDR register -+ &gEfiRngAlgorithmRaw, // Raw data from NRBG (or TRNG) -+}; -+ -+#define SECURE_HASH_ALGORITHMS_SIZE (sizeof (mSecureHashAlgorithms) / sizeof (EFI_GUID *)) -+ - /** - Locate the handles that support SNP, then open one of them - to send the syslog packets. The caller isn't required to close -@@ -884,34 +905,107 @@ Ip6Swap128 ( - } - - /** -- Initialize a random seed using current time and monotonic count. -+ Generate a Random output data given a length. - -- Get current time and monotonic count first. 
Then initialize a random seed -- based on some basic mathematics operation on the hour, day, minute, second, -- nanosecond and year of the current time and the monotonic count value. -+ @param[out] Output - The buffer to store the generated random data. -+ @param[in] OutputLength - The length of the output buffer. - -- @return The random seed initialized with current time. -+ @retval EFI_SUCCESS On Success -+ @retval EFI_INVALID_PARAMETER Pointer is null or size is zero -+ @retval EFI_NOT_FOUND RNG protocol not found -+ @retval Others Error from RngProtocol->GetRNG() - -+ @return Status code - **/ --UINT32 -+EFI_STATUS - EFIAPI --NetRandomInitSeed ( -- VOID -+PseudoRandom ( -+ OUT VOID *Output, -+ IN UINTN OutputLength - ) - { -- EFI_TIME Time; -- UINT32 Seed; -- UINT64 MonotonicCount; -+ EFI_RNG_PROTOCOL *RngProtocol; -+ EFI_STATUS Status; -+ UINTN AlgorithmIndex; -+ -+ if ((Output == NULL) || (OutputLength == 0)) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ Status = gBS->LocateProtocol (&gEfiRngProtocolGuid, NULL, (VOID **)&RngProtocol); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to locate EFI_RNG_PROTOCOL: %r\n", Status)); -+ ASSERT_EFI_ERROR (Status); -+ return Status; -+ } -+ -+ if (PcdGetBool (PcdEnforceSecureRngAlgorithms)) { -+ for (AlgorithmIndex = 0; AlgorithmIndex < SECURE_HASH_ALGORITHMS_SIZE; AlgorithmIndex++) { -+ Status = RngProtocol->GetRNG (RngProtocol, mSecureHashAlgorithms[AlgorithmIndex], OutputLength, (UINT8 *)Output); -+ if (!EFI_ERROR (Status)) { -+ // -+ // Secure Algorithm was supported on this platform -+ // -+ return EFI_SUCCESS; -+ } else if (Status == EFI_UNSUPPORTED) { -+ // -+ // Secure Algorithm was not supported on this platform -+ // -+ DEBUG ((DEBUG_ERROR, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status)); -+ -+ // -+ // Try the next secure algorithm -+ // -+ continue; -+ } else { -+ // -+ // Some other error occurred -+ // -+ DEBUG ((DEBUG_ERROR, "Failed to generate 
random data using secure algorithm %d: %r\n", AlgorithmIndex, Status)); -+ ASSERT_EFI_ERROR (Status); -+ return Status; -+ } -+ } -+ -+ // -+ // If we get here, we failed to generate random data using any secure algorithm -+ // Platform owner should ensure that at least one secure algorithm is supported -+ // -+ ASSERT_EFI_ERROR (Status); -+ return Status; -+ } -+ -+ // -+ // Lets try using the default algorithm (which may not be secure) -+ // -+ Status = RngProtocol->GetRNG (RngProtocol, NULL, OutputLength, (UINT8 *)Output); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random data: %r\n", __func__, Status)); -+ ASSERT_EFI_ERROR (Status); -+ return Status; -+ } - -- gRT->GetTime (&Time, NULL); -- Seed = (Time.Hour << 24 | Time.Day << 16 | Time.Minute << 8 | Time.Second); -- Seed ^= Time.Nanosecond; -- Seed ^= Time.Year << 7; -+ return EFI_SUCCESS; -+} -+ -+/** -+ Generate a 32-bit pseudo-random number. - -- gBS->GetNextMonotonicCount (&MonotonicCount); -- Seed += (UINT32)MonotonicCount; -+ @param[out] Output - The buffer to store the generated random number. - -- return Seed; -+ @retval EFI_SUCCESS On Success -+ @retval EFI_NOT_FOUND RNG protocol not found -+ @retval Others Error from RngProtocol->GetRNG() -+ -+ @return Status code -+**/ -+EFI_STATUS -+EFIAPI -+PseudoRandomU32 ( -+ OUT UINT32 *Output -+ ) -+{ -+ return PseudoRandom (Output, sizeof (*Output)); - } - - /** -diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf -index 8145d256ec..a8f534a293 100644 ---- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf -+++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf -@@ -3,6 +3,7 @@ - # - # Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
- # (C) Copyright 2015 Hewlett Packard Enterprise Development LP
-+# Copyright (c) Microsoft Corporation - # SPDX-License-Identifier: BSD-2-Clause-Patent - # - ## -@@ -49,7 +50,11 @@ - gEfiSmbiosTableGuid ## SOMETIMES_CONSUMES ## SystemTable - gEfiSmbios3TableGuid ## SOMETIMES_CONSUMES ## SystemTable - gEfiAdapterInfoMediaStateGuid ## SOMETIMES_CONSUMES -- -+ gEfiRngAlgorithmRaw ## CONSUMES -+ gEfiRngAlgorithmSp80090Ctr256Guid ## CONSUMES -+ gEfiRngAlgorithmSp80090Hmac256Guid ## CONSUMES -+ gEfiRngAlgorithmSp80090Hash256Guid ## CONSUMES -+ gEfiRngAlgorithmArmRndr ## CONSUMES - - [Protocols] - gEfiSimpleNetworkProtocolGuid ## SOMETIMES_CONSUMES -@@ -59,3 +64,10 @@ - gEfiComponentNameProtocolGuid ## SOMETIMES_CONSUMES - gEfiComponentName2ProtocolGuid ## SOMETIMES_CONSUMES - gEfiAdapterInformationProtocolGuid ## SOMETIMES_CONSUMES -+ gEfiRngProtocolGuid ## CONSUMES -+ -+[FixedPcd] -+ gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms ## CONSUMES -+ -+[Depex] -+ gEfiRngProtocolGuid -diff --git a/NetworkPkg/NetworkPkg.dec b/NetworkPkg/NetworkPkg.dec -index 928e84fec4..ff335e957c 100644 ---- a/NetworkPkg/NetworkPkg.dec -+++ b/NetworkPkg/NetworkPkg.dec -@@ -5,6 +5,7 @@ - # - # Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved.
- # (C) Copyright 2015-2020 Hewlett Packard Enterprise Development LP
-+# Copyright (c) Microsoft Corporation - # - # SPDX-License-Identifier: BSD-2-Clause-Patent - # -@@ -127,6 +128,12 @@ - # @Prompt Indicates whether SnpDxe creates event for ExitBootServices() call. - gEfiNetworkPkgTokenSpaceGuid.PcdSnpCreateExitBootServicesEvent|TRUE|BOOLEAN|0x1000000C - -+ ## Enforces the use of Secure UEFI spec defined RNG algorithms for all network connections. -+ # TRUE - Enforce the use of Secure UEFI spec defined RNG algorithms. -+ # FALSE - Do not enforce and depend on the default implementation of RNG algorithm from the provider. -+ # @Prompt Enforce the use of Secure UEFI spec defined RNG algorithms. -+ gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms|TRUE|BOOLEAN|0x1000000D -+ - [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] - ## IPv6 DHCP Unique Identifier (DUID) Type configuration (From RFCs 3315 and 6355). - # 01 = DUID Based on Link-layer Address Plus Time [DUID-LLT] -diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml -index 7e900483fe..2b2c794697 100644 ---- a/NetworkPkg/SecurityFixes.yaml -+++ b/NetworkPkg/SecurityFixes.yaml -@@ -121,3 +121,42 @@ CVE_2023_45235: - - http://www.openwall.com/lists/oss-security/2024/01/16/2 - - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html - - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html -+CVE_2023_45237: -+ commit_titles: -+ - "NetworkPkg:: SECURITY PATCH CVE 2023-45237" -+ cve: CVE-2023-45237 -+ date_reported: 2023-08-28 13:56 UTC -+ description: "Bug 09 - Use of a Weak PseudoRandom Number Generator" -+ note: -+ files_impacted: -+ - NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c -+ - NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c -+ - NetworkPkg/DnsDxe/DnsDhcp.c -+ - NetworkPkg/DnsDxe/DnsImpl.c -+ - NetworkPkg/HttpBootDxe/HttpBootDhcp6.c -+ - NetworkPkg/IScsiDxe/IScsiCHAP.c -+ - NetworkPkg/IScsiDxe/IScsiMisc.c -+ - NetworkPkg/IScsiDxe/IScsiMisc.h -+ - 
NetworkPkg/Include/Library/NetLib.h -+ - NetworkPkg/Ip4Dxe/Ip4Driver.c -+ - NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c -+ - NetworkPkg/Ip6Dxe/Ip6Driver.c -+ - NetworkPkg/Ip6Dxe/Ip6If.c -+ - NetworkPkg/Ip6Dxe/Ip6Mld.c -+ - NetworkPkg/Ip6Dxe/Ip6Nd.c -+ - NetworkPkg/Ip6Dxe/Ip6Nd.h -+ - NetworkPkg/Library/DxeNetLib/DxeNetLib.c -+ - NetworkPkg/Library/DxeNetLib/DxeNetLib.inf -+ - NetworkPkg/NetworkPkg.dec -+ - NetworkPkg/TcpDxe/TcpDriver.c -+ - NetworkPkg/Udp4Dxe/Udp4Driver.c -+ - NetworkPkg/Udp6Dxe/Udp6Driver.c -+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c -+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -+ - NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c -+ links: -+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4542 -+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45237 -+ - http://www.openwall.com/lists/oss-security/2024/01/16/2 -+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html -+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html -diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c -index 98a90e0210..8fe6badd68 100644 ---- a/NetworkPkg/TcpDxe/TcpDriver.c -+++ b/NetworkPkg/TcpDxe/TcpDriver.c -@@ -2,7 +2,7 @@ - The driver binding and service binding protocol for the TCP driver. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -163,7 +163,13 @@ TcpDriverEntryPoint ( - ) - { - EFI_STATUS Status; -- UINT32 Seed; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - // - // Install the TCP Driver Binding Protocol -@@ -203,9 +209,8 @@ TcpDriverEntryPoint ( - // - // Initialize ISS and random port. - // -- Seed = NetRandomInitSeed (); -- mTcpGlobalIss = NET_RANDOM (Seed) % mTcpGlobalIss; -- mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (NET_RANDOM (Seed) % TCP_PORT_KNOWN)); -+ mTcpGlobalIss = Random % mTcpGlobalIss; -+ mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN)); - mTcp6RandomPort = mTcp4RandomPort; - - return EFI_SUCCESS; -diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf -index c0acbdca57..cf5423f4c5 100644 ---- a/NetworkPkg/TcpDxe/TcpDxe.inf -+++ b/NetworkPkg/TcpDxe/TcpDxe.inf -@@ -82,5 +82,8 @@ - gEfiTcp6ProtocolGuid ## BY_START - gEfiTcp6ServiceBindingProtocolGuid ## BY_START - -+[Depex] -+ gEfiHash2ServiceBindingProtocolGuid -+ - [UserExtensions.TianoCore."ExtraFiles"] - TcpDxeExtra.uni -diff --git a/NetworkPkg/Udp4Dxe/Udp4Driver.c b/NetworkPkg/Udp4Dxe/Udp4Driver.c -index cb917fcfc9..c7ea16f4cd 100644 ---- a/NetworkPkg/Udp4Dxe/Udp4Driver.c -+++ b/NetworkPkg/Udp4Dxe/Udp4Driver.c -@@ -1,6 +1,7 @@ - /** @file - - Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -555,6 +556,13 @@ Udp4DriverEntryPoint ( - ) - { - EFI_STATUS Status; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - // - // Install the Udp4DriverBinding and Udp4ComponentName protocols. -@@ -571,7 +579,7 @@ Udp4DriverEntryPoint ( - // - // Initialize the UDP random port. - // -- mUdp4RandomPort = (UINT16)(((UINT16)NetRandomInitSeed ()) % UDP4_PORT_KNOWN + UDP4_PORT_KNOWN); -+ mUdp4RandomPort = (UINT16)(((UINT16)Random) % UDP4_PORT_KNOWN + UDP4_PORT_KNOWN); - } - - return Status; -diff --git a/NetworkPkg/Udp6Dxe/Udp6Driver.c b/NetworkPkg/Udp6Dxe/Udp6Driver.c -index ae96fb9966..edb758d57c 100644 ---- a/NetworkPkg/Udp6Dxe/Udp6Driver.c -+++ b/NetworkPkg/Udp6Dxe/Udp6Driver.c -@@ -2,7 +2,7 @@ - Driver Binding functions and Service Binding functions for the Network driver module. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -596,6 +596,13 @@ Udp6DriverEntryPoint ( - ) - { - EFI_STATUS Status; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - // - // Install the Udp6DriverBinding and Udp6ComponentName protocols. -@@ -614,7 +621,7 @@ Udp6DriverEntryPoint ( - // Initialize the UDP random port. - // - mUdp6RandomPort = (UINT16)( -- ((UINT16)NetRandomInitSeed ()) % -+ ((UINT16)Random) % - UDP6_PORT_KNOWN + - UDP6_PORT_KNOWN - ); -diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c -index 91146b78cb..452038c219 100644 ---- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c -+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c -@@ -2,7 +2,7 @@ - Functions implementation related with DHCPv4 for UefiPxeBc Driver. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -1381,6 +1381,12 @@ PxeBcDhcp4Discover ( - UINT8 VendorOptLen; - UINT32 Xid; - -+ Status = PseudoRandomU32 (&Xid); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ - Mode = Private->PxeBc.Mode; - Dhcp4 = Private->Dhcp4; - Status = EFI_SUCCESS; -@@ -1471,7 +1477,6 @@ PxeBcDhcp4Discover ( - // - // Set fields of the token for the request packet. - // -- Xid = NET_RANDOM (NetRandomInitSeed ()); - Token.Packet->Dhcp4.Header.Xid = HTONL (Xid); - Token.Packet->Dhcp4.Header.Reserved = HTONS ((UINT16)((IsBCast) ? 0x8000 : 0x0)); - CopyMem (&Token.Packet->Dhcp4.Header.ClientAddr, &Private->StationIp, sizeof (EFI_IPv4_ADDRESS)); -diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -index 7fd1281c11..bcabbd2219 100644 ---- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -@@ -2180,7 +2180,7 @@ PxeBcDhcp6Discover ( - UINTN ReadSize; - UINT16 OpCode; - UINT16 OpLen; -- UINT32 Xid; -+ UINT32 Random; - EFI_STATUS Status; - UINTN DiscoverLenNeeded; - -@@ -2198,6 +2198,12 @@ PxeBcDhcp6Discover ( - return EFI_DEVICE_ERROR; - } - -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ - DiscoverLenNeeded = sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET); - Discover = AllocateZeroPool (DiscoverLenNeeded); - if (Discover == NULL) { -@@ -2207,8 +2213,7 @@ PxeBcDhcp6Discover ( - // - // Build the discover packet by the cached request packet before. 
- // -- Xid = NET_RANDOM (NetRandomInitSeed ()); -- Discover->TransactionId = HTONL (Xid); -+ Discover->TransactionId = HTONL (Random); - Discover->MessageType = Request->Dhcp6.Header.MessageType; - RequestOpt = Request->Dhcp6.Option; - DiscoverOpt = Discover->DhcpOptions; -diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c -index d84aca7e85..4cd915b411 100644 ---- a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c -+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c -@@ -3,6 +3,7 @@ - - (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
- Copyright (c) 2007 - 2019, Intel Corporation. All rights reserved.
-+ Copyright (c) Microsoft Corporation - - SPDX-License-Identifier: BSD-2-Clause-Patent - -@@ -892,6 +893,13 @@ PxeBcCreateIp6Children ( - PXEBC_PRIVATE_PROTOCOL *Id; - EFI_SIMPLE_NETWORK_PROTOCOL *Snp; - UINTN Index; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to generate random number using EFI_RNG_PROTOCOL: %r\n", Status)); -+ return Status; -+ } - - if (Private->Ip6Nic != NULL) { - // -@@ -935,9 +943,9 @@ PxeBcCreateIp6Children ( - } - - // -- // Generate a random IAID for the Dhcp6 assigned address. -+ // Set a random IAID for the Dhcp6 assigned address. - // -- Private->IaId = NET_RANDOM (NetRandomInitSeed ()); -+ Private->IaId = Random; - if (Private->Snp != NULL) { - for (Index = 0; Index < Private->Snp->Mode->HwAddressSize; Index++) { - Private->IaId |= (Private->Snp->Mode->CurrentAddress.Addr[Index] << ((Index << 3) & 31)); --- -2.40.0 - diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index d52e3f4971..bb345688ac 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb 
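Review bot: the scaling arithmetic in Ip6UpdateReachableTime (Ip6Nd.c) still divides before it multiplies: `Random = (Random / 4294967295UL) * IP6_RANDOM_FACTOR_SCALE;` is an integer division of a UINT32 by 0xFFFFFFFF, which is 0 for every value except 0xFFFFFFFF, so the factor collapses to IP6_MIN_RANDOM_FACTOR_SCALED and ReachableTime is effectively never randomised. The same pattern is kept in Ip6UpdateDelayTimer (Ip6Mld.c): `Group->DelayTimer = Delay / 4294967295UL * Random;` evaluates as (Delay / 4294967295UL) * Random and is 0 for any Delay below 0xFFFFFFFF. Both expressions are inherited unchanged from the NET_RANDOM versions they replace, so swapping the randomness source does not change the result; the scaling should be a 64-bit multiply followed by a shift, the way Ip6SetAddress in Ip6If.c already does it for the DAD delay (`MultU64x32` then `RShiftU64 (Delay, 32)`).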
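Review bot: the `[Depex] gEfiRngProtocolGuid` added to DxeNetLib.inf is a library depex, which EDK II ANDs into the depex of every module that links DxeNetLib, so none of the network drivers will dispatch on a platform that ships no EFI_RNG_PROTOCOL producer; that is a platform-visible behaviour change and deserves a sentence in the commit message and a remark next to PcdEnforceSecureRngAlgorithms in NetworkPkg.dec, since the PCD alone does not remove the dependency. Separately, the `[Depex] gEfiHash2ServiceBindingProtocolGuid` added to TcpDxe.inf does not match anything TcpDriver.c consumes in this patch (the driver only calls PseudoRandomU32), so either it belongs with the TCP ISN change for CVE-2023-45236 or its rationale should be stated here.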
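Review bot: in TcpDriverEntryPoint (TcpDriver.c) a single 32-bit `Random` now feeds both `mTcpGlobalIss = Random % mTcpGlobalIss;` and `mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN));`, so the initial ISS and the ephemeral port base are derived from the same value and are not independent. The old code had the same coupling through one Seed, but with a real RNG behind PseudoRandomU32 it costs nothing to draw two values (or call PseudoRandom into a UINT32[2]) so that the port assignment reveals nothing about the ISS.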
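Review bot: in PseudoRandom (DxeNetLib.c) the EFI_UNSUPPORTED branch of the algorithm loop logs at DEBUG_ERROR ("Failed to generate random data using secure algorithm %d: %r") even though moving on to the next GUID is the expected path, so a platform that implements only the Raw algorithm emits four error lines on every call; DEBUG_WARN or DEBUG_VERBOSE fits that branch better, and printing the algorithm GUID with `%g` would be more useful than the array index. The table is also named mSecureHashAlgorithms / SECURE_HASH_ALGORITHMS_SIZE although it holds RNG algorithm GUIDs (CTR-DRBG, HMAC-DRBG, Hash-DRBG, RNDR, Raw); mSecureRngAlgorithms would match its contents.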
@@ -47,8 +47,6 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \ file://CVE-2023-45229-0002.patch \ file://CVE-2023-45229-0003.patch \ file://CVE-2023-45229-0004.patch \ - file://CVE-2023-45237-0001.patch \ - file://CVE-2023-45237-0002.patch \ file://CVE-2023-45236.patch \ file://CVE-2022-36765-0001.patch \ file://CVE-2022-36765-0002.patch \

From patchwork Tue Feb 25 14:29:45 2025
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 10/22] Revert "ovmf: Fix CVE-2023-45236"
Date: Tue, 25 Feb 2025 06:29:45 -0800
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211896

From: Kai Kang

This reverts commit a9cd3321558e95f61ed4c5eca0dcf5a3f4704925.

The fix for CVE-2023-45237 has been reverted. And the fix for CVE-2023-45236 depends on it. So revert it too.

Signed-off-by: Kai Kang
Signed-off-by: Steve Sakoman
---
 .../ovmf/ovmf/CVE-2023-45236.patch | 829 ------------------
 meta/recipes-core/ovmf/ovmf_git.bb | 1 -
 2 files changed, 830 deletions(-)
 delete mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45236.patch

diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45236.patch b/meta/recipes-core/ovmf/ovmf/CVE-2023-45236.patch deleted file mode 100644 index ac43392ce6..0000000000 --- a/meta/recipes-core/ovmf/ovmf/CVE-2023-45236.patch +++ /dev/null
@@ -1,829 +0,0 @@ -From 1904a64bcc18199738e5be183d28887ac5d837d7 Mon Sep 17 00:00:00 2001 -From: Doug Flick -Date: Wed, 8 May 2024 22:56:29 -0700 -Subject: [PATCH] NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236 - -REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541 -REF: https://www.rfc-editor.org/rfc/rfc1948.txt -REF: https://www.rfc-editor.org/rfc/rfc6528.txt -REF: https://www.rfc-editor.org/rfc/rfc9293.txt - -Bug Overview: -PixieFail Bug #8 -CVE-2023-45236 -CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N -CWE-200 Exposure of Sensitive Information to an Unauthorized Actor - -Updates TCP ISN generation to use a cryptographic hash of the -connection's identifying parameters and a secret key. -This prevents an attacker from guessing the ISN used for some other -connection. - -This is follows the guidance in RFC 1948, RFC 6528, and RFC 9293. - -RFC: 9293 Section 3.4.1. Initial Sequence Number Selection - - A TCP implementation MUST use the above type of "clock" for clock- - driven selection of initial sequence numbers (MUST-8), and SHOULD - generate its initial sequence numbers with the expression: - - ISN = M + F(localip, localport, remoteip, remoteport, secretkey) - - where M is the 4 microsecond timer, and F() is a pseudorandom - function (PRF) of the connection's identifying parameters ("localip, - localport, remoteip, remoteport") and a secret key ("secretkey") - (SHLD-1). F() MUST NOT be computable from the outside (MUST-9), or - an attacker could still guess at sequence numbers from the ISN used - for some other connection. The PRF could be implemented as a - cryptographic hash of the concatenation of the TCP connection - parameters and some secret data. For discussion of the selection of - a specific hash algorithm and management of the secret key data, - please see Section 3 of [42]. - - For each connection there is a send sequence number and a receive - sequence number. 
The initial send sequence number (ISS) is chosen by - the data sending TCP peer, and the initial receive sequence number - (IRS) is learned during the connection-establishing procedure. - - For a connection to be established or initialized, the two TCP peers - must synchronize on each other's initial sequence numbers. This is - done in an exchange of connection-establishing segments carrying a - control bit called "SYN" (for synchronize) and the initial sequence - numbers. As a shorthand, segments carrying the SYN bit are also - called "SYNs". Hence, the solution requires a suitable mechanism for - picking an initial sequence number and a slightly involved handshake - to exchange the ISNs. - -Cc: Saloni Kasbekar -Cc: Zachary Clark-williams - -Signed-off-by: Doug Flick [MSFT] -Reviewed-by: Saloni Kasbekar - -CVE: CVE-2023-45236 - -Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/1904a64bcc18199738e5be183d28887ac5d837d7] - -Signed-off-by: Soumya Sambu ---- - NetworkPkg/SecurityFixes.yaml | 22 +++ - NetworkPkg/TcpDxe/TcpDriver.c | 92 ++++++++++++- - NetworkPkg/TcpDxe/TcpDxe.inf | 8 +- - NetworkPkg/TcpDxe/TcpFunc.h | 23 ++-- - NetworkPkg/TcpDxe/TcpInput.c | 13 +- - NetworkPkg/TcpDxe/TcpMain.h | 59 ++++++-- - NetworkPkg/TcpDxe/TcpMisc.c | 244 ++++++++++++++++++++++++++++++++-- - NetworkPkg/TcpDxe/TcpTimer.c | 3 +- - 8 files changed, 415 insertions(+), 49 deletions(-) - -diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml -index 2b2c794697..ab355419cc 100644 ---- a/NetworkPkg/SecurityFixes.yaml -+++ b/NetworkPkg/SecurityFixes.yaml -@@ -121,6 +121,28 @@ CVE_2023_45235: - - http://www.openwall.com/lists/oss-security/2024/01/16/2 - - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html - - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html -+CVE_2023_45236: -+ commit_titles: -+ - "NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Patch" -+ cve: 
CVE-2023-45236 -+ date_reported: 2023-08-28 13:56 UTC -+ description: "Bug 08 - edk2/NetworkPkg: Predictable TCP Initial Sequence Numbers" -+ note: -+ files_impacted: -+ - NetworkPkg/Include/Library/NetLib.h -+ - NetworkPkg/TcpDxe/TcpDriver.c -+ - NetworkPkg/TcpDxe/TcpDxe.inf -+ - NetworkPkg/TcpDxe/TcpFunc.h -+ - NetworkPkg/TcpDxe/TcpInput.c -+ - NetworkPkg/TcpDxe/TcpMain.h -+ - NetworkPkg/TcpDxe/TcpMisc.c -+ - NetworkPkg/TcpDxe/TcpTimer.c -+ links: -+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4541 -+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45236 -+ - http://www.openwall.com/lists/oss-security/2024/01/16/2 -+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html -+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html - CVE_2023_45237: - commit_titles: - - "NetworkPkg:: SECURITY PATCH CVE 2023-45237" -diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c -index 8fe6badd68..40bba4080c 100644 ---- a/NetworkPkg/TcpDxe/TcpDriver.c -+++ b/NetworkPkg/TcpDxe/TcpDriver.c -@@ -83,6 +83,12 @@ EFI_SERVICE_BINDING_PROTOCOL gTcpServiceBinding = { - TcpServiceBindingDestroyChild - }; - -+// -+// This is the handle for the Hash2ServiceBinding Protocol instance this driver produces -+// if the platform does not provide one. -+// -+EFI_HANDLE mHash2ServiceHandle = NULL; -+ - /** - Create and start the heartbeat timer for the TCP driver. - -@@ -165,6 +171,23 @@ TcpDriverEntryPoint ( - EFI_STATUS Status; - UINT32 Random; - -+ // -+ // Initialize the Secret used for hashing TCP sequence numbers -+ // -+ // Normally this should be regenerated periodically, but since -+ // this is only used for UEFI networking and not a general purpose -+ // operating system, it is not necessary to regenerate it. 
-+ // -+ Status = PseudoRandomU32 (&mTcpGlobalSecret); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ -+ // -+ // Get a random number used to generate a random port number -+ // Intentionally not linking this to mTcpGlobalSecret to avoid leaking information about the secret -+ // - Status = PseudoRandomU32 (&Random); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n", __func__, Status)); -@@ -207,9 +230,8 @@ TcpDriverEntryPoint ( - } - - // -- // Initialize ISS and random port. -+ // Initialize the random port. - // -- mTcpGlobalIss = Random % mTcpGlobalIss; - mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN)); - mTcp6RandomPort = mTcp4RandomPort; - -@@ -224,6 +246,8 @@ TcpDriverEntryPoint ( - @param[in] IpVersion IP_VERSION_4 or IP_VERSION_6. - - @retval EFI_OUT_OF_RESOURCES Failed to allocate some resources. -+ @retval EFI_UNSUPPORTED Service Binding Protocols are unavailable. -+ @retval EFI_ALREADY_STARTED The TCP driver is already started on the controller. - @retval EFI_SUCCESS A new IP6 service binding private was created. 
- - **/ -@@ -234,11 +258,13 @@ TcpCreateService ( - IN UINT8 IpVersion - ) - { -- EFI_STATUS Status; -- EFI_GUID *IpServiceBindingGuid; -- EFI_GUID *TcpServiceBindingGuid; -- TCP_SERVICE_DATA *TcpServiceData; -- IP_IO_OPEN_DATA OpenData; -+ EFI_STATUS Status; -+ EFI_GUID *IpServiceBindingGuid; -+ EFI_GUID *TcpServiceBindingGuid; -+ TCP_SERVICE_DATA *TcpServiceData; -+ IP_IO_OPEN_DATA OpenData; -+ EFI_SERVICE_BINDING_PROTOCOL *Hash2ServiceBinding; -+ EFI_HASH2_PROTOCOL *Hash2Protocol; - - if (IpVersion == IP_VERSION_4) { - IpServiceBindingGuid = &gEfiIp4ServiceBindingProtocolGuid; -@@ -272,6 +298,33 @@ TcpCreateService ( - return EFI_UNSUPPORTED; - } - -+ Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol); -+ if (EFI_ERROR (Status)) { -+ // -+ // If we can't find the Hashing protocol, then we need to create one. -+ // -+ -+ // -+ // Platform is expected to publish the hash service binding protocol to support TCP. -+ // -+ Status = gBS->LocateProtocol ( -+ &gEfiHash2ServiceBindingProtocolGuid, -+ NULL, -+ (VOID **)&Hash2ServiceBinding -+ ); -+ if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->CreateChild == NULL)) { -+ return EFI_UNSUPPORTED; -+ } -+ -+ // -+ // Create an instance of the hash protocol for this controller. -+ // -+ Status = Hash2ServiceBinding->CreateChild (Hash2ServiceBinding, &mHash2ServiceHandle); -+ if (EFI_ERROR (Status)) { -+ return EFI_UNSUPPORTED; -+ } -+ } -+ - // - // Create the TCP service data. - // -@@ -423,6 +476,7 @@ TcpDestroyService ( - EFI_STATUS Status; - LIST_ENTRY *List; - TCP_DESTROY_CHILD_IN_HANDLE_BUF_CONTEXT Context; -+ EFI_SERVICE_BINDING_PROTOCOL *Hash2ServiceBinding; - - ASSERT ((IpVersion == IP_VERSION_4) || (IpVersion == IP_VERSION_6)); - -@@ -439,6 +493,30 @@ TcpDestroyService ( - return EFI_SUCCESS; - } - -+ // -+ // Destroy the Hash2ServiceBinding instance if it is created by Tcp driver. 
-+ // -+ if (mHash2ServiceHandle != NULL) { -+ Status = gBS->LocateProtocol ( -+ &gEfiHash2ServiceBindingProtocolGuid, -+ NULL, -+ (VOID **)&Hash2ServiceBinding -+ ); -+ if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->DestroyChild == NULL)) { -+ return EFI_UNSUPPORTED; -+ } -+ -+ // -+ // Destroy the instance of the hashing protocol for this controller. -+ // -+ Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2ServiceHandle); -+ if (EFI_ERROR (Status)) { -+ return EFI_UNSUPPORTED; -+ } -+ -+ mHash2ServiceHandle = NULL; -+ } -+ - Status = gBS->OpenProtocol ( - NicHandle, - ServiceBindingGuid, -diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf -index cf5423f4c5..76de4cf9ec 100644 ---- a/NetworkPkg/TcpDxe/TcpDxe.inf -+++ b/NetworkPkg/TcpDxe/TcpDxe.inf -@@ -6,6 +6,7 @@ - # stack has been loaded in system. This driver supports both IPv4 and IPv6 network stack. - # - # Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-+# Copyright (c) Microsoft Corporation - # - # SPDX-License-Identifier: BSD-2-Clause-Patent - # -@@ -68,7 +69,6 @@ - NetLib - IpIoLib - -- - [Protocols] - ## SOMETIMES_CONSUMES - ## SOMETIMES_PRODUCES -@@ -81,6 +81,12 @@ - gEfiIp6ServiceBindingProtocolGuid ## TO_START - gEfiTcp6ProtocolGuid ## BY_START - gEfiTcp6ServiceBindingProtocolGuid ## BY_START -+ gEfiHash2ProtocolGuid ## BY_START -+ gEfiHash2ServiceBindingProtocolGuid ## BY_START -+ -+[Guids] -+ gEfiHashAlgorithmMD5Guid ## CONSUMES -+ gEfiHashAlgorithmSha256Guid ## CONSUMES - - [Depex] - gEfiHash2ServiceBindingProtocolGuid -diff --git a/NetworkPkg/TcpDxe/TcpFunc.h b/NetworkPkg/TcpDxe/TcpFunc.h -index a7af01fff2..c707bee3e5 100644 ---- a/NetworkPkg/TcpDxe/TcpFunc.h -+++ b/NetworkPkg/TcpDxe/TcpFunc.h -@@ -2,7 +2,7 @@ - Declaration of external functions shared in TCP driver. - - Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -36,8 +36,11 @@ VOID - - @param[in, out] Tcb Pointer to the TCP_CB of this TCP instance. - -+ @retval EFI_SUCCESS The operation completed successfully -+ @retval others The underlying functions failed and could not complete the operation -+ - **/ --VOID -+EFI_STATUS - TcpInitTcbLocal ( - IN OUT TCP_CB *Tcb - ); -@@ -128,17 +131,6 @@ TcpCloneTcb ( - IN TCP_CB *Tcb - ); - --/** -- Compute an ISS to be used by a new connection. -- -- @return The result ISS. -- --**/ --TCP_SEQNO --TcpGetIss ( -- VOID -- ); -- - /** - Get the local mss. - -@@ -202,8 +194,11 @@ TcpFormatNetbuf ( - @param[in, out] Tcb Pointer to the TCP_CB that wants to initiate a - connection. - -+ @retval EFI_SUCCESS The operation completed successfully -+ @retval others The underlying functions failed and could not complete the operation -+ - **/ --VOID -+EFI_STATUS - TcpOnAppConnect ( - IN OUT TCP_CB *Tcb - ); -diff --git a/NetworkPkg/TcpDxe/TcpInput.c b/NetworkPkg/TcpDxe/TcpInput.c -index fb1aa827f8..0477a15d0c 100644 ---- a/NetworkPkg/TcpDxe/TcpInput.c -+++ b/NetworkPkg/TcpDxe/TcpInput.c -@@ -724,6 +724,7 @@ TcpInput ( - TCP_SEQNO Urg; - UINT16 Checksum; - INT32 Usable; -+ EFI_STATUS Status; - - ASSERT ((Version == IP_VERSION_4) || (Version == IP_VERSION_6)); - -@@ -872,7 +873,17 @@ TcpInput ( - Tcb->LocalEnd.Port = Head->DstPort; - Tcb->RemoteEnd.Port = Head->SrcPort; - -- TcpInitTcbLocal (Tcb); -+ Status = TcpInitTcbLocal (Tcb); -+ if (EFI_ERROR (Status)) { -+ DEBUG ( -+ (DEBUG_ERROR, -+ "TcpInput: discard a segment because failed to init local end for TCB %p\n", -+ Tcb) -+ ); -+ -+ goto DISCARD; -+ } -+ - TcpInitTcbPeer (Tcb, Seg, &Option); - - TcpSetState (Tcb, TCP_SYN_RCVD); -diff --git a/NetworkPkg/TcpDxe/TcpMain.h b/NetworkPkg/TcpDxe/TcpMain.h -index c0c9b7f46e..4d5566ab93 100644 ---- a/NetworkPkg/TcpDxe/TcpMain.h -+++ b/NetworkPkg/TcpDxe/TcpMain.h -@@ -3,7 +3,7 @@ - It is the common head file 
for all Tcp*.c in TCP driver. - - Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -13,6 +13,7 @@ - - #include - #include -+#include - #include - #include - #include -@@ -31,7 +32,7 @@ extern EFI_UNICODE_STRING_TABLE *gTcpControllerNameTable; - - extern LIST_ENTRY mTcpRunQue; - extern LIST_ENTRY mTcpListenQue; --extern TCP_SEQNO mTcpGlobalIss; -+extern TCP_SEQNO mTcpGlobalSecret; - extern UINT32 mTcpTick; - - /// -@@ -45,14 +46,6 @@ extern UINT32 mTcpTick; - - #define TCP_EXPIRE_TIME 65535 - --/// --/// The implementation selects the initial send sequence number and the unit to --/// be added when it is increased. --/// --#define TCP_BASE_ISS 0x4d7e980b --#define TCP_ISS_INCREMENT_1 2048 --#define TCP_ISS_INCREMENT_2 100 -- - typedef union { - EFI_TCP4_CONFIG_DATA Tcp4CfgData; - EFI_TCP6_CONFIG_DATA Tcp6CfgData; -@@ -774,4 +767,50 @@ Tcp6Poll ( - IN EFI_TCP6_PROTOCOL *This - ); - -+/** -+ Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local -+ and remote IP addresses and ports. -+ -+ This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1 -+ Where the ISN is computed as follows: -+ ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret) -+ -+ Otherwise: -+ ISN = M + F(localip, localport, remoteip, remoteport, secretkey) -+ -+ "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the -+ connection's identifying parameters ("localip, localport, remoteip, remoteport") -+ and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the -+ outside (MUST-9), or an attacker could still guess at sequence numbers from the -+ ISN used for some other connection. The PRF could be implemented as a -+ cryptographic hash of the concatenation of the TCP connection parameters and some -+ secret data. For discussion of the selection of a specific hash algorithm and -+ management of the secret key data." 
-+ -+ @param[in] LocalIp A pointer to the local IP address of the TCP connection. -+ @param[in] LocalIpSize The size, in bytes, of the LocalIp buffer. -+ @param[in] LocalPort The local port number of the TCP connection. -+ @param[in] RemoteIp A pointer to the remote IP address of the TCP connection. -+ @param[in] RemoteIpSize The size, in bytes, of the RemoteIp buffer. -+ @param[in] RemotePort The remote port number of the TCP connection. -+ @param[out] Isn A pointer to the variable that will receive the Initial -+ Sequence Number (ISN). -+ -+ @retval EFI_SUCCESS The operation completed successfully, and the ISN was -+ retrieved. -+ @retval EFI_INVALID_PARAMETER One or more of the input parameters are invalid. -+ @retval EFI_UNSUPPORTED The operation is not supported. -+ -+**/ -+EFI_STATUS -+TcpGetIsn ( -+ IN UINT8 *LocalIp, -+ IN UINTN LocalIpSize, -+ IN UINT16 LocalPort, -+ IN UINT8 *RemoteIp, -+ IN UINTN RemoteIpSize, -+ IN UINT16 RemotePort, -+ OUT TCP_SEQNO *Isn -+ ); -+ - #endif -diff --git a/NetworkPkg/TcpDxe/TcpMisc.c b/NetworkPkg/TcpDxe/TcpMisc.c -index c93212d47d..3310306f63 100644 ---- a/NetworkPkg/TcpDxe/TcpMisc.c -+++ b/NetworkPkg/TcpDxe/TcpMisc.c -@@ -3,7 +3,7 @@ - - (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
- Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -20,7 +20,34 @@ LIST_ENTRY mTcpListenQue = { - &mTcpListenQue - }; - --TCP_SEQNO mTcpGlobalIss = TCP_BASE_ISS; -+// -+// The Session secret -+// This must be initialized to a random value at boot time -+// -+TCP_SEQNO mTcpGlobalSecret; -+ -+// -+// Union to hold either an IPv4 or IPv6 address -+// This is used to simplify the ISN hash computation -+// -+typedef union { -+ UINT8 IPv4[4]; -+ UINT8 IPv6[16]; -+} NETWORK_ADDRESS; -+ -+// -+// The ISN is computed by hashing this structure -+// It is initialized with the local and remote IP addresses and ports -+// and the secret -+// -+// -+typedef struct { -+ UINT16 LocalPort; -+ UINT16 RemotePort; -+ NETWORK_ADDRESS LocalAddress; -+ NETWORK_ADDRESS RemoteAddress; -+ TCP_SEQNO Secret; -+} ISN_HASH_CTX; - - CHAR16 *mTcpStateName[] = { - L"TCP_CLOSED", -@@ -41,12 +68,18 @@ CHAR16 *mTcpStateName[] = { - - @param[in, out] Tcb Pointer to the TCP_CB of this TCP instance. 
- -+ @retval EFI_SUCCESS The operation completed successfully -+ @retval others The underlying functions failed and could not complete the operation -+ - **/ --VOID -+EFI_STATUS - TcpInitTcbLocal ( - IN OUT TCP_CB *Tcb - ) - { -+ TCP_SEQNO Isn; -+ EFI_STATUS Status; -+ - // - // Compute the checksum of the fixed parts of pseudo header - // -@@ -57,6 +90,16 @@ TcpInitTcbLocal ( - 0x06, - 0 - ); -+ -+ Status = TcpGetIsn ( -+ Tcb->LocalEnd.Ip.v4.Addr, -+ sizeof (IPv4_ADDRESS), -+ Tcb->LocalEnd.Port, -+ Tcb->RemoteEnd.Ip.v4.Addr, -+ sizeof (IPv4_ADDRESS), -+ Tcb->RemoteEnd.Port, -+ &Isn -+ ); - } else { - Tcb->HeadSum = NetIp6PseudoHeadChecksum ( - &Tcb->LocalEnd.Ip.v6, -@@ -64,9 +107,25 @@ TcpInitTcbLocal ( - 0x06, - 0 - ); -+ -+ Status = TcpGetIsn ( -+ Tcb->LocalEnd.Ip.v6.Addr, -+ sizeof (IPv6_ADDRESS), -+ Tcb->LocalEnd.Port, -+ Tcb->RemoteEnd.Ip.v6.Addr, -+ sizeof (IPv6_ADDRESS), -+ Tcb->RemoteEnd.Port, -+ &Isn -+ ); -+ } -+ -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "TcpInitTcbLocal: failed to get isn\n")); -+ ASSERT (FALSE); -+ return Status; - } - -- Tcb->Iss = TcpGetIss (); -+ Tcb->Iss = Isn; - Tcb->SndUna = Tcb->Iss; - Tcb->SndNxt = Tcb->Iss; - -@@ -82,6 +141,8 @@ TcpInitTcbLocal ( - Tcb->RetxmitSeqMax = 0; - - Tcb->ProbeTimerOn = FALSE; -+ -+ return EFI_SUCCESS; - } - - /** -@@ -506,18 +567,162 @@ TcpCloneTcb ( - } - - /** -- Compute an ISS to be used by a new connection. -- -- @return The resulting ISS. -+ Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local -+ and remote IP addresses and ports. 
-+ -+ This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1 -+ Where the ISN is computed as follows: -+ ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret) -+ -+ Otherwise: -+ ISN = M + F(localip, localport, remoteip, remoteport, secretkey) -+ -+ "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the -+ connection's identifying parameters ("localip, localport, remoteip, remoteport") -+ and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the -+ outside (MUST-9), or an attacker could still guess at sequence numbers from the -+ ISN used for some other connection. The PRF could be implemented as a -+ cryptographic hash of the concatenation of the TCP connection parameters and some -+ secret data. For discussion of the selection of a specific hash algorithm and -+ management of the secret key data." -+ -+ @param[in] LocalIp A pointer to the local IP address of the TCP connection. -+ @param[in] LocalIpSize The size, in bytes, of the LocalIp buffer. -+ @param[in] LocalPort The local port number of the TCP connection. -+ @param[in] RemoteIp A pointer to the remote IP address of the TCP connection. -+ @param[in] RemoteIpSize The size, in bytes, of the RemoteIp buffer. -+ @param[in] RemotePort The remote port number of the TCP connection. -+ @param[out] Isn A pointer to the variable that will receive the Initial -+ Sequence Number (ISN). -+ -+ @retval EFI_SUCCESS The operation completed successfully, and the ISN was -+ retrieved. -+ @retval EFI_INVALID_PARAMETER One or more of the input parameters are invalid. -+ @retval EFI_UNSUPPORTED The operation is not supported. 
- - **/ --TCP_SEQNO --TcpGetIss ( -- VOID -+EFI_STATUS -+TcpGetIsn ( -+ IN UINT8 *LocalIp, -+ IN UINTN LocalIpSize, -+ IN UINT16 LocalPort, -+ IN UINT8 *RemoteIp, -+ IN UINTN RemoteIpSize, -+ IN UINT16 RemotePort, -+ OUT TCP_SEQNO *Isn - ) - { -- mTcpGlobalIss += TCP_ISS_INCREMENT_1; -- return mTcpGlobalIss; -+ EFI_STATUS Status; -+ EFI_HASH2_PROTOCOL *Hash2Protocol; -+ EFI_HASH2_OUTPUT HashResult; -+ ISN_HASH_CTX IsnHashCtx; -+ EFI_TIME TimeStamp; -+ -+ // -+ // Check that the ISN pointer is valid -+ // -+ if (Isn == NULL) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // -+ // The local ip may be a v4 or v6 address and may not be NULL -+ // -+ if ((LocalIp == NULL) || (LocalIpSize == 0) || (RemoteIp == NULL) || (RemoteIpSize == 0)) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // -+ // the local ip may be a v4 or v6 address -+ // -+ if ((LocalIpSize != sizeof (EFI_IPv4_ADDRESS)) && (LocalIpSize != sizeof (EFI_IPv6_ADDRESS))) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // -+ // Locate the Hash Protocol -+ // -+ Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_NET, "Failed to locate Hash Protocol: %r\n", Status)); -+ -+ // -+ // TcpCreateService(..) 
is expected to be called prior to this function -+ // -+ ASSERT_EFI_ERROR (Status); -+ return Status; -+ } -+ -+ // -+ // Initialize the hash algorithm -+ // -+ Status = Hash2Protocol->HashInit (Hash2Protocol, &gEfiHashAlgorithmSha256Guid); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_NET, "Failed to initialize sha256 hash algorithm: %r\n", Status)); -+ return Status; -+ } -+ -+ IsnHashCtx.LocalPort = LocalPort; -+ IsnHashCtx.RemotePort = RemotePort; -+ IsnHashCtx.Secret = mTcpGlobalSecret; -+ -+ // -+ // Check the IP address family and copy accordingly -+ // -+ if (LocalIpSize == sizeof (EFI_IPv4_ADDRESS)) { -+ CopyMem (&IsnHashCtx.LocalAddress.IPv4, LocalIp, LocalIpSize); -+ } else if (LocalIpSize == sizeof (EFI_IPv6_ADDRESS)) { -+ CopyMem (&IsnHashCtx.LocalAddress.IPv6, LocalIp, LocalIpSize); -+ } else { -+ return EFI_INVALID_PARAMETER; // Unsupported address size -+ } -+ -+ // -+ // Repeat the process for the remote IP address -+ // -+ if (RemoteIpSize == sizeof (EFI_IPv4_ADDRESS)) { -+ CopyMem (&IsnHashCtx.RemoteAddress.IPv4, RemoteIp, RemoteIpSize); -+ } else if (RemoteIpSize == sizeof (EFI_IPv6_ADDRESS)) { -+ CopyMem (&IsnHashCtx.RemoteAddress.IPv6, RemoteIp, RemoteIpSize); -+ } else { -+ return EFI_INVALID_PARAMETER; // Unsupported address size -+ } -+ -+ // -+ // Compute the hash -+ // Update the hash with the data -+ // -+ Status = Hash2Protocol->HashUpdate (Hash2Protocol, (UINT8 *)&IsnHashCtx, sizeof (IsnHashCtx)); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_NET, "Failed to update hash: %r\n", Status)); -+ return Status; -+ } -+ -+ // -+ // Finalize the hash and retrieve the result -+ // -+ Status = Hash2Protocol->HashFinal (Hash2Protocol, &HashResult); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_NET, "Failed to finalize hash: %r\n", Status)); -+ return Status; -+ } -+ -+ Status = gRT->GetTime (&TimeStamp, NULL); -+ if (EFI_ERROR (Status)) { -+ return Status; -+ } -+ -+ // -+ // copy the first 4 bytes of the hash result into the ISN -+ // -+ CopyMem 
(Isn, HashResult.Md5Hash, sizeof (*Isn)); -+ -+ // -+ // now add the timestamp to the ISN as 4 microseconds units (1000 / 4 = 250) -+ // -+ *Isn += (TCP_SEQNO)TimeStamp.Nanosecond * 250; -+ -+ return Status; - } - - /** -@@ -721,17 +926,28 @@ TcpFormatNetbuf ( - @param[in, out] Tcb Pointer to the TCP_CB that wants to initiate a - connection. - -+ @retval EFI_SUCCESS The operation completed successfully -+ @retval others The underlying functions failed and could not complete the operation -+ - **/ --VOID -+EFI_STATUS - TcpOnAppConnect ( - IN OUT TCP_CB *Tcb - ) - { -- TcpInitTcbLocal (Tcb); -+ EFI_STATUS Status; -+ -+ Status = TcpInitTcbLocal (Tcb); -+ if (EFI_ERROR (Status)) { -+ return Status; -+ } -+ - TcpSetState (Tcb, TCP_SYN_SENT); - - TcpSetTimer (Tcb, TCP_TIMER_CONNECT, Tcb->ConnectTimeout); - TcpToSendData (Tcb, 1); -+ -+ return EFI_SUCCESS; - } - - /** -diff --git a/NetworkPkg/TcpDxe/TcpTimer.c b/NetworkPkg/TcpDxe/TcpTimer.c -index 5d2e124977..065b1bdf5f 100644 ---- a/NetworkPkg/TcpDxe/TcpTimer.c -+++ b/NetworkPkg/TcpDxe/TcpTimer.c -@@ -2,7 +2,7 @@ - TCP timer related functions. - - Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -483,7 +483,6 @@ TcpTickingDpc ( - INT16 Index; - - mTcpTick++; -- mTcpGlobalIss += TCP_ISS_INCREMENT_2; - - // - // Don't use LIST_FOR_EACH, which isn't delete safe. --- -2.40.0 - diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index bb345688ac..3c577e51a9 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb 
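Review bot: deleting this patch file puts kirkstone's ovmf back on the fixed ISS scheme (TCP_BASE_ISS, bumped by TCP_ISS_INCREMENT_1 per connection and TCP_ISS_INCREMENT_2 per timer tick, as the removed TcpMain.h, TcpMisc.c and TcpTimer.c hunks show), which is exactly the predictable initial sequence number behaviour CVE-2023-45236 describes; the commit message should say plainly that the CVE is unpatched again for this recipe and whether a standalone backport is planned, so the recipe's CVE status stays accurate. The dependency on the CVE-2023-45237 fix stated in the message is consistent with the removed TcpDriverEntryPoint hunk, which seeds mTcpGlobalSecret through PseudoRandomU32, and with the TcpDxe.inf Depex on gEfiHash2ServiceBindingProtocolGuid, so reverting only this patch and not the other would not have built.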
@@ -47,7 +47,6 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \ file://CVE-2023-45229-0002.patch \ file://CVE-2023-45229-0003.patch \ file://CVE-2023-45229-0004.patch \ - file://CVE-2023-45236.patch \ file://CVE-2022-36765-0001.patch \ file://CVE-2022-36765-0002.patch \ file://CVE-2022-36765-0003.patch \
From patchwork Tue Feb 25 14:29:46 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 57832
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 11/22] libxml2: fix compilation of explicit child axis in pattern
Date: Tue, 25 Feb 2025 06:29:46 -0800
Message-ID: <0dc99e25c16a1e74aa80ca20132609990bb9dff7.1740493685.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211895

From: Peter Marko

This was reported as a security fix in
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.10
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 ...x-compilation-of-explicit-child-axis.patch | 31 +++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/0001-pattern-Fix-compilation-of-explicit-child-axis.patch

diff --git a/meta/recipes-core/libxml/libxml2/0001-pattern-Fix-compilation-of-explicit-child-axis.patch b/meta/recipes-core/libxml/libxml2/0001-pattern-Fix-compilation-of-explicit-child-axis.patch new file mode 100644 index 0000000000..932c0ec422 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/0001-pattern-Fix-compilation-of-explicit-child-axis.patch
@@ -0,0 +1,31 @@ +From 503f788e84f1c1f1d769c2c7258d77faee94b5a3 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 13 Feb 2025 16:48:53 +0100 +Subject: [PATCH] pattern: Fix compilation of explicit child axis + +The child axis is the default axis and should generate XML_OP_ELEM like +the case without an axis. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/503f788e84f1c1f1d769c2c7258d77faee94b5a3] +Signed-off-by: Peter Marko +--- + pattern.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/pattern.c b/pattern.c +index 27e96946..3182794e 100644 +--- a/pattern.c ++++ b/pattern.c +@@ -1178,10 +1178,10 @@ xmlCompileStepPattern(xmlPatParserContextPtr ctxt) { + goto error; + } + } else { +- PUSH(XML_OP_CHILD, token, URL); ++ PUSH(XML_OP_ELEM, token, URL); + } + } else +- PUSH(XML_OP_CHILD, name, NULL); ++ PUSH(XML_OP_ELEM, name, NULL); + return; + } else if (xmlStrEqual(name, (const xmlChar *) "attribute")) { + XML_PAT_FREE_STRING(ctxt, name) diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index ecaae0b436..912bcfd0f3 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb 
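Review bot: the new patch header has Upstream-Status and Signed-off-by but no CVE: line, even though the cover message cites the upstream release notes that list this as a security fix; if an identifier exists or is assigned later, add a `CVE:` tag to the header so cve-check can credit the backport, and otherwise the commit message should state that none was assigned. On the change itself, both PUSH sites now emit XML_OP_ELEM for an explicit child axis, matching the no-axis case the description names; since the backport ships without a test, it is worth confirming that 2.9.14's pattern.c still has the same two PUSH(XML_OP_CHILD, ...) sites near line 1178 so the hunk applies without fuzz.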
@@ -34,6 +34,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt file://CVE-2024-25062.patch \ file://CVE-2024-34459.patch \ file://CVE-2022-49043.patch \ + file://0001-pattern-Fix-compilation-of-explicit-child-axis.patch \ " SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee" From patchwork Tue Feb 25 14:29:47 2025 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 57834
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 12/22] libxml2: patch CVE-2024-56171 Date: Tue, 25 Feb 2025 06:29:47 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 25 Feb 2025 14:30:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211897 From: Peter Marko Pick commit from 2.12 branch. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../libxml/libxml2/CVE-2024-56171.patch | 42 +++++++++++++++++++ meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 + 2 files changed, 43 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2024-56171.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2024-56171.patch b/meta/recipes-core/libxml/libxml2/CVE-2024-56171.patch new file mode 100644 index 0000000000..6c7b1c11e7 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2024-56171.patch 
@@ -0,0 +1,42 @@ +From 245b70d7d2768572ae1b05b3668ca858b9ec4ed4 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 10 Dec 2024 16:52:05 +0100 +Subject: [PATCH] [CVE-2024-56171] Fix use-after-free after + xmlSchemaItemListAdd + +xmlSchemaItemListAdd can reallocate the items array. Update local +variables after adding item in + +- xmlSchemaIDCFillNodeTables +- xmlSchemaBubbleIDCNodeTables + +Fixes #828. + +CVE: CVE-2024-56171 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/245b70d7d2768572ae1b05b3668ca858b9ec4ed4] +Signed-off-by: Peter Marko +--- + xmlschemas.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/xmlschemas.c b/xmlschemas.c +index a089ebc5..18e35e75 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -23647,6 +23647,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt, + } + if (xmlSchemaItemListAdd(bind->dupls, bind->nodeTable[j]) == -1) + goto internal_error; ++ dupls = (xmlSchemaPSVIIDCNodePtr *) bind->dupls->items; + /* + * Remove the duplicate entry from the IDC node-table. + */ +@@ -23863,6 +23864,8 @@ xmlSchemaBubbleIDCNodeTables(xmlSchemaValidCtxtPtr vctxt) + goto internal_error; + } + xmlSchemaItemListAdd(parBind->dupls, parNode); ++ dupls = (xmlSchemaPSVIIDCNodePtr *) ++ parBind->dupls->items; + } else { + /* + * Add the node-table entry (node and key-sequence) of diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index 912bcfd0f3..e9578ceb59 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb 
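Review bot: in the second hunk (xmlSchemaBubbleIDCNodeTables) the return value of `xmlSchemaItemListAdd(parBind->dupls, parNode);` is still not checked, whereas the first hunk's call is guarded by `== -1) goto internal_error;`. The added refresh `dupls = (xmlSchemaPSVIIDCNodePtr *) parBind->dupls->items;` is correct either way because it re-reads whatever items array is current, but on allocation failure the loop carries on with a node that was never added; that is pre-existing upstream behaviour rather than something this backport introduces, so it is fine to take as-is and worth a follow-up note. The fix itself has the right shape for the use-after-free described in the message: the local `dupls` cached before the add can point into a freed array once xmlSchemaItemListAdd reallocates `items`, and re-reading it immediately after each add in both functions removes the stale pointer.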
@@ -35,6 +35,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt file://CVE-2024-34459.patch \ file://CVE-2022-49043.patch \ file://0001-pattern-Fix-compilation-of-explicit-child-axis.patch \ + file://CVE-2024-56171.patch \ " SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee" From patchwork Tue Feb 25 14:29:48 2025 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 57835
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 13/22] libxml2: patch CVE-2025-24928 Date: Tue, 25 Feb 2025 06:29:48 -0800 Message-ID: <3ccd936adb928612c9721768708534350aeee351.1740493685.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 25 Feb 2025 14:30:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211898 From: Peter Marko Pick commit from 2.12 branch. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../libxml/libxml2/CVE-2025-24928.patch | 58 +++++++++++++++++++ meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 + 2 files changed, 59 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-24928.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-24928.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-24928.patch new file mode 100644 index 0000000000..6da43f81a5 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2025-24928.patch
@@ -0,0 +1,58 @@ +From 858ca26c0689161a6b903a6682cc8a1cc10a0ea8 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 11 Feb 2025 17:30:40 +0100 +Subject: [PATCH] [CVE-2025-24928] Fix stack-buffer-overflow in + xmlSnprintfElements + +Fixes #847. + +CVE: CVE-2025-24928 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/858ca26c0689161a6b903a6682cc8a1cc10a0ea8] +Signed-off-by: Peter Marko +--- + valid.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/valid.c b/valid.c +index ed3c8503..36a0435b 100644 +--- a/valid.c ++++ b/valid.c +@@ -5259,25 +5259,26 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) { + return; + } + switch (cur->type) { +- case XML_ELEMENT_NODE: ++ case XML_ELEMENT_NODE: { ++ int qnameLen = xmlStrlen(cur->name); ++ ++ if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) ++ qnameLen += xmlStrlen(cur->ns->prefix) + 1; ++ if (size - len < qnameLen + 10) { ++ if ((size - len > 4) && (buf[len - 1] != '.')) ++ strcat(buf, " ..."); ++ return; ++ } + if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) { +- if (size - len < xmlStrlen(cur->ns->prefix) + 10) { +- if ((size - len > 4) && (buf[len - 1] != '.')) +- strcat(buf, " ..."); +- return; +- } + strcat(buf, (char *) cur->ns->prefix); + strcat(buf, ":"); + } +- if (size - len < xmlStrlen(cur->name) + 10) { +- if ((size - len > 4) && (buf[len - 1] != '.')) +- strcat(buf, " ..."); +- return; +- } +- strcat(buf, (char *) cur->name); ++ if (cur->name != NULL) ++ strcat(buf, (char *) cur->name); + if (cur->next != NULL) + strcat(buf, " "); + break; ++ } + case XML_TEXT_NODE: + if (xmlIsBlankNode(cur)) + break; diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index e9578ceb59..8f1d882505 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb 
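Review bot: the `+ 10` slack in `if (size - len < qnameLen + 10)` is unexplained in the hunk; a one-line comment stating what it reserves (the separating space, the " ..." marker and the terminating NUL) would help, because the safety of the function now rests on this single combined check of prefix + ':' + name rather than on the two separate checks it replaces, each of which compared only one component against a `len` that was not refreshed between the two strcat calls, which is how the prefix bytes could push the name past the end of `buf`. The new `if (cur->name != NULL)` guard also sits after `xmlStrlen(cur->name)` has already been evaluated in the qnameLen computation; that is safe only because xmlStrlen returns 0 for a NULL argument, and a short comment saying so would stop a future reader from "fixing" the order. Neither point blocks taking the upstream commit verbatim for kirkstone.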
@@ -36,6 +36,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt file://CVE-2022-49043.patch \ file://0001-pattern-Fix-compilation-of-explicit-child-axis.patch \ file://CVE-2024-56171.patch \ + file://CVE-2025-24928.patch \ " SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee" From patchwork Tue Feb 25 14:29:49 2025 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 57831
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 14/22] libcap: fix CVE-2025-1390 Date: Tue, 25 Feb 2025 06:29:49 -0800 Message-ID: <142715b83fb2c5f4dfeeab2c6e7feccecd1ca46f.1740493685.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 25 Feb 2025 14:30:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211899 From: Hitendra Prajapati Upstream-Status: Backport from https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878 Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- .../libcap/files/CVE-2025-1390.patch | 36 +++++++++++++++++++ meta/recipes-support/libcap/libcap_2.66.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-support/libcap/files/CVE-2025-1390.patch diff --git a/meta/recipes-support/libcap/files/CVE-2025-1390.patch b/meta/recipes-support/libcap/files/CVE-2025-1390.patch new file mode 100644 index 0000000000..339feaba92 --- /dev/null +++ b/meta/recipes-support/libcap/files/CVE-2025-1390.patch 
@@ -0,0 +1,36 @@ +From 1ad42b66c3567481cc5fa22fc1ba1556a316d878 Mon Sep 17 00:00:00 2001 +From: Tianjia Zhang +Date: Mon, 17 Feb 2025 10:31:55 +0800 +Subject: pam_cap: Fix potential configuration parsing error + +The current configuration parsing does not actually skip user names +that do not start with @, but instead treats the name as a group +name for further parsing, which can result in matching unexpected +capability sets and may trigger potential security issues. Only +names starting with @ should be parsed as group names. + +Signed-off-by: Tianjia Zhang +Signed-off-by: Andrew G. Morgan + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878] +CVE: CVE-2025-1390 +Signed-off-by: Hitendra Prajapati +--- + pam_cap/pam_cap.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c +index 7e8cade..7b3d2d1 100644 +--- a/pam_cap/pam_cap.c ++++ b/pam_cap/pam_cap.c +@@ -143,6 +143,7 @@ static char *read_capabilities_for_user(const char *user, const char *source) + + if (line[0] != '@') { + D(("user [%s] is not [%s] - skipping", user, line)); ++ continue; + } + + int i; +-- +2.25.1 + diff --git a/meta/recipes-support/libcap/libcap_2.66.bb b/meta/recipes-support/libcap/libcap_2.66.bb index 7534063b7d..42dacb301e 100644 --- a/meta/recipes-support/libcap/libcap_2.66.bb +++ b/meta/recipes-support/libcap/libcap_2.66.bb 
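Review bot: the added `continue;` makes the code do what the debug message already claimed (`"user [%s] is not [%s] - skipping"`), so the fix is the right one; the review question is the enclosing control flow, which the three context lines do not show: `continue` must be inside the per-line loop of read_capabilities_for_user, and the exact user-name comparison must happen before this `line[0] != '@'` test, otherwise plain user-name lines would now be skipped instead of matched. Both are presumably true since this is the upstream commit, but please confirm against the 2.66 copy of pam_cap/pam_cap.c when applying, and a few more lines of context in the backport would have made that visible without opening the file.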
@@ -18,6 +18,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/libs/security/linux-privs/${BPN}2/${BPN}-${ file://0002-tests-do-not-run-target-executables.patch \ file://CVE-2023-2602.patch \ file://CVE-2023-2603.patch \ + file://CVE-2025-1390.patch \ " SRC_URI:append:class-nativesdk = " \ file://0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch \ From patchwork Tue Feb 25 14:29:50 2025 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 57833
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 15/22] ffmpeg: ignore 5 CVEs Date: Tue, 25 Feb 2025 06:29:50 -0800 Message-ID: <220a05e27913bf838881c3f22a17d0409c5154a9.1740493685.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 25 Feb 2025 14:30:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211900 From: Peter Marko There is no release which is vulnerable to these CVEs. These vulnerabilities are in new features being developed and were fixed before release. NVD most likely does not accept CVE rejection from a non-maintainer and non-reporter, so ignoring this CVE should be an acceptable solution. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index b5b11496f4..bded23bc35 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -57,6 +57,24 @@ SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a # https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-39018 CVE_CHECK_IGNORE += "CVE-2023-39018" +# There is no release which is vulnerable to these CVEs +# These vulnerabilities are in new features being developed and fixed before releasing them +# feature (jpeg xl): https://github.com/FFmpeg/FFmpeg/commit/0c0dd23fe1102313742092c4760596971755814e +# bugfix: https://github.com/FFmpeg/FFmpeg/commit/bf814387f42e9b0dea9d75c03db4723c88e7d962 +CVE_CHECK_IGNORE += "CVE-2023-46407" +# feature (evc parser): https://github.com/FFmpeg/FFmpeg/commit/34e4f18360c4ecb8e5979cab8f389478d8cd7819 +# bugfix: https://github.com/FFmpeg/FFmpeg/commit/4565747056a11356210ed8edcecb920105e40b60 +CVE_CHECK_IGNORE += "CVE-2023-47470" +# feature (jpeg xl): https://github.com/FFmpeg/FFmpeg/commit/0c0dd23fe1102313742092c4760596971755814e +# bugfix: https://github.com/FFmpeg/FFmpeg/commit/d2e8974699a9e35cc1a926bf74a972300d629cd5 +CVE_CHECK_IGNORE += "CVE-2024-22860" +# feature (oqs audio decoder): https://github.com/FFmpeg/FFmpeg/commit/7ef9d31071021c05e6b792af3f25b7b9ceaa9258 +# bugfix: https://github.com/FFmpeg/FFmpeg/commit/87b8c1081959e45ffdcbabb3d53ac9882ef2b5ce +CVE_CHECK_IGNORE += "CVE-2024-22861" +# feature (jpeg xl): https://github.com/FFmpeg/FFmpeg/commit/0c0dd23fe1102313742092c4760596971755814e +# bugfix: https://github.com/FFmpeg/FFmpeg/commit/ca09d8a0dcd82e3128e62463231296aaf63ae6f7 +CVE_CHECK_IGNORE += "CVE-2024-22862" + # Build fails when thumb is enabled: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717 ARM_INSTRUCTION_SET:armv4 = "arm" ARM_INSTRUCTION_SET:armv5 = "arm"
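Review bot: each ignore cites the commit that introduced the affected feature and the commit that fixed it, which is the right evidence for a "no shipped release is vulnerable" claim, but none of the comments names the first ffmpeg release that carried the feature already fixed, so whoever bumps this recipe later cannot tell from the file when these five entries become redundant; please add that release (where known) to the per-CVE comment, or at least to the shared header line `# There is no release which is vulnerable to these CVEs`. Style-wise the three jpeg xl entries repeat the same feature commit URL; grouping them under one feature comment with three bugfix lines would shorten the block without losing traceability. Using `CVE_CHECK_IGNORE +=` is consistent with the existing `CVE-2023-39018` entry just above on this branch.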
From patchwork Tue Feb 25 14:29:51 2025 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 57836 From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 16/22] ffmpeg: ignore CVE-2024-7272 Date: Tue, 25 Feb 2025 06:29:51 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 25 Feb 2025 14:30:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211901 From: Peter Marko This vulnerability was introduced in 5.1, so 5.0.1 is not affected. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index bded23bc35..900545a5f0 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb 
@@ -75,6 +75,11 @@ CVE_CHECK_IGNORE += "CVE-2024-22861" # bugfix: https://github.com/FFmpeg/FFmpeg/commit/ca09d8a0dcd82e3128e62463231296aaf63ae6f7 CVE_CHECK_IGNORE += "CVE-2024-22862" +# This vulnerability was introduced in 5.1 and fixed in 5.2 (backported also to 5.1.6), so 5.0.x is not affected +# introduced: https://github.com/FFmpeg/FFmpeg/commit/8a5896ec1f635ccf0d726f7ba7a06649ebeebf25 +# bugfix: https://github.com/FFmpeg/FFmpeg/commit/9903ba28c28ab18dc7b7b6fb8571cc8b5caae1a6 +CVE_CHECK_IGNORE += "CVE-2024-7272" + # Build fails when thumb is enabled: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717 ARM_INSTRUCTION_SET:armv4 = "arm" ARM_INSTRUCTION_SET:armv5 = "arm" From patchwork Tue Feb 25 14:29:52 2025 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 57839
From patchwork Tue Feb 25 14:29:52 2025
X-Patchwork-Id: 57839
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 17/22] gstreamer1.0-rtsp-server: fix CVE-2024-44331
Date: Tue, 25 Feb 2025 06:29:52 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211902

From: Archana Polampalli

Incorrect Access Control in GStreamer RTSP server 1.25.0 in gst-rtsp-server/rtsp-media.c allows remote attackers to cause a denial of service via a series of specially crafted hexstream requests.

Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
 .../CVE-2024-44331.patch                   | 44 +++++++++++++++++++
 .../gstreamer1.0-rtsp-server_1.20.7.bb     |  4 +-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server/CVE-2024-44331.patch

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server/CVE-2024-44331.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server/CVE-2024-44331.patch
new file mode 100644
index 0000000000..e78fef7b93
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server/CVE-2024-44331.patch
@@ -0,0 +1,44 @@
+From aa3e97d67c05d4648ea58c7ff7675e24a81ca72b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Thu, 24 Oct 2024 20:12:55 +0300
+Subject: [PATCH] rtsp-server: Remove pointless assertions that can happen if
+ client provides invalid rates
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3731
+Fixes CVE-2024-44331
+
+Part-of:
+
+CVE: CVE-2024-44331
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/aa3e97d67c05d4648ea58c7ff7675e24a81ca72b]
+
+Signed-off-by: Archana Polampalli
+---
+ gst/rtsp-server/rtsp-media.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/gst/rtsp-server/rtsp-media.c b/gst/rtsp-server/rtsp-media.c
+index 88bf7a7..e482b44 100644
+--- a/gst/rtsp-server/rtsp-media.c
++++ b/gst/rtsp-server/rtsp-media.c
+@@ -2737,15 +2737,13 @@ gst_rtsp_media_get_rates (GstRTSPMedia * media, gdouble * rate,
+ first_stream = FALSE;
+ } else {
+ if (save_rate != *rate || save_applied_rate != *applied_rate) {
+- /* diffrent rate or applied_rate, weird */
+- g_assert (FALSE);
++ /* different rate or applied_rate, weird */
+ result = FALSE;
+ break;
+ }
+ }
+ } else {
+- /* complete stream withot rate and applied_rate, weird */
+- g_assert (FALSE);
++ /* complete stream without rate and applied_rate, weird */
+ result = FALSE;
+ break;
+ }
+--
+2.40.0
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.20.7.bb
index 2901be69d2..a7d17e3b1e 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.20.7.bb
@@ -8,7 +8,9 @@ DEPENDS = "gstreamer1.0 gstreamer1.0-plugins-base"
 
 PNREAL = "gst-rtsp-server"
 
-SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz"
+SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz \
+ file://CVE-2024-44331.patch \
+ "
 
 SRC_URI[sha256sum] = "2c8f46aa9df2245e5b39a2082be8e9d3edc0f61bc34f667803d7a21da1b51987"
 

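Review bot: in the gst_rtsp_media_get_rates hunk of CVE-2024-44331.patch, dropping the two `g_assert (FALSE)` calls is the entire fix, and it is sound because both branches already set `result = FALSE` and `break`, so a client that sends mismatched or missing rate/applied_rate values now reaches the existing failure path instead of aborting the server process; the commit message's "Incorrect Access Control" sentence is the CVE database text, not a description of this change, so add one line saying the fix turns an assertion abort triggered by client-controlled rate values into a normal FALSE return, and note that builds with G_DISABLE_ASSERT were never crashing here, which is why the comment-only `+` lines are the correct shape for the backport. The hunk applies to 1.20.7 with the same context as upstream, so no adaptation was needed; say so in the message.
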
From patchwork Tue Feb 25 14:29:53 2025
X-Patchwork-Id: 57842
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 18/22] ffmpeg: fix CVE-2024-36618
Date: Tue, 25 Feb 2025 06:29:53 -0800
Message-ID: <46680bed23ef6f529c7e554b5611a7c098fce8a9.1740493685.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211903

From: Archana Polampalli

FFmpeg n6.1.1 has a vulnerability in the AVI demuxer of the libavformat library which allows for an integer overflow, potentially resulting in a denial-of-service (DoS) condition.

Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
 .../ffmpeg/ffmpeg/CVE-2024-36618.patch        | 36 +++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb |  1 +
 2 files changed, 37 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch
new file mode 100644
index 0000000000..941b38260a
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch
@@ -0,0 +1,36 @@
+From 7a089ed8e049e3bfcb22de1250b86f2106060857 Mon Sep 17 00:00:00 2001
+From: Andreas Rheinhardt
+Date: Tue, 12 Mar 2024 23:23:17 +0100
+Subject: [PATCH] avformat/avidec: Fix integer overflow iff ULONG_MAX <
+ INT64_MAX
+
+Affects many FATE-tests, see
+https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu
+
+Reviewed-by: James Almer
+Signed-off-by: Andreas Rheinhardt
+
+CVE: CVE-2024-36618
+
+Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/7a089ed8e049e3bfcb22de1250b86f2106060857]
+
+Signed-off-by: Archana Polampalli
+---
+ libavformat/avidec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavformat/avidec.c b/libavformat/avidec.c
+index 8584b4a..b0fe7df 100644
+--- a/libavformat/avidec.c
++++ b/libavformat/avidec.c
+@@ -1682,7 +1682,7 @@ static int check_stream_max_drift(AVFormatContext *s)
+ int *idx = av_calloc(s->nb_streams, sizeof(*idx));
+ if (!idx)
+ return AVERROR(ENOMEM);
+- for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1LU) {
++ for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1ULL) {
+ int64_t max_dts = INT64_MIN / 2;
+ int64_t min_dts = INT64_MAX / 2;
+ int64_t max_buffer = 0;
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index 900545a5f0..aa317513a1 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -47,6 +47,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
 file://CVE-2024-36613.patch \
 file://CVE-2024-36616.patch \
 file://CVE-2024-36617.patch \
+ file://CVE-2024-36618.patch \
 "
 
 SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"

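Review bot: the `1LU` to `1ULL` change in check_stream_max_drift only alters behaviour where `unsigned long` is 32 bits, exactly as the upstream subject ("Fix integer overflow iff ULONG_MAX < INT64_MAX") says, so on 64-bit targets this backport is a no-op and the machines it actually protects are the 32-bit ones; the commit message instead pastes the n6.1.1 advisory text, which tells a reader nothing about whether 5.0.1 is affected. The hunk context (`pos = min_pos + 1LU` at line 1682 with identical surrounding lines) shows the same loop exists in 5.0.1, so the message should state that, and that the overflow is in the `min_pos + 1` promotion to a 32-bit unsigned long, rather than leaving it to look like a blind backport.
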
From patchwork Tue Feb 25 14:29:54 2025
X-Patchwork-Id: 57838
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 19/22] ffmpeg: fix CVE-2024-28661
Date: Tue, 25 Feb 2025 06:29:54 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211904

From: Archana Polampalli

Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
 .../ffmpeg/ffmpeg/CVE-2024-28661.patch        | 40 +++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb |  1 +
 2 files changed, 41 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-28661.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-28661.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-28661.patch
new file mode 100644
index 0000000000..fd5009bccc
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-28661.patch
@@ -0,0 +1,40 @@
+From 66b50445cb36cf6adb49c2397362509aedb42c71 Mon Sep 17 00:00:00 2001
+From: James Almer
+Date: Fri, 16 Feb 2024 11:17:13 -0300
+Subject: [PATCH] avcodec/speexdec: check for sane frame_size values
+
+Regression since ab39cc36c72bb73318bb911acb66873de850a107.
+
+Fixes heap buffer overflows
+Fixes ticket #10866
+
+Reported-by: sploitem
+Reviewed-by: Michael Niedermayer
+Signed-off-by: James Almer
+
+CVE: CVE-2024-28661
+
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/66b50445cb36cf6adb49c2397362509aedb42c71]
+
+Signed-off-by: Archana Polampalli
+---
+ libavcodec/speexdec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c
+index ee95417..5b016df 100644
+--- a/libavcodec/speexdec.c
++++ b/libavcodec/speexdec.c
+@@ -1419,8 +1419,9 @@ static int parse_speex_extradata(AVCodecContext *avctx,
+ return AVERROR_INVALIDDATA;
+ s->bitrate = bytestream_get_le32(&buf);
+ s->frame_size = bytestream_get_le32(&buf);
+- if (s->frame_size < NB_FRAME_SIZE << s->mode)
++ if (s->frame_size < NB_FRAME_SIZE << (s->mode > 0))
+ return AVERROR_INVALIDDATA;
++ s->frame_size *= 1 + (s->mode > 0);
+ s->vbr = bytestream_get_le32(&buf);
+ s->frames_per_packet = bytestream_get_le32(&buf);
+ if (s->frames_per_packet <= 0 ||
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index aa317513a1..2048e51962 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -48,6 +48,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
 file://CVE-2024-36616.patch \
 file://CVE-2024-36617.patch \
 file://CVE-2024-36618.patch \
+ file://CVE-2024-28661.patch \
 "
 
 SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"

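Review bot: the commit message for this patch is empty apart from the sign-offs, unlike the other ffmpeg patches in the series; add the one-line summary (heap buffer overflow from an unchecked Speex `frame_size` read out of extradata, per the upstream subject and its "Fixes heap buffer overflows" line) so the CVE can be matched to the fix without opening the patch file. In the speexdec hunk itself, the new `s->frame_size *= 1 + (s->mode > 0);` has no upper bound: only the lower bound `NB_FRAME_SIZE << (s->mode > 0)` is checked, so a large 32-bit value from the extradata can still overflow when doubled. The next patch in this series (CVE-2024-35369) adds the `INT32_MAX >> (s->mode > 0)` upper bound and replaces the multiply with a shift, so the two must land together and in this order; say so in the message.
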
From patchwork Tue Feb 25 14:29:55 2025
X-Patchwork-Id: 57843
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 20/22] ffmpeg: fix CVE-2024-35369
Date: Tue, 25 Feb 2025 06:29:55 -0800
Message-ID: <3efef582892a5a9286041837098b80aa59d1b688.1740493685.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211905

From: Archana Polampalli

In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module, a potential security vulnerability exists due to insufficient validation of certain parameters when parsing Speex codec extradata. This vulnerability could lead to integer overflow conditions, potentially resulting in undefined behavior or crashes during the decoding process.

Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
 .../ffmpeg/ffmpeg/CVE-2024-35369.patch        | 38 +++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch
new file mode 100644
index 0000000000..b408ee2edc
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch
@@ -0,0 +1,38 @@
+From 0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c Mon Sep 17 00:00:00 2001
+From: James Almer
+Date: Sat, 17 Feb 2024 09:45:57 -0300
+Subject: [PATCH] avcodec/speexdec: further check for sane frame_size
+ values
+
+Prevent potential integer overflows.
+
+Signed-off-by: James Almer
+
+CVE: CVE-2024-35369
+
+Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c]
+
+Signed-off-by: Archana Polampalli
+---
+ libavcodec/speexdec.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c
+index 5b016df..f1f739a 100644
+--- a/libavcodec/speexdec.c
++++ b/libavcodec/speexdec.c
+@@ -1419,9 +1419,10 @@ static int parse_speex_extradata(AVCodecContext *avctx,
+ return AVERROR_INVALIDDATA;
+ s->bitrate = bytestream_get_le32(&buf);
+ s->frame_size = bytestream_get_le32(&buf);
+- if (s->frame_size < NB_FRAME_SIZE << (s->mode > 0))
++ if (s->frame_size < NB_FRAME_SIZE << (s->mode > 0) ||
++ s->frame_size > INT32_MAX >> (s->mode > 0))
+ return AVERROR_INVALIDDATA;
+- s->frame_size *= 1 + (s->mode > 0);
++ s->frame_size <<= (s->mode > 0);
+ s->vbr = bytestream_get_le32(&buf);
+ s->frames_per_packet = bytestream_get_le32(&buf);
+ if (s->frames_per_packet <= 0 ||
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index 2048e51962..2173105fd3 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -49,6 +49,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
 file://CVE-2024-36617.patch \
 file://CVE-2024-36618.patch \
 file://CVE-2024-28661.patch \
+ file://CVE-2024-35369.patch \
 "
 
 SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"

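Review bot: the `-` lines of this speexdec hunk are exactly the `+` lines introduced by CVE-2024-28661.patch (`NB_FRAME_SIZE << (s->mode > 0)` and `s->frame_size *= 1 + (s->mode > 0)`), so the patch applies only with that one already in place; the SRC_URI hunk lists CVE-2024-28661.patch before CVE-2024-35369.patch, which is what makes do_patch succeed, and the dependency should be stated in the commit message so that dropping or reordering either patch later is caught in review rather than at build time. The added bound `s->frame_size > INT32_MAX >> (s->mode > 0)` together with the existing lower bound keeps the subsequent `s->frame_size <<= (s->mode > 0)` inside `int32_t` range, which is the overflow the message describes; the message could say that in one line instead of the generic advisory text.
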
From patchwork Tue Feb 25 14:29:56 2025
X-Patchwork-Id: 57841
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 21/22] ffmpeg: fix CVE-2025-25473
Date: Tue, 25 Feb 2025 06:29:56 -0800
Message-ID: <599ee3f195bc66d57797c121fa0b73a901d6edfa.1740493685.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211906

From: Archana Polampalli

FFmpeg git master before commit c08d30 was discovered to contain a NULL pointer dereference via the component libavformat/mov.c.

Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
 .../ffmpeg/ffmpeg/CVE-2025-25473.patch        | 36 +++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb |  1 +
 2 files changed, 37 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25473.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25473.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25473.patch
new file mode 100644
index 0000000000..c9527751b5
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25473.patch
@@ -0,0 +1,36 @@
+From c08d300481b8ebb846cd43a473988fdbc6793d1b Mon Sep 17 00:00:00 2001
+From: James Almer
+Date: Fri, 17 Jan 2025 00:05:31 -0300
+Subject: [PATCH] avformat/avformat: also clear FFFormatContext packet queue
+ when closing a muxer
+
+packet_buffer is used in mux.c, and if a muxing process fails at a point where
+packets remained in said queue, they will leak.
+
+Fixes ticket #11419
+
+Signed-off-by: James Almer
+
+CVE: CVE-2025-25473
+
+Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/c08d300481b8ebb846cd43a473988fdbc6793d1b]
+
+Signed-off-by: Archana Polampalli
+---
+ libavformat/utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libavformat/utils.c b/libavformat/utils.c
+index cee86ae..fe458dd 100644
+--- a/libavformat/utils.c
++++ b/libavformat/utils.c
+@@ -724,6 +724,7 @@ void avformat_free_context(AVFormatContext *s)
+ av_dict_free(&si->id3v2_meta);
+ av_packet_free(&si->pkt);
+ av_packet_free(&si->parse_pkt);
++ avpriv_packet_list_free(&si->packet_buffer);
+ av_freep(&s->streams);
+ ff_flush_packet_queue(s);
+ av_freep(&s->url);
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index 2173105fd3..4b99c0fa21 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -50,6 +50,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
 file://CVE-2024-36618.patch \
 file://CVE-2024-28661.patch \
 file://CVE-2024-35369.patch \
+ file://CVE-2025-25473.patch \
 "
 
 SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"

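Review bot: the commit message ("NULL pointer dereference via the component libavformat/mov.c") does not describe this hunk, which adds a free of `si->packet_buffer` to `avformat_free_context` in libavformat/utils.c to stop a packet leak when a muxer fails, per the upstream subject and "Fixes ticket #11419"; either the wrong advisory text was pasted or the CVE entry itself is off, and the message should say which. Two checks before merging: the added `avpriv_packet_list_free(&si->packet_buffer);` sits two lines above the existing `ff_flush_packet_queue(s);` call, whose job is to drain the packet queues, so confirm on 5.0.1 that the new line is neither a double free nor a no-op; and confirm that 5.0.1's `avpriv_packet_list_free` really takes the single `&si->packet_buffer` argument the upstream (January 2025 git master) call uses, because a signature mismatch fails at compile time, not at do_patch, and the upstream context lines happening to match does not prove the API does.
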
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 22/22] vim: Upgrade 9.1.0764 -> 9.1.1043 Date: Tue, 25 Feb 2025 06:29:57 -0800 Message-ID: <73b5570a16708d1e749b1ec525299d10557cbf56.1740493685.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211907 From: Divya Chellam This includes CVE-fix for CVE-2025-22134 and CVE-2025-24014 Changes between 9.1.0764 -> 9.1.1043 ==================================== https://github.com/vim/vim/compare/v9.1.0764...v9.1.1043 Signed-off-by: Divya Chellam Signed-off-by: Steve Sakoman --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 582eddcb9d..4ac9c58c80 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -18,8 +18,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://no-path-adjust.patch \ " -PV .= ".0764" -SRCREV = "51b62387be93c65fa56bbabe1c3c1ea5df187641" +PV .= ".1043" +SRCREV = "9d1bed5eccdbb46a26b8a484f5e9163c40e63919" # Do not consider .z in x.y.z, as that is updated with every commit UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0"
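Review bot: the commit message names CVE-2025-22134 and CVE-2025-24014, but nothing in the vim.inc hunk ties them to the new revision; the `PV .= ".1043"` / `SRCREV = "9d1bed5eccdbb46a26b8a484f5e9163c40e63919"` pair is only checkable against the compare link in the message. Suggest stating in the message which upstream vim patch level fixes each CVE so the CVE check data can be correlated with this bump, and confirming that the SRCREV is the commit tagged v9.1.1043, since `UPSTREAM_CHECK_GITTAGREGEX` only validates x.y and will not catch a mismatch in the .z component that PV carries.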
