fix CVE-2022-30767
parent
9677e4ac24
commit
b133219584
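--- a/backport-CVE-2022-30767.patch
+++ b/backport-CVE-2022-30767.patch
@@ -0,0 +1,44 @@
+From bdbf7a05e26f3c5fd437c99e2755ffde186ddc80 Mon Sep 17 00:00:00 2001
+From: Andrea zi0Black Cappa <zi0Black@protonmail.com>
+Date: Wed, 18 May 2022 16:30:08 +0000
+Subject: [PATCH] net: nfs: Fix CVE-2022-30767 (old CVE-2019-14196)
+
+This patch mitigates the vulnerability identified via CVE-2019-14196.
+
+The previous patch was bypassed/ineffective, and now the vulnerability
+is identified via CVE-2022-30767. The patch removes the sanity check
+introduced to mitigate CVE-2019-14196 since it's ineffective.
+filefh3_length is changed to unsigned type integer, preventing negative
+numbers from being used during comparison with positive values during
+size sanity checks.
+
+Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com>
+---
+net/nfs.c | 4 +---
+1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/net/nfs.c b/net/nfs.c
+index 3c01cebd96..9152ab742e 100644
+--- a/net/nfs.c
++++ b/net/nfs.c
+@@ -52,7 +52,7 @@ static const ulong nfs_timeout = CONFIG_NFS_TIMEOUT;
+
+static char dirfh[NFS_FHSIZE]; /* NFSv2 / NFSv3 file handle of directory */
+static char filefh[NFS3_FHSIZE]; /* NFSv2 / NFSv3 file handle */
+-static int filefh3_length; /* (variable) length of filefh when NFSv3 */
++static unsigned int filefh3_length; /* (variable) length of filefh when NFSv3 */
+
+static enum net_loop_state nfs_download_state;
+static struct in_addr nfs_server_ip;
+@@ -573,8 +573,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
+filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
+if (filefh3_length > NFS3_FHSIZE)
+filefh3_length = NFS3_FHSIZE;
+- if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len)
+- return -NFS_RPC_DROP;
+memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
+}
+
+--
+GitLab
+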
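Review bot: After the second inner hunk (`@@ -573,8 +573,6 @@` in nfs_lookup_reply), nothing visible compares `filefh3_length` with the received `len` any more, so a reply shorter than the handle it announces still reaches `memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length)`. The unsigned type makes the clamp to `NFS3_FHSIZE` hold, which bounds the write into `filefh`, but the copy can then presumably take bytes of `rpc_pkt` that the packet never filled. Now that the operand is unsigned, a corrected length check could stay in front of the memcpy, for example `if ((uchar *)&rpc_pkt.u.reply.data[2] - (uchar *)&rpc_pkt + filefh3_length > len) return -NFS_RPC_DROP;`. The body of nfs_lookup_reply starts and ends outside the hunk, so whether `len` is validated earlier needs confirming against the full function.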
@ -3,7 +3,7 @@
|
||||
|
||||
Name: uboot-tools
|
||||
Version: 2021.10
|
||||
Release: 6
|
||||
Release: 7
|
||||
Summary: tools for U-Boot
|
||||
License: GPL-2.0-or-later and Public Domain and GPL-2.0-only
|
||||
URL: http://www.denx.de/wiki/U-Boot
|
||||
@ -21,6 +21,7 @@ Patch6001: backport-AllWinner-PineTab.patch
|
||||
Patch6002: backport-rpi-Enable-using-the-DT-provided-by-the-Raspberry-Pi.patch
|
||||
Patch6003: backport-CVE-2022-34835.patch
|
||||
Patch6004: backport-CVE-2022-33967.patch
|
||||
Patch6005: backport-CVE-2022-30767.patch
|
||||
|
||||
BuildRequires: bc dtc gcc make flex bison git-core openssl-devel
|
||||
BuildRequires: python3-unversioned-command python3-devel python3-setuptools
|
||||
@ -244,6 +245,9 @@ cp -p board/warp7/README builds/docs/README.warp7
|
||||
%{_mandir}/man1/mkimage.1*
|
||||
|
||||
%changelog
|
||||
* Wed Sep 28 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 2021.10-7
|
||||
- fix CVE-2022-30767
|
||||
|
||||
* Wed Jul 20 2022 cenhuilin <cenhuilin@kylinos.cn> - 2021.10-6
|
||||
- fix CVE-2022-33967
|
||||
|
||||
|
||||