* [U-Boot] [PATCH 1/5] CVE: net: fix unbounded memcpy of UDP packet
@ 2019-08-21 14:48 Cheng Liu
  2019-08-21 14:48 ` [U-Boot] [PATCH 2/5] CVE: nfs: fix stack-based buffer overflow in some nfs_handler reply helper functions Cheng Liu
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: Cheng Liu @ 2019-08-21 14:48 UTC (permalink / raw)
  To: u-boot

CVE: net: fix unbounded memcpy of UDP packet

This patch adds a check to udp_len to fix unbounded memcpy for
CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199.

Signed-off-by: Cheng Liu <liucheng32@huawei.com>
---
 net/net.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/net.c b/net/net.c
index 40511db..68f9693 100644
--- a/net/net.c
+++ b/net/net.c
@@ -1253,6 +1253,9 @@ void net_process_received_packet(uchar *in_packet, int len)
 			return;
 		}
 
+		if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > ntohs(ip->ip_len))
+			return;
+
 		debug_cond(DEBUG_DEV_PKT,
 			   "received UDP (to=%pI4, from=%pI4, len=%d)\n",
 			   &dst_ip, &src_ip, len);
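Review bot: the upper bound in `+ if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > ntohs(ip->ip_len))` is loose: ip_len is the IP total length and includes the IP header, so a udp_len anywhere up to ip_len passes even though the UDP datagram can occupy at most ip_len minus the IP header length. Compare against `ntohs(ip->ip_len) - IP_HDR_SIZE` instead (and confirm that ip_len itself has already been checked against the received `len` earlier in this function, otherwise both bounds are attacker-controlled). Two style nits on the same line: `ntohs(ip->udp_len)` is evaluated twice and the line runs well past 80 columns; a local `u16 udp_len = ntohs(ip->udp_len);` before the test fixes both.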
-- 
1.8.5.6


* [U-Boot] [PATCH 2/5] CVE: nfs: fix stack-based buffer overflow in some nfs_handler reply helper functions
  2019-08-21 14:48 [U-Boot] [PATCH 1/5] CVE: net: fix unbounded memcpy of UDP packet Cheng Liu
@ 2019-08-21 14:48 ` Cheng Liu
  2019-08-21 14:48 ` [U-Boot] [PATCH 3/5] CVE-2019-14194/CVE-2019-14198: nfs: fix unbounded memcpy with a failed length check at nfs_read_reply Cheng Liu
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Cheng Liu @ 2019-08-21 14:48 UTC (permalink / raw)
  To: u-boot

CVE: nfs: fix stack-based buffer overflow in some nfs_handler reply helper functions

This patch adds a check to nfs_handler to fix buffer overflow for CVE-2019-14197,
CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203 and CVE-2019-14204.

Signed-off-by: Cheng Liu <liucheng32@huawei.com>
---
 net/nfs.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/nfs.c b/net/nfs.c
index d6a7f8e..b7cf3b3 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -732,6 +732,9 @@ static void nfs_handler(uchar *pkt, unsigned dest, struct in_addr sip,
 
 	debug("%s\n", __func__);
 
+	if (len > sizeof(struct rpc_t))
+		return;
+
 	if (dest != nfs_our_port)
 		return;
 
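Review bot: `+ if (len > sizeof(struct rpc_t)) return;` caps only the upper size and imposes no minimum, so a reply shorter than the fields a helper reads at fixed offsets into rpc_pkt.u.reply.data is still accepted here; the per-helper offset checks added later in this series remain necessary, and the commit message should say that this check bounds the copy into rpc_pkt rather than implying it alone resolves the six CVEs listed. A `debug()` line before the silent return would also make dropped oversize replies visible when the NFS client is being debugged.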
-- 
1.8.5.6


* [U-Boot] [PATCH 3/5] CVE-2019-14194/CVE-2019-14198: nfs: fix unbounded memcpy with a failed length check at nfs_read_reply
  2019-08-21 14:48 [U-Boot] [PATCH 1/5] CVE: net: fix unbounded memcpy of UDP packet Cheng Liu
  2019-08-21 14:48 ` [U-Boot] [PATCH 2/5] CVE: nfs: fix stack-based buffer overflow in some nfs_handler reply helper functions Cheng Liu
@ 2019-08-21 14:48 ` Cheng Liu
  2019-08-21 14:48 ` [U-Boot] [PATCH 4/5] CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply Cheng Liu
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Cheng Liu @ 2019-08-21 14:48 UTC (permalink / raw)
  To: u-boot

CVE-2019-14194/CVE-2019-14198: nfs: fix unbounded memcpy with a failed length check at nfs_read_reply

This patch adds a check to rpc_pkt.u.reply.data at nfs_read_reply.

Signed-off-by: Cheng Liu <liucheng32@huawei.com>
---
 net/nfs.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/nfs.c b/net/nfs.c
index b7cf3b3..11941fa 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -701,6 +701,9 @@ static int nfs_read_reply(uchar *pkt, unsigned len)
 			&(rpc_pkt.u.reply.data[4 + nfsv3_data_offset]);
 	}
 
+	if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len)
+			return -9999;
+
 	if (store_block(data_ptr, nfs_offset, rlen))
 			return -9999;
 
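Review bot: the bound is measured from `rpc_pkt.u.reply.data[0]` rather than from `data_ptr`, but the visible context sets data_ptr to `&rpc_pkt.u.reply.data[4 + nfsv3_data_offset]` for NFSv3, so the check undercounts the read by the words between the two and store_block can still read that many bytes beyond len. Compute the offset from the pointer actually copied: `if ((uchar *)data_ptr - (uchar *)&rpc_pkt + rlen > len)`. Also, this hunk returns `-9999` while patches 4 and 5 in the same series return `-NFS_RPC_DROP` for the same condition; pick one code for the whole series.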
-- 
1.8.5.6


* [U-Boot] [PATCH 4/5] CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply
  2019-08-21 14:48 [U-Boot] [PATCH 1/5] CVE: net: fix unbounded memcpy of UDP packet Cheng Liu
  2019-08-21 14:48 ` [U-Boot] [PATCH 2/5] CVE: nfs: fix stack-based buffer overflow in some nfs_handler reply helper functions Cheng Liu
  2019-08-21 14:48 ` [U-Boot] [PATCH 3/5] CVE-2019-14194/CVE-2019-14198: nfs: fix unbounded memcpy with a failed length check at nfs_read_reply Cheng Liu
@ 2019-08-21 14:48 ` Cheng Liu
  2019-08-21 14:48 ` [U-Boot] [PATCH 5/5] CVE-2019-14196: nfs: fix unbounded memcpy with a failed length check at nfs_lookup_reply Cheng Liu
  2019-08-21 19:29 ` [U-Boot] [PATCH 1/5] CVE: net: fix unbounded memcpy of UDP packet Simon Goldschmidt
  4 siblings, 0 replies; 6+ messages in thread
From: Cheng Liu @ 2019-08-21 14:48 UTC (permalink / raw)
  To: u-boot

CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply

This patch adds a check to rpc_pkt.u.reply.data at nfs_readlink_reply.

Signed-off-by: Cheng Liu <liucheng32@huawei.com>
---
 net/nfs.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/nfs.c b/net/nfs.c
index 11941fa..915acd9 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -634,6 +634,9 @@ static int nfs_readlink_reply(uchar *pkt, unsigned len)
 	/* new path length */
 	rlen = ntohl(rpc_pkt.u.reply.data[1 + nfsv3_data_offset]);
 
+	if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len)
+		return -NFS_RPC_DROP;
+
 	if (*((char *)&(rpc_pkt.u.reply.data[2 + nfsv3_data_offset])) != '/') {
 		int pathlen;
 
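Review bot: the check measures from `rpc_pkt.u.reply.data[0]`, but the path bytes it guards begin at `data[2 + nfsv3_data_offset]` (the dereference on the following line), so it is short by `(2 + nfsv3_data_offset) * sizeof(rpc_pkt.u.reply.data[0])` bytes and an rlen that passes can still run that far past len. Use `(uchar *)&rpc_pkt.u.reply.data[2 + nfsv3_data_offset] - (uchar *)&rpc_pkt + rlen > len`. The same pointer-arithmetic expression is repeated in patches 3 through 5; a small static helper taking the data pointer, the payload length and len would avoid three hand-written copies of the offset calculation, each with its own off-by-a-few-words risk.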
-- 
1.8.5.6


* [U-Boot] [PATCH 5/5] CVE-2019-14196: nfs: fix unbounded memcpy with a failed length check at nfs_lookup_reply
  2019-08-21 14:48 [U-Boot] [PATCH 1/5] CVE: net: fix unbounded memcpy of UDP packet Cheng Liu
                   ` (2 preceding siblings ...)
  2019-08-21 14:48 ` [U-Boot] [PATCH 4/5] CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply Cheng Liu
@ 2019-08-21 14:48 ` Cheng Liu
  2019-08-21 19:29 ` [U-Boot] [PATCH 1/5] CVE: net: fix unbounded memcpy of UDP packet Simon Goldschmidt
  4 siblings, 0 replies; 6+ messages in thread
From: Cheng Liu @ 2019-08-21 14:48 UTC (permalink / raw)
  To: u-boot

CVE-2019-14196: nfs: fix unbounded memcpy with a failed length check at nfs_lookup_reply

This patch adds a check to rpc_pkt.u.reply.data at nfs_lookup_reply.

Signed-off-by: Cheng Liu <liucheng32@huawei.com>
---
 net/nfs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/nfs.c b/net/nfs.c
index 915acd9..89952ae 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -566,11 +566,15 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
 	}
 
 	if (supported_nfs_versions & NFSV2_FLAG) {
+		if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + NFS_FHSIZE) > len)
+			return -NFS_RPC_DROP;
 		memcpy(filefh, rpc_pkt.u.reply.data + 1, NFS_FHSIZE);
 	} else {  /* NFSV3_FLAG */
 		filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
 		if (filefh3_length > NFS3_FHSIZE)
 			filefh3_length  = NFS3_FHSIZE;
+		if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len)
+			return -NFS_RPC_DROP;
 		memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
 	}
 
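Review bot: both new checks measure from `data[0]` while the copies read from `rpc_pkt.u.reply.data + 1` (NFSv2) and `+ 2` (NFSv3), so each is short by one and two words respectively; a reply whose file handle ends exactly at len passes the check and the memcpy reads one or two words beyond it. Compute the offset from the copy source, e.g. `(uchar *)(rpc_pkt.u.reply.data + 2) - (uchar *)&rpc_pkt + filefh3_length > len`. Separately, the pre-existing clamp of filefh3_length to NFS3_FHSIZE silently truncates an over-long handle; now that a length check exists, returning `-NFS_RPC_DROP` for `filefh3_length > NFS3_FHSIZE` would be safer than copying a handle that no longer matches what the server sent.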
-- 
1.8.5.6


* [U-Boot] [PATCH 1/5] CVE: net: fix unbounded memcpy of UDP packet
  2019-08-21 14:48 [U-Boot] [PATCH 1/5] CVE: net: fix unbounded memcpy of UDP packet Cheng Liu
                   ` (3 preceding siblings ...)
  2019-08-21 14:48 ` [U-Boot] [PATCH 5/5] CVE-2019-14196: nfs: fix unbounded memcpy with a failed length check at nfs_lookup_reply Cheng Liu
@ 2019-08-21 19:29 ` Simon Goldschmidt
  4 siblings, 0 replies; 6+ messages in thread
From: Simon Goldschmidt @ 2019-08-21 19:29 UTC (permalink / raw)
  To: u-boot

On Wed, Aug 21, 2019 at 8:32 PM Cheng Liu <liucheng32@huawei.com> wrote:
>
> CVE: net: fix unbounded memcpy of UDP packet
>
> This patch adds a check to udp_len to fix unbounded memcpy for
> CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199.
>
> Signed-off-by: Cheng Liu <liucheng32@huawei.com>

Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>

Although being annoyed by the lack of response from Fermin nearly a
month ago, would it make sense to add:

Reported-by: Fermín Serna <fermin@semmle.com>

Regards,
Simon

> ---
>  net/net.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/net/net.c b/net/net.c
> index 40511db..68f9693 100644
> --- a/net/net.c
> +++ b/net/net.c
> @@ -1253,6 +1253,9 @@ void net_process_received_packet(uchar *in_packet, int len)
>                         return;
>                 }
>
> +               if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > ntohs(ip->ip_len))
> +                       return;
> +
>                 debug_cond(DEBUG_DEV_PKT,
>                            "received UDP (to=%pI4, from=%pI4, len=%d)\n",
>                            &dst_ip, &src_ip, len);
> --
> 1.8.5.6
>
> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> https://lists.denx.de/listinfo/u-boot

