From: Tom Rini <trini@konsulko.com>
To: gerbert <gerbert@mu-ori.me>
Cc: u-boot@lists.denx.de
Subject: Re: [PATCH 1/1] CVE-2022-30767: unbounded memcpy with a failed length check
Date: Mon, 6 Jun 2022 10:43:28 -0400
Message-ID: <20220606144328.GT1958597@bill-the-cat>
In-Reply-To: <6d19481182a3816a5e6908f313a466a9@mu-ori.me>

On Thu, Jun 02, 2022 at 09:18:42PM +0300, gerbert wrote:

> This patch tries to fix a CVE-2019-14196 fix
> 
>   In the if-condition where NFSV2_FLAG is checked, a memcpy call is performed
> to transfer reply data of NFS_FHSIZE size. Since the data field in
> the struct rpc_t structure has a size of (1024 / 4) + 26 = 282, while
> NFS_FHSIZE is only 32, it won't lead to an out-of-bounds write (considering
> the size of the data array won't change in the future).
> 
>   As for the if-condition for NFSV3_FLAG: since filefh3_length is a
> signed integer, it may carry negative values, which may lead to memcpy
> failure, so in this case we need not only the boundary check
> (filefh3_length > NFS3_FHSIZE), which exists, but also to make sure that
> filefh3_length is not negative.
> 
> Signed-off-by: gerbert <gerbert@users.noreply.github.com>

This has been addressed as:
https://patchwork.ozlabs.org/project/uboot/patch/20220518163103.372-1-zi0Black@protonmail.com/
and more clearly:
https://source.denx.de/u-boot/u-boot/-/commit/bdbf7a05e26f3c5fd437c99e2755ffde186ddc80
recently, thanks.

-- 
Tom
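
The signed-length problem described in the quoted commit message, as an added example that is not part of the original thread and is not U-Boot's code. The helper names, the reply layout (a 4-byte big-endian length followed by the handle) and NFS3_FHSIZE = 64 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFS3_FHSIZE 64 /* assumption: NFSv3 maximum file handle size */

/* Read the big-endian 32-bit length field at the start of a reply. */
static int32_t read_be32(const uint8_t *p)
{
	uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
		     ((uint32_t)p[2] << 8) | (uint32_t)p[3];
	return (int32_t)v; /* 0xffffffff becomes -1 on two's-complement targets */
}

/* Upper-bound-only check. Returns 1 if the length is accepted and stores
 * in *n the size memcpy would receive; performs no copy. */
static int weak_check(int32_t fh_len, size_t *n)
{
	if (fh_len > NFS3_FHSIZE)
		return 0;
	*n = (size_t)fh_len; /* a negative value converts to a huge size_t */
	return 1;
}

/* Hardened copy: rejects negative and oversized lengths, plus (an addition
 * beyond the message) lengths larger than the bytes actually received.
 * Returns the handle length, or -1 if the reply is rejected. */
static int copy_fh(uint8_t dst[NFS3_FHSIZE], const uint8_t *reply, size_t reply_len)
{
	int32_t fh_len;

	if (reply_len < 4)
		return -1;
	fh_len = read_be32(reply);
	if (fh_len < 0 || fh_len > NFS3_FHSIZE)
		return -1;
	if ((size_t)fh_len > reply_len - 4)
		return -1;
	memcpy(dst, reply + 4, (size_t)fh_len);
	return fh_len;
}

int main(void)
{
	const uint8_t reply[] = { 0xff, 0xff, 0xff, 0xff, 0x41 }; /* constructed */
	uint8_t fh[NFS3_FHSIZE];
	size_t n = 0;
	int accepted = weak_check(read_be32(reply), &n);

	printf("weak check accepts: %d, memcpy size: %zu\n", accepted, n);
	printf("hardened copy returns: %d\n", copy_fh(fh, reply, sizeof(reply)));
	return 0;
}
```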
