From: gerbert <gerbert@mu-ori.me>
To: u-boot@lists.denx.de
Subject: [PATCH 1/1] CVE-2022-30767: unbounded memcpy with a failed length check
Date: Thu, 02 Jun 2022 21:18:42 +0300 [thread overview]
Message-ID: <6d19481182a3816a5e6908f313a466a9@mu-ori.me> (raw)
This patch tries to fix a CVE-2019-14196 fix
In if-condition, where NFSV2_FLAG is checked, memcpy call is performed
to transfer a reply data of NFS_FHSIZE size. Since the data field in
struct rpc_t structure has the size of (1024 / 4) + 26 = 282, while
NFS_FHSIZE is only 32, it won't lead to out-of-bounds write (considering
the size of data array won't change in the future).
What concerns if-condition for NFSV3_FLAG, since filefh3_length is
signed integer, it may carry negative values which may lead to memcpy
failure, so in this case we need to introduce not only boundary check
(filefh3_length > NFS3_FHSIZE), which exists, but also make sure that
filefh3_length is not negative.
Signed-off-by: gerbert <gerbert@users.noreply.github.com>
---
net/nfs.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/nfs.c b/net/nfs.c
index 9152ab742e..5186130ea9 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -566,13 +566,13 @@ static int nfs_lookup_reply(uchar *pkt, unsigned
len)
}
if (supported_nfs_versions & NFSV2_FLAG) {
- if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) +
NFS_FHSIZE) > len)
- return -NFS_RPC_DROP;
memcpy(filefh, rpc_pkt.u.reply.data + 1, NFS_FHSIZE);
} else { /* NFSV3_FLAG */
filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
+ if (filefh3_length < 0)
+ return -NFS_RPC_DROP;
if (filefh3_length > NFS3_FHSIZE)
- filefh3_length = NFS3_FHSIZE;
+ filefh3_length = NFS3_FHSIZE;
memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
}
--
2.32.0
next reply other threads:[~2022-06-03 11:40 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-02 18:18 gerbert [this message]
2022-06-06 14:43 ` [PATCH 1/1] CVE-2022-30767: unbounded memcpy with a failed length check Tom Rini
2022-06-06 15:10 ` gerbert
2022-06-02 18:32 gerbert
2022-06-04 17:44 ` Heinrich Schuchardt
2022-06-04 18:07 ` gerbert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6d19481182a3816a5e6908f313a466a9@mu-ori.me \
--to=gerbert@mu-ori.me \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.