From: Heinrich Schuchardt
Date: Sat, 4 Jun 2022 19:44:13 +0200
Subject: Re: [PATCH 1/1] CVE-2022-30767: unbounded memcpy with a failed length check
To: gerbert
Cc: u-boot@lists.denx.de
List-Id: U-Boot discussion

On 6/2/22 20:32, gerbert wrote:
> This patch tries to fix a CVE-2019-14196 fix
>
>   In the if-condition where NFSV2_FLAG is checked, a memcpy call is performed
> to transfer reply data of NFS_FHSIZE size. Since the data field in the
> struct rpc_t structure has the size of (1024 / 4) + 26 = 282, while
> NFS_FHSIZE is only 32, it won't lead to an out-of-bounds write (considering
> the size of the data array won't change in the future).
>
>   As for the if-condition for NFSV3_FLAG: since filefh3_length is a
> signed integer, it may carry negative values which may lead to memcpy
> failure, so in this case we need to introduce not only the boundary check
> (filefh3_length > NFS3_FHSIZE), which exists, but also make sure that
> filefh3_length is not negative.
>
> Signed-off-by: gerbert
> ---
>  net/nfs.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/net/nfs.c b/net/nfs.c
> index 9152ab742e..5186130ea9 100644
> --- a/net/nfs.c
> +++ b/net/nfs.c
> @@ -566,13 +566,13 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
>      }
>
>      if (supported_nfs_versions & NFSV2_FLAG) {
> -        if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt)
> + NFS_FHSIZE) > len)
> -            return -NFS_RPC_DROP;
>          memcpy(filefh, rpc_pkt.u.reply.data + 1, NFS_FHSIZE);
>      } else {  /* NFSV3_FLAG */
>          filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
> +        if (filefh3_length < 0)

This is the definition:

static unsigned int filefh3_length

The value cannot be negative.

Cf. bdbf7a05e26f3c5 ("net: nfs: Fix CVE-2022-30767 (old CVE-2019-14196)")

> +            return -NFS_RPC_DROP;
>          if (filefh3_length > NFS3_FHSIZE)
> -            filefh3_length  = NFS3_FHSIZE;
> +            filefh3_length = NFS3_FHSIZE;

This seems to be an unrelated change.

Best regards

Heinrich

>          memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
>      }
>
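Review bot: the two `-` lines in the NFSV2_FLAG branch remove a check against `len`, the received packet length, while the commit message only argues about the size of the `data` array in `struct rpc_t`; those are two different bounds. `memcpy(filefh, rpc_pkt.u.reply.data + 1, NFS_FHSIZE)` stays inside `rpc_pkt` whatever `len` is, but once the check is gone a LOOKUP reply shorter than `(uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + NFS_FHSIZE` makes the copy read bytes that were never part of the received reply, which is what that `-NFS_RPC_DROP` check guards against; keep those lines. In the NFSV3_FLAG branch the added `if (filefh3_length < 0)` can never be true because `filefh3_length` is declared `unsigned int`, so it is dead code; a check that bounds `filefh3_length` against `len` in the same way as the v2 branch would be the useful addition before `memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length)`. The `-`/`+` pair for `filefh3_length = NFS3_FHSIZE;` differs only in whitespace and should not be part of a CVE fix.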
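The two points argued in this thread, that a bounds check has to be made against the number of bytes actually received and not only against the size of the destination array, and that a signed length variable would let a negative value slip past a `> NFS3_FHSIZE` clamp whereas an unsigned one cannot, are shown below in a small C model. This is an added example, not code from U-Boot's net/nfs.c or from either participant: the struct layout (`struct rpc_reply`), the helpers `nfs_lookup_copy_fh`, `make_lookup_reply`, `v3_clamp_signed`, `v3_clamp_unsigned`, the value of `NFS_RPC_DROP` and the constructed replies are all assumptions for the example; only the constant names and sizes come from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants as named in net/nfs.c; the NFS_RPC_DROP value is an assumption. */
#define NFS_FHSIZE   32
#define NFS3_FHSIZE  64
#define NFS_RPC_DROP 1

/* Assumed, simplified model of the rpc_t reply: an RPC header followed by
 * the data[] array of (1024 / 4) + 26 words that the commit message quotes. */
struct rpc_reply {
    uint32_t id, type, rstatus, verifier, v2, astatus;
    uint32_t data[(1024 / 4) + 26];
};

static uint32_t be32_get(const void *p)
{
    const uint8_t *b = p;
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | b[3];
}

static void be32_put(void *p, uint32_t v)
{
    uint8_t *b = p;
    b[0] = v >> 24; b[1] = v >> 16; b[2] = v >> 8; b[3] = v;
}

/* The pattern the patch worries about: with a signed length, -1 passes the
 * "> NFS3_FHSIZE" clamp and turns into SIZE_MAX when handed to memcpy. */
static size_t v3_clamp_signed(int32_t filefh3_length)
{
    if (filefh3_length > NFS3_FHSIZE)
        filefh3_length = NFS3_FHSIZE;
    return (size_t)filefh3_length;
}

/* With an unsigned length, as net/nfs.c declares it, the same clamp catches
 * every out-of-range value, so a "< 0" test adds nothing. */
static size_t v3_clamp_unsigned(uint32_t filefh3_length)
{
    if (filefh3_length > NFS3_FHSIZE)
        filefh3_length = NFS3_FHSIZE;
    return filefh3_length;
}

/* Copy the file handle out of a LOOKUP reply of 'len' received bytes.
 * Returns the handle length, or -NFS_RPC_DROP if the reply is too short.
 * Both branches bound the copy against len, not only the array size:
 * staying inside rpc_reply is not enough when the packet was shorter. */
static int nfs_lookup_copy_fh(const uint8_t *pkt, size_t len, int nfsv3,
                              uint8_t *filefh, size_t filefh_size)
{
    struct rpc_reply reply;
    size_t data_off = offsetof(struct rpc_reply, data);
    size_t fh_off, fh_len;

    if (len > sizeof(reply) || len < data_off + sizeof(uint32_t))
        return -NFS_RPC_DROP;
    memset(&reply, 0xAA, sizeof(reply)); /* stale bytes a short packet exposes */
    memcpy(&reply, pkt, len);

    if (!nfsv3) {
        fh_off = data_off + 1 * sizeof(uint32_t);     /* data + 1 */
        fh_len = NFS_FHSIZE;
    } else {
        if (len < data_off + 2 * sizeof(uint32_t))
            return -NFS_RPC_DROP;
        fh_off = data_off + 2 * sizeof(uint32_t);     /* data + 2 */
        fh_len = v3_clamp_unsigned(be32_get(&reply.data[1]));
    }
    if (fh_off + fh_len > len || fh_len > filefh_size)
        return -NFS_RPC_DROP;
    memcpy(filefh, (const uint8_t *)&reply + fh_off, fh_len);
    return (int)fh_len;
}

/* Constructed LOOKUP reply for testing: zeroed RPC header, status word,
 * for v3 a big-endian handle length, then fh_bytes of handle data.
 * Returns the total byte length. */
static size_t make_lookup_reply(uint8_t *buf, int nfsv3, uint32_t claimed_len,
                                size_t fh_bytes)
{
    size_t off = offsetof(struct rpc_reply, data);
    memset(buf, 0, off + 4);
    off += 4;                                   /* data[0]: status = 0 */
    if (nfsv3) {
        be32_put(buf + off, claimed_len);
        off += 4;                               /* data[1]: handle length */
    }
    for (size_t i = 0; i < fh_bytes; i++)
        buf[off + i] = (uint8_t)(0x41 + i);
    return off + fh_bytes;
}

int main(void)
{
    uint8_t pkt[sizeof(struct rpc_reply)], fh[NFS3_FHSIZE];
    size_t n = make_lookup_reply(pkt, 1, 0xffffffffu, NFS3_FHSIZE);

    printf("signed clamp of -1: %zu\n", v3_clamp_signed(-1));
    printf("unsigned clamp of 0xffffffff: %zu\n", v3_clamp_unsigned(0xffffffffu));
    printf("v3 reply, bogus length, full packet: %d\n",
           nfs_lookup_copy_fh(pkt, n, 1, fh, sizeof fh));
    printf("same reply truncated to 40 bytes: %d\n",
           nfs_lookup_copy_fh(pkt, 40, 1, fh, sizeof fh));
    return 0;
}
```

The v2 branch keeps the received-length check that the posted hunk removes; the v3 branch shows that the clamp alone is sufficient for the unsigned length but still needs the same `len` bound before the copy.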