Andrew Geissler | 82c905d | 2020-04-13 13:39:40 -0500 | [diff] [blame] | 1 | From 24aed93efb30a8f557aedc2f03b6ccec758ccbf4 Mon Sep 17 00:00:00 2001 |
| 2 | From: Chrostoper Ertl <chertl@microsoft.com> |
| 3 | Date: Thu, 28 Nov 2019 16:44:18 +0000 |
| 4 | Subject: [PATCH 1/5] fru: Fix buffer overflow in ipmi_spd_print_fru |
| 5 | |
| 6 | Partial fix for CVE-2020-5208, see |
| 7 | https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp |
| 8 | |
| 9 | The `ipmi_spd_print_fru` function has a similar issue as the one fixed |
| 10 | by the previous commit in `read_fru_area_section`. An initial request is |
| 11 | made to get the `fru.size`, which is used as the size for the allocation |
| 12 | of `spd_data`. Inside a loop, further requests are performed to get the |
| 13 | copy sizes which are not checked before being used as the size for a |
| 14 | copy into the buffer. |
| 15 | |
| 16 | Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/840fb1cbb4fb365cb9797300e3374d4faefcdb10] |
| 17 | CVE: CVE-2020-5208 |
| 18 | |
| 19 | Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> |
| 20 | --- |
| 21 | lib/dimm_spd.c | 9 ++++++++- |
| 22 | 1 file changed, 8 insertions(+), 1 deletion(-) |
| 23 | |
| 24 | diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c |
| 25 | index 91ae117..4c9c21d 100644 |
| 26 | --- a/lib/dimm_spd.c |
| 27 | +++ b/lib/dimm_spd.c |
| 28 | @@ -1014,7 +1014,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id) |
| 29 | struct ipmi_rq req; |
| 30 | struct fru_info fru; |
| 31 | uint8_t *spd_data, msg_data[4]; |
| 32 | - int len, offset; |
| 33 | + uint32_t len, offset; |
| 34 | |
| 35 | msg_data[0] = id; |
| 36 | |
| 37 | @@ -1091,6 +1091,13 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id) |
| 38 | } |
| 39 | |
| 40 | len = rsp->data[0]; |
| 41 | + if(rsp->data_len < 1 |
| 42 | + || len > rsp->data_len - 1 |
| 43 | + || len > fru.size - offset) |
| 44 | + { |
| 45 | + printf(" Not enough buffer size"); |
| 46 | + return -1; |
| 47 | + } |
| 48 | memcpy(&spd_data[offset], rsp->data + 1, len); |
| 49 | offset += len; |
| 50 | } while (offset < fru.size); |
| 51 | -- |
| 52 | 1.9.1 |
| 53 | |