From fc092cfa1dbd409310c73eadee93519db8647934 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Sun, 3 Jan 2021 09:23:38 +0100 Subject: New d/p/0505-fix_CVE-2020-5208.patch --- debian/patches/0505-fix_CVE-2020-5208.patch | 114 ++++++++++++++++++++++++++++ 1 file changed, 114 insertions(+) create mode 100644 debian/patches/0505-fix_CVE-2020-5208.patch (limited to 'debian/patches/0505-fix_CVE-2020-5208.patch') diff --git a/debian/patches/0505-fix_CVE-2020-5208.patch b/debian/patches/0505-fix_CVE-2020-5208.patch new file mode 100644 index 0000000..5b76b32 --- /dev/null +++ b/debian/patches/0505-fix_CVE-2020-5208.patch @@ -0,0 +1,114 @@ +Description: Fix CVE-2020-5208 +Origin: backport from https://github.com/ipmitool/ipmitool/commit/7ccea283dd62a05a320c1921e3d8d71a87772637 +Bug: https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950761 +Forwarded: not-needed +Last-Update: 2021-01-03 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: trunk/lib/ipmi_fru.c +=================================================================== +--- trunk.orig/lib/ipmi_fru.c ++++ trunk/lib/ipmi_fru.c +@@ -615,7 +615,10 @@ int + read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + uint32_t offset, uint32_t length, uint8_t *frubuf) + { +- uint32_t off = offset, tmp, finish; ++ uint32_t off = offset; ++ uint32_t tmp; ++ uint32_t finish; ++ uint32_t size_left_in_buffer; + struct ipmi_rs * rsp; + struct ipmi_rq req; + uint8_t msg_data[4]; +@@ -628,10 +631,12 @@ read_fru_area(struct ipmi_intf * intf, s + + finish = offset + length; + if (finish > fru->size) { ++ memset(frubuf + fru->size, 0, length - fru->size); + finish = fru->size; + lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " + "Adjusting to %d", + offset + length, finish - offset); ++ length = finish - offset; + } + + memset(&req, 0, sizeof(req)); +@@ -667,6 +672,7 @@ read_fru_area(struct ipmi_intf * intf, s + } + } + ++ size_left_in_buffer = length; + do { + tmp = fru->access ? off >> 1 : off; + msg_data[0] = id; +@@ -707,9 +713,18 @@ read_fru_area(struct ipmi_intf * intf, s + } + + tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; ++ if(rsp->data_len < 1 ++ || tmp > rsp->data_len - 1 ++ || tmp > size_left_in_buffer) ++ { ++ printf(" Not enough buffer size"); ++ return -1; ++ } ++ + memcpy(frubuf, rsp->data + 1, tmp); + off += tmp; + frubuf += tmp; ++ size_left_in_buffer -= tmp; + /* sometimes the size returned in the Info command + * is too large. return 0 so higher level function + * still attempts to parse what was returned */ +@@ -742,7 +757,9 @@ read_fru_area_section(struct ipmi_intf * + uint32_t offset, uint32_t length, uint8_t *frubuf) + { + static uint32_t fru_data_rqst_size = 20; +- uint32_t off = offset, tmp, finish; ++ uint32_t off = offset; ++ uint32_t tmp, finish; ++ uint32_t size_left_in_buffer; + struct ipmi_rs * rsp; + struct ipmi_rq req; + uint8_t msg_data[4]; +@@ -755,10 +772,12 @@ read_fru_area_section(struct ipmi_intf * + + finish = offset + length; + if (finish > fru->size) { ++ memset(frubuf + fru->size, 0, length - fru->size); + finish = fru->size; + lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " + "Adjusting to %d", + offset + length, finish - offset); ++ length = finish - offset; + } + + memset(&req, 0, sizeof(req)); +@@ -773,6 +792,8 @@ read_fru_area_section(struct ipmi_intf * + if (fru->access && fru_data_rqst_size > 16) + #endif + fru_data_rqst_size = 16; ++ ++ size_left_in_buffer = length; + do { + tmp = fru->access ? off >> 1 : off; + msg_data[0] = id; +@@ -804,8 +825,16 @@ read_fru_area_section(struct ipmi_intf * + } + + tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; ++ if(rsp->data_len < 1 ++ || tmp > rsp->data_len - 1 ++ || tmp > size_left_in_buffer) ++ { ++ printf(" Not enough buffer size"); ++ return -1; ++ } + memcpy((frubuf + off)-offset, rsp->data + 1, tmp); + off += tmp; ++ size_left_in_buffer -= tmp; + + /* sometimes the size returned in the Info command + * is too large. return 0 so higher level function -- cgit v1.2.3 From 71ae773266e284bbccc10deb4e969284d7c8b7da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Mon, 4 Jan 2021 07:12:30 +0100 Subject: More work on CVE-2020-5208 --- debian/patches/0505-fix_CVE-2020-5208.patch | 187 +++++++++++++++++++++++++++- 1 file changed, 186 insertions(+), 1 deletion(-) (limited to 'debian/patches/0505-fix_CVE-2020-5208.patch') diff --git a/debian/patches/0505-fix_CVE-2020-5208.patch b/debian/patches/0505-fix_CVE-2020-5208.patch index 5b76b32..1295180 100644 --- a/debian/patches/0505-fix_CVE-2020-5208.patch +++ b/debian/patches/0505-fix_CVE-2020-5208.patch @@ -1,5 +1,11 @@ Description: Fix CVE-2020-5208 -Origin: backport from https://github.com/ipmitool/ipmitool/commit/7ccea283dd62a05a320c1921e3d8d71a87772637 +Origin: backport from + https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2 + https://github.com/ipmitool/ipmitool/commit/840fb1cbb4fb365cb9797300e3374d4faefcdb10 + https://github.com/ipmitool/ipmitool/commit/41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22 + https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4 + https://github.com/ipmitool/ipmitool/commit/d45572d71e70840e0d4c50bf48218492b79c1a10 + https://github.com/ipmitool/ipmitool/commit/7ccea283dd62a05a320c1921e3d8d71a87772637 Bug: https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950761 Forwarded: not-needed @@ -112,3 +118,182 @@ Index: trunk/lib/ipmi_fru.c /* sometimes the size returned in the Info command * is too large. return 0 so higher level function +@@ -3033,7 +3062,7 @@ ipmi_fru_print(struct ipmi_intf * intf, + return 0; + + memset(desc, 0, sizeof(desc)); +- memcpy(desc, fru->id_string, fru->id_code & 0x01f); ++ memcpy(desc, fru->id_string, __min(fru->id_code & 0x01f, sizeof(desc))); + desc[fru->id_code & 0x01f] = 0; + printf("FRU Device Description : %s (ID %d)\n", desc, fru->device_id); + +Index: trunk/lib/ipmi_sdr.c +=================================================================== +--- trunk.orig/lib/ipmi_sdr.c ++++ trunk/lib/ipmi_sdr.c +@@ -2084,7 +2084,7 @@ ipmi_sdr_print_sensor_eventonly(struct i + return -1; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (sensor->id_code & 0x1f) + 1, "%s", sensor->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (sensor->id_code & 0x1f) + 1, sensor->id_string); + + if (verbose) { + printf("Sensor ID : %s (0x%x)\n", +@@ -2135,7 +2135,7 @@ ipmi_sdr_print_sensor_mc_locator(struct + return -1; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (mc->id_code & 0x1f) + 1, "%s", mc->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (mc->id_code & 0x1f) + 1, mc->id_string); + + if (verbose == 0) { + if (csv_output) +@@ -2228,7 +2228,7 @@ ipmi_sdr_print_sensor_generic_locator(st + char desc[17]; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (dev->id_code & 0x1f) + 1, "%s", dev->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (dev->id_code & 0x1f) + 1, dev->id_string); + + if (!verbose) { + if (csv_output) +@@ -2285,7 +2285,7 @@ ipmi_sdr_print_sensor_fru_locator(struct + char desc[17]; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (fru->id_code & 0x1f) + 1, "%s", fru->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (fru->id_code & 0x1f) + 1, fru->id_string); + + if (!verbose) { + if (csv_output) +@@ -2489,35 +2489,43 @@ ipmi_sdr_print_name_from_rawentry(struct + + int rc =0; + char desc[17]; ++ const char *id_string; ++ uint8_t id_code; + memset(desc, ' ', sizeof (desc)); + + switch ( type) { + case SDR_RECORD_TYPE_FULL_SENSOR: + record.full = (struct sdr_record_full_sensor *) raw; +- snprintf(desc, (record.full->id_code & 0x1f) +1, "%s", +- (const char *)record.full->id_string); ++ id_code = record.full->id_code; ++ id_string = record.full->id_string; + break; ++ + case SDR_RECORD_TYPE_COMPACT_SENSOR: + record.compact = (struct sdr_record_compact_sensor *) raw ; +- snprintf(desc, (record.compact->id_code & 0x1f) +1, "%s", +- (const char *)record.compact->id_string); ++ id_code = record.compact->id_code; ++ id_string = record.compact->id_string; + break; ++ + case SDR_RECORD_TYPE_EVENTONLY_SENSOR: + record.eventonly = (struct sdr_record_eventonly_sensor *) raw ; +- snprintf(desc, (record.eventonly->id_code & 0x1f) +1, "%s", +- (const char *)record.eventonly->id_string); +- break; ++ id_code = record.eventonly->id_code; ++ id_string = record.eventonly->id_string; ++ break; ++ + case SDR_RECORD_TYPE_MC_DEVICE_LOCATOR: + record.mcloc = (struct sdr_record_mc_locator *) raw ; +- snprintf(desc, (record.mcloc->id_code & 0x1f) +1, "%s", +- (const char *)record.mcloc->id_string); ++ id_code = record.mcloc->id_code; ++ id_string = record.mcloc->id_string; + break; ++ + default: + rc = -1; +- break; +- } ++ } ++ if (!rc) { ++ snprintf(desc, sizeof(desc), "%.*s", (id_code & 0x1f) + 1, id_string); ++ } + +- lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); ++ lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); + return rc; + } + +Index: trunk/lib/ipmi_channel.c +=================================================================== +--- trunk.orig/lib/ipmi_channel.c ++++ trunk/lib/ipmi_channel.c +@@ -378,7 +378,10 @@ ipmi_get_channel_cipher_suites(struct ip + lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); + return -1; + } +- if (rsp->ccode > 0) { ++ if (rsp->ccode ++ || rsp->data_len < 1 ++ || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN) ++ { + lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", + val2str(rsp->ccode, completion_code_vals)); + return -1; +Index: trunk/lib/ipmi_session.c +=================================================================== +--- trunk.orig/lib/ipmi_session.c ++++ trunk/lib/ipmi_session.c +@@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf + } + else + { +- memcpy(&session_info, rsp->data, rsp->data_len); +- print_session_info(&session_info, rsp->data_len); ++ memcpy(&session_info, rsp->data, ++ __min(rsp->data_len, sizeof(session_info))); ++ print_session_info(&session_info, ++ __min(rsp->data_len, sizeof(session_info))); + } + break; + +@@ -341,9 +343,10 @@ ipmi_get_session_info(struct ipmi_intf + break; + } + +- memcpy(&session_info, rsp->data, rsp->data_len); +- print_session_info(&session_info, rsp->data_len); +- ++ memcpy(&session_info, rsp->data, ++ __min(rsp->data_len, sizeof(session_info))); ++ print_session_info(&session_info, ++ __min(rsp->data_len, sizeof(session_info))); + } while (i <= session_info.session_slot_count); + break; + } +Index: trunk/lib/dimm_spd.c +=================================================================== +--- trunk.orig/lib/dimm_spd.c ++++ trunk/lib/dimm_spd.c +@@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * in + struct ipmi_rq req; + struct fru_info fru; + uint8_t *spd_data, msg_data[4]; +- int len, offset; ++ uint32_t len, offset; + + msg_data[0] = id; + +@@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * in + } + + len = rsp->data[0]; ++ if(rsp->data_len < 1 ++ || len > rsp->data_len - 1 ++ || len > fru.size - offset) ++ { ++ printf(" Not enough buffer size"); ++ return -1; ++ } + memcpy(&spd_data[offset], rsp->data + 1, len); + offset += len; + } while (offset < fru.size); -- cgit v1.2.3