Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15-SP1
ipmitool.14091
fru-Fix-buffer-overflow-vulnerabilities.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File fru-Fix-buffer-overflow-vulnerabilities.patch of Package ipmitool.14091
From: Chrostoper Ertl <chertl@microsoft.com> Subject: fru: Fix buffer overflow vulnerabilities References: bsc#1163026, CVE-2020-5208 Patch-Mainline: Git-commit: e824c23316ae50beb7f7488f2055ac65e8b341f2 Git-repo: https://github.com/ipmitool/ipmitool.git.git Partial fix for CVE-2020-5208, see https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp The `read_fru_area_section` function only performs size validation of requested read size, and falsely assumes that the IPMI message will not respond with more than the requested amount of data; it uses the unvalidated response size to copy into `frubuf`. If the response is larger than the request, this can result in overflowing the buffer. The same issue affects the `read_fru_area` function. Signed-off-by: <trenn@suse.com> --- lib/ipmi_fru.c | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) --- a/lib/ipmi_fru.c +++ b/lib/ipmi_fru.c @@ -616,7 +616,10 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, uint32_t offset, uint32_t length, uint8_t *frubuf) { - uint32_t off = offset, tmp, finish; + uint32_t off = offset; + uint32_t tmp; + uint32_t finish; + uint32_t size_left_in_buffer; struct ipmi_rs * rsp; struct ipmi_rq req; uint8_t msg_data[4]; @@ -629,10 +632,12 @@ finish = offset + length; if (finish > fru->size) { + memset(frubuf + fru->size, 0, length - fru->size); finish = fru->size; lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " "Adjusting to %d", offset + length, finish - offset); + length = finish - offset; } memset(&req, 0, sizeof(req)); @@ -668,6 +673,7 @@ } } + size_left_in_buffer = length; do { tmp = fru->access ? off >> 1 : off; msg_data[0] = id; @@ -708,9 +714,18 @@ } tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; + if(rsp->data_len < 1 + || tmp > rsp->data_len - 1 + || tmp > size_left_in_buffer) + { + printf(" Not enough buffer size"); + return -1; + } + memcpy(frubuf, rsp->data + 1, tmp); off += tmp; frubuf += tmp; + size_left_in_buffer -= tmp; /* sometimes the size returned in the Info command * is too large. return 0 so higher level function * still attempts to parse what was returned */ @@ -743,7 +758,9 @@ uint32_t offset, uint32_t length, uint8_t *frubuf) { static uint32_t fru_data_rqst_size = 20; - uint32_t off = offset, tmp, finish; + uint32_t off = offset; + uint32_t tmp, finish; + uint32_t size_left_in_buffer; struct ipmi_rs * rsp; struct ipmi_rq req; uint8_t msg_data[4]; @@ -756,10 +773,12 @@ finish = offset + length; if (finish > fru->size) { + memset(frubuf + fru->size, 0, length - fru->size); finish = fru->size; lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " "Adjusting to %d", offset + length, finish - offset); + length = finish - offset; } memset(&req, 0, sizeof(req)); @@ -774,6 +793,8 @@ if (fru->access && fru_data_rqst_size > 16) #endif fru_data_rqst_size = 16; + + size_left_in_buffer = length; do { tmp = fru->access ? off >> 1 : off; msg_data[0] = id; @@ -805,8 +826,16 @@ } tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; + if(rsp->data_len < 1 + || tmp > rsp->data_len - 1 + || tmp > size_left_in_buffer) + { + printf(" Not enough buffer size"); + return -1; + } memcpy((frubuf + off)-offset, rsp->data + 1, tmp); off += tmp; + size_left_in_buffer -= tmp; /* sometimes the size returned in the Info command * is too large. return 0 so higher level function
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
