[PATCH 1/1] CVE-2022-30767: unbounded memcpy with a failed length check

gerbert gerbert at mu-ori.me
Mon Jun 6 17:10:52 CEST 2022


Tom Rini wrote 2022-06-06 17:43:
> On Thu, Jun 02, 2022 at 09:18:42PM +0300, gerbert wrote:
> 
>> This patch tries to fix the CVE-2019-14196 fix.
>> 
>>   In the if-condition where NFSV2_FLAG is checked, a memcpy call is
>> performed to transfer reply data of NFS_FHSIZE size. Since the data field
>> in struct rpc_t has the size of (1024 / 4) + 26 = 282, while NFS_FHSIZE
>> is only 32, it won't lead to an out-of-bounds write (considering the size
>> of the data array won't change in the future).
>> 
>>   As for the if-condition for NFSV3_FLAG: since filefh3_length is a
>> signed integer, it may carry negative values, which may lead to memcpy
>> failure, so in this case we need not only the boundary check
>> (filefh3_length > NFS3_FHSIZE), which exists, but also to make sure that
>> filefh3_length is not negative.
>> 
>> Signed-off-by: gerbert <gerbert at users.noreply.github.com>
> 
> This has been addressed as:
> https://patchwork.ozlabs.org/project/uboot/patch/20220518163103.372-1-zi0Black@protonmail.com/
> and more clearly:
> https://source.denx.de/u-boot/u-boot/-/commit/bdbf7a05e26f3c5fd437c99e2755ffde186ddc80
> recently, thanks.
That's right. But as far as I can see, the if-condition for NFS v2 has the
same leftover, which was removed from the v3 part. In this case I guess it
can be removed.

Kind regards,
Gerbert
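The signed-length problem argued in the quoted commit message, shown as an added example. This is model code written for this note, not U-Boot's net/nfs.c: the struct, the NFS3_FHSIZE value of 64, the host-order length word and the function names are assumptions standing in for the real ones, so that only the check itself is exercised. It puts the upper-bound-only check beside the corrected one and shows what a negative filefh3_length turns into once it reaches memcpy's size_t parameter.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model code for this note only; NOT U-Boot's net/nfs.c. The struct and
 * constants below are assumptions stood in for the real ones so that the
 * length-check logic argued in the thread can be exercised in isolation.
 */
#define NFS3_FHSIZE     64                  /* assumed v3 handle limit */
#define RPC_DATA_WORDS  ((1024 / 4) + 26)   /* 282, as stated in the thread */

/* Stand-in for the reply payload: 32-bit words, kept in host order here
 * (the real code byte-swaps; that step is irrelevant to the bug). */
struct model_rpc_reply {
    uint32_t data[RPC_DATA_WORDS];   /* data[1] = handle length, data[2..] = handle */
};

/* The v3 check as the thread describes it before the fix: upper bound only.
 * Returns true when the length is accepted and would be handed to memcpy. */
bool fh3_len_ok_before(int filefh3_length)
{
    if (filefh3_length > NFS3_FHSIZE)
        return false;
    return true;
}

/* The check the commit message argues for: reject negative lengths too. */
bool fh3_len_ok_after(int filefh3_length)
{
    if (filefh3_length < 0 || filefh3_length > NFS3_FHSIZE)
        return false;
    return true;
}

/* memcpy takes size_t, so a negative int that slips past the check becomes
 * a huge unsigned length; this returns that converted value. */
size_t memcpy_len_for(int filefh3_length)
{
    return (size_t)filefh3_length;
}

/* Extracts the v3 file handle using the corrected check plus explicit
 * source/destination guards. Returns bytes copied, or -1 if rejected. */
int copy_fh3(const struct model_rpc_reply *r, unsigned char *fh, size_t fh_cap)
{
    int filefh3_length = (int)r->data[1];   /* signed, as in the thread */

    if (!fh3_len_ok_after(filefh3_length))
        return -1;
    /* Do not rely on the constant alone for either buffer. */
    if ((size_t)filefh3_length > fh_cap)
        return -1;
    if ((size_t)filefh3_length > sizeof(r->data) - 2 * sizeof(uint32_t))
        return -1;

    memcpy(fh, &r->data[2], (size_t)filefh3_length);
    return filefh3_length;
}

int main(void)
{
    /* Constructed reply: a hostile server sets the length word to -1. */
    struct model_rpc_reply bad = {{0}};
    bad.data[1] = (uint32_t)-1;
    int len = (int)bad.data[1];

    printf("length %d: old check accepts=%d, new check accepts=%d, "
           "memcpy would receive %zu bytes\n",
           len, fh3_len_ok_before(len), fh3_len_ok_after(len), memcpy_len_for(len));

    unsigned char fh[NFS3_FHSIZE];
    printf("copy_fh3 on the bad reply: %d\n", copy_fh3(&bad, fh, sizeof fh));

    /* Constructed well-formed reply: a 16-byte handle filled with 0xAA. */
    struct model_rpc_reply good = {{0}};
    good.data[1] = 16;
    memset(&good.data[2], 0xAA, 16);
    printf("copy_fh3 on the good reply: %d\n", copy_fh3(&good, fh, sizeof fh));
    return 0;
}
```

The point the example makes is that `filefh3_length > NFS3_FHSIZE` is a signed comparison, so -1 is "not greater than 64" and passes, and only at the memcpy call does the value become SIZE_MAX. Checking `< 0` first (or reading the length into an unsigned type before comparing) closes that gap; the extra guards in copy_fh3 are there so the copy stays bounded even if the constants are ever changed.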

