MIRRORS/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2025-12-14 14:25:53 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

ipmitool: Update to 1.8.19

Browse Source 
Remove backported patches
Add a patch to fix build with clang
Add a patch to stop downloading IANA registry during configure

Signed-off-by: Khem Raj <raj.khem@gmail.com>
This commit is contained in:
Khem Raj 2022-09-02 10:18:49 -07:00
parent a7dddae00c
commit b0d2977fb1
11 changed files with 94 additions and 749 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

152
meta-oe/recipes-kernel/ipmitool/ipmitool/0001-Migrate-to-openssl-1.1.patch
View File

@ -1,152 +0,0 @@
From c9dcb6afef9c343d070aaff208d11a997a45a105 Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Wed, 5 Sep 2018 22:19:38 -0700
Subject: [PATCH] Migrate to openssl 1.1
Upstream-Status: Backport [https://sourceforge.net/p/ipmitool/source/ci/1664902525a1c3771b4d8b3ccab7ea1ba6b2bdd1/]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
src/plugins/lanplus/lanplus_crypt_impl.c | 50 ++++++++++++++----------
1 file changed, 29 insertions(+), 21 deletions(-)
diff --git a/src/plugins/lanplus/lanplus_crypt_impl.c b/src/plugins/lanplus/lanplus_crypt_impl.c
index d5fac37..9652a5e 100644
--- a/src/plugins/lanplus/lanplus_crypt_impl.c
+++ b/src/plugins/lanplus/lanplus_crypt_impl.c
@@ -164,11 +164,7 @@ lanplus_encrypt_aes_cbc_128(const uint8_t * iv,
uint8_t * output,
uint32_t * bytes_written)
{
- EVP_CIPHER_CTX ctx;
- EVP_CIPHER_CTX_init(&ctx);
- EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, iv);
- EVP_CIPHER_CTX_set_padding(&ctx, 0);
-
+ EVP_CIPHER_CTX *ctx = NULL;
*bytes_written = 0;
@@ -182,6 +178,14 @@ lanplus_encrypt_aes_cbc_128(const uint8_t * iv,
printbuf(input, input_length, "encrypting this data");
}
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL) {
+ lprintf(LOG_DEBUG, "ERROR: EVP_CIPHER_CTX_new() failed");
+ return;
+ }
+ EVP_CIPHER_CTX_init(ctx);
+ EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv);
+ EVP_CIPHER_CTX_set_padding(ctx, 0);
/*
* The default implementation adds a whole block of padding if the input
@@ -191,28 +195,28 @@ lanplus_encrypt_aes_cbc_128(const uint8_t * iv,
assert((input_length % IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE) == 0);
- if(!EVP_EncryptUpdate(&ctx, output, (int *)bytes_written, input, input_length))
+ if(!EVP_EncryptUpdate(ctx, output, (int *)bytes_written, input, input_length))
{
/* Error */
*bytes_written = 0;
- return;
}
else
{
uint32_t tmplen;
- if(!EVP_EncryptFinal_ex(&ctx, output + *bytes_written, (int *)&tmplen))
+ if(!EVP_EncryptFinal_ex(ctx, output + *bytes_written, (int *)&tmplen))
{
+ /* Error */
*bytes_written = 0;
- return; /* Error */
}
else
{
/* Success */
*bytes_written += tmplen;
- EVP_CIPHER_CTX_cleanup(&ctx);
}
}
+ /* performs cleanup and free */
+ EVP_CIPHER_CTX_free(ctx);
}
@@ -239,11 +243,7 @@ lanplus_decrypt_aes_cbc_128(const uint8_t * iv,
uint8_t * output,
uint32_t * bytes_written)
{
- EVP_CIPHER_CTX ctx;
- EVP_CIPHER_CTX_init(&ctx);
- EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, iv);
- EVP_CIPHER_CTX_set_padding(&ctx, 0);
-
+ EVP_CIPHER_CTX *ctx = NULL;
if (verbose >= 5)
{
@@ -252,12 +252,20 @@ lanplus_decrypt_aes_cbc_128(const uint8_t * iv,
printbuf(input, input_length, "decrypting this data");
}
-
*bytes_written = 0;
if (input_length == 0)
return;
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL) {
+ lprintf(LOG_DEBUG, "ERROR: EVP_CIPHER_CTX_new() failed");
+ return;
+ }
+ EVP_CIPHER_CTX_init(ctx);
+ EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv);
+ EVP_CIPHER_CTX_set_padding(ctx, 0);
+
/*
* The default implementation adds a whole block of padding if the input
* data is perfectly aligned. We would like to keep that from happening.
@@ -266,33 +274,33 @@ lanplus_decrypt_aes_cbc_128(const uint8_t * iv,
assert((input_length % IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE) == 0);
- if (!EVP_DecryptUpdate(&ctx, output, (int *)bytes_written, input, input_length))
+ if (!EVP_DecryptUpdate(ctx, output, (int *)bytes_written, input, input_length))
{
/* Error */
lprintf(LOG_DEBUG, "ERROR: decrypt update failed");
*bytes_written = 0;
- return;
}
else
{
uint32_t tmplen;
- if (!EVP_DecryptFinal_ex(&ctx, output + *bytes_written, (int *)&tmplen))
+ if (!EVP_DecryptFinal_ex(ctx, output + *bytes_written, (int *)&tmplen))
{
+ /* Error */
char buffer[1000];
ERR_error_string(ERR_get_error(), buffer);
lprintf(LOG_DEBUG, "the ERR error %s", buffer);
lprintf(LOG_DEBUG, "ERROR: decrypt final failed");
*bytes_written = 0;
- return; /* Error */
}
else
{
/* Success */
*bytes_written += tmplen;
- EVP_CIPHER_CTX_cleanup(&ctx);
}
}
+ /* performs cleanup and free */
+ EVP_CIPHER_CTX_free(ctx);
if (verbose >= 5)
{

41
meta-oe/recipes-kernel/ipmitool/ipmitool/0001-configure-Remove-the-logic-to-download-IANA-PEN-data.patch Normal file
View File

@ -0,0 +1,41 @@
From 63d72f97bd106dd2101cd7fdac6df4f7a053d67c Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Fri, 2 Sep 2022 08:27:39 -0700
Subject: [PATCH] configure: Remove the logic to download IANA PEN database
during configure
OE will do all downloading before it starts to configure therefore this
step is moved out into bitbake recipe, so we can make it immutable build
Upstream-Status: Inappropriate [OE-Specific]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
configure.ac | 16 +---------------
1 file changed, 1 insertion(+), 15 deletions(-)
--- a/configure.ac
+++ b/configure.ac
@@ -56,21 +56,7 @@ if test "x$exec_prefix" = "xNONE"; then
exec_prefix="$prefix"
fi
-if test "x$WGET" = "x"; then
- if test "x$CURL" = "x"; then
- AC_MSG_WARN([** Neither wget nor curl could be found.])
- AC_MSG_WARN([** IANA PEN database will not be installed by `make install` !])
- else
- DOWNLOAD="$CURL --location --progress-bar"
- AM_CONDITIONAL([DOWNLOAD], [true])
- fi
-else
- DOWNLOAD="$WGET -c -nd -O -"
- AM_CONDITIONAL([DOWNLOAD], [true])
-fi
-
-AC_MSG_WARN([** Download is:])
-AC_MSG_WARN($DOWNLOAD)
+AM_CONDITIONAL([DOWNLOAD], [false])
AC_SUBST(DOWNLOAD, $DOWNLOAD)
dnl

53
meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
View File

@ -1,53 +0,0 @@
From 24aed93efb30a8f557aedc2f03b6ccec758ccbf4 Mon Sep 17 00:00:00 2001
From: Chrostoper Ertl <chertl@microsoft.com>
Date: Thu, 28 Nov 2019 16:44:18 +0000
Subject: [PATCH 1/5] fru: Fix buffer overflow in ipmi_spd_print_fru
Partial fix for CVE-2020-5208, see
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
The `ipmi_spd_print_fru` function has a similar issue as the one fixed
by the previous commit in `read_fru_area_section`. An initial request is
made to get the `fru.size`, which is used as the size for the allocation
of `spd_data`. Inside a loop, further requests are performed to get the
copy sizes which are not checked before being used as the size for a
copy into the buffer.
Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/840fb1cbb4fb365cb9797300e3374d4faefcdb10]
CVE: CVE-2020-5208
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
---
lib/dimm_spd.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c
index 91ae117..4c9c21d 100644
--- a/lib/dimm_spd.c
+++ b/lib/dimm_spd.c
@@ -1014,7 +1014,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
struct ipmi_rq req;
struct fru_info fru;
uint8_t *spd_data, msg_data[4];
- int len, offset;
+ uint32_t len, offset;
msg_data[0] = id;
@@ -1091,6 +1091,13 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
}
len = rsp->data[0];
+ if(rsp->data_len < 1
+ || len > rsp->data_len - 1
+ || len > fru.size - offset)
+ {
+ printf(" Not enough buffer size");
+ return -1;
+ }
memcpy(&spd_data[offset], rsp->data + 1, len);
offset += len;
} while (offset < fru.size);
--
1.9.1

133
meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch
View File

@ -1,133 +0,0 @@
From e824c23316ae50beb7f7488f2055ac65e8b341f2 Mon Sep 17 00:00:00 2001
From: Chrostoper Ertl <chertl@microsoft.com>
Date: Thu, 28 Nov 2019 16:33:59 +0000
Subject: [PATCH] fru: Fix buffer overflow vulnerabilities
Partial fix for CVE-2020-5208, see
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
The `read_fru_area_section` function only performs size validation of
requested read size, and falsely assumes that the IPMI message will not
respond with more than the requested amount of data; it uses the
unvalidated response size to copy into `frubuf`. If the response is
larger than the request, this can result in overflowing the buffer.
The same issue affects the `read_fru_area` function.
Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2]
CVE: CVE-2020-5208
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
---
lib/ipmi_fru.c | 33 +++++++++++++++++++++++++++++++--
1 file changed, 31 insertions(+), 2 deletions(-)
diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c
index c2a139d..2e323ff 100644
--- a/lib/ipmi_fru.c
+++ b/lib/ipmi_fru.c
@@ -663,7 +663,10 @@ int
read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
uint32_t offset, uint32_t length, uint8_t *frubuf)
{
- uint32_t off = offset, tmp, finish;
+ uint32_t off = offset;
+ uint32_t tmp;
+ uint32_t finish;
+ uint32_t size_left_in_buffer;
struct ipmi_rs * rsp;
struct ipmi_rq req;
uint8_t msg_data[4];
@@ -676,10 +679,12 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
finish = offset + length;
if (finish > fru->size) {
+ memset(frubuf + fru->size, 0, length - fru->size);
finish = fru->size;
lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
"Adjusting to %d",
offset + length, finish - offset);
+ length = finish - offset;
}
memset(&req, 0, sizeof(req));
@@ -715,6 +720,7 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
}
}
+ size_left_in_buffer = length;
do {
tmp = fru->access ? off >> 1 : off;
msg_data[0] = id;
@@ -756,9 +762,18 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
}
tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
+ if(rsp->data_len < 1
+ || tmp > rsp->data_len - 1
+ || tmp > size_left_in_buffer)
+ {
+ printf(" Not enough buffer size");
+ return -1;
+ }
+
memcpy(frubuf, rsp->data + 1, tmp);
off += tmp;
frubuf += tmp;
+ size_left_in_buffer -= tmp;
/* sometimes the size returned in the Info command
* is too large. return 0 so higher level function
* still attempts to parse what was returned */
@@ -791,7 +806,9 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
uint32_t offset, uint32_t length, uint8_t *frubuf)
{
static uint32_t fru_data_rqst_size = 20;
- uint32_t off = offset, tmp, finish;
+ uint32_t off = offset;
+ uint32_t tmp, finish;
+ uint32_t size_left_in_buffer;
struct ipmi_rs * rsp;
struct ipmi_rq req;
uint8_t msg_data[4];
@@ -804,10 +821,12 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
finish = offset + length;
if (finish > fru->size) {
+ memset(frubuf + fru->size, 0, length - fru->size);
finish = fru->size;
lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
"Adjusting to %d",
offset + length, finish - offset);
+ length = finish - offset;
}
memset(&req, 0, sizeof(req));
@@ -822,6 +841,8 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
if (fru->access && fru_data_rqst_size > 16)
#endif
fru_data_rqst_size = 16;
+
+ size_left_in_buffer = length;
do {
tmp = fru->access ? off >> 1 : off;
msg_data[0] = id;
@@ -853,8 +874,16 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
}
tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
+ if(rsp->data_len < 1
+ || tmp > rsp->data_len - 1
+ || tmp > size_left_in_buffer)
+ {
+ printf(" Not enough buffer size");
+ return -1;
+ }
memcpy((frubuf + off)-offset, rsp->data + 1, tmp);
off += tmp;
+ size_left_in_buffer -= tmp;
/* sometimes the size returned in the Info command
* is too large. return 0 so higher level function
--
2.17.1

41
meta-oe/recipes-kernel/ipmitool/ipmitool/0001-hpmfwupg-move-variable-definition-to-.c-file.patch
View File

@ -1,41 +0,0 @@
From 3f7bb7218181745ca7762c1b4832cbb1c9e692f5 Mon Sep 17 00:00:00 2001
From: Vaclav Dolezal <vdolezal@redhat.com>
Date: Thu, 23 Jan 2020 11:26:32 +0100
Subject: [PATCH] hpmfwupg: move variable definition to .c file
Upstream-Status: Pending
Signed-off-by: Vaclav Dolezal <vdolezal@redhat.com>
---
include/ipmitool/ipmi_hpmfwupg.h | 2 +-
lib/ipmi_hpmfwupg.c | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/ipmitool/ipmi_hpmfwupg.h b/include/ipmitool/ipmi_hpmfwupg.h
index de65292..07f597b 100644
--- a/include/ipmitool/ipmi_hpmfwupg.h
+++ b/include/ipmitool/ipmi_hpmfwupg.h
@@ -800,7 +800,7 @@ typedef struct _VERSIONINFO {
char descString[HPMFWUPG_DESC_STRING_LENGTH + 1];
}VERSIONINFO, *PVERSIONINFO;
-VERSIONINFO gVersionInfo[HPMFWUPG_COMPONENT_ID_MAX];
+extern VERSIONINFO gVersionInfo[HPMFWUPG_COMPONENT_ID_MAX];
#define TARGET_VER (0x01)
#define ROLLBACK_VER (0x02)
diff --git a/lib/ipmi_hpmfwupg.c b/lib/ipmi_hpmfwupg.c
index bbcffc0..d7cdcd6 100644
--- a/lib/ipmi_hpmfwupg.c
+++ b/lib/ipmi_hpmfwupg.c
@@ -58,6 +58,8 @@ ipmi_intf_get_max_request_data_size(struct ipmi_intf * intf);
extern int verbose;
+VERSIONINFO gVersionInfo[HPMFWUPG_COMPONENT_ID_MAX];
+
int HpmfwupgUpgrade(struct ipmi_intf *intf, char *imageFilename,
int activate, int, int);
int HpmfwupgValidateImageIntegrity(struct HpmfwupgUpgradeCtx *pFwupgCtx);
--
2.28.0

34
meta-oe/recipes-kernel/ipmitool/ipmitool/0001-ipmi_fru.c-Provide-missing-function-declarations.patch Normal file
View File

@ -0,0 +1,34 @@
From e5bbf96edf776821f29ab67baed22a690bf8ab10 Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Fri, 2 Sep 2022 07:30:10 -0700
Subject: [PATCH] ipmi_fru.c: Provide missing function declarations
Fixes build with clang-15+
Upstream-Status: Submitted [https://github.com/ipmitool/ipmitool/pull/360]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
lib/ipmi_fru.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c
index 3d1d8a1..5c5661c 100644
--- a/lib/ipmi_fru.c
+++ b/lib/ipmi_fru.c
@@ -60,6 +60,13 @@ static const char *section_id[4] = {
"Board Section",
"Product Section"
};
+/* From lib/ipmi_hpmfwupg.c: */
+uint16_t
+ipmi_intf_get_max_request_data_size(struct ipmi_intf * intf);
+
+/* From src/plugins/ipmi_intf.c: */
+uint16_t
+ipmi_intf_get_max_response_data_size(struct ipmi_intf * intf);
static const char * combined_voltage_desc[] = {
"12 V",
--
2.37.3

53
meta-oe/recipes-kernel/ipmitool/ipmitool/0002-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch
View File

@ -1,53 +0,0 @@
From 81144cfba131b4ddbfcf9c530274b23bfc7e0ea8 Mon Sep 17 00:00:00 2001
From: Chrostoper Ertl <chertl@microsoft.com>
Date: Thu, 28 Nov 2019 16:51:49 +0000
Subject: [PATCH 2/5] session: Fix buffer overflow in ipmi_get_session_info
Partial fix for CVE-2020-5208, see
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
The `ipmi_get_session_info` function does not properly check the
response `data_len`, which is used as a copy size, allowing stack buffer
overflow.
Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22]
CVE: CVE-2020-5208
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
---
lib/ipmi_session.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/lib/ipmi_session.c b/lib/ipmi_session.c
index 4855bc4..71bef4c 100644
--- a/lib/ipmi_session.c
+++ b/lib/ipmi_session.c
@@ -319,8 +319,10 @@ ipmi_get_session_info(struct ipmi_intf * intf,
}
else
{
- memcpy(&session_info, rsp->data, rsp->data_len);
- print_session_info(&session_info, rsp->data_len);
+ memcpy(&session_info, rsp->data,
+ __min(rsp->data_len, sizeof(session_info)));
+ print_session_info(&session_info,
+ __min(rsp->data_len, sizeof(session_info)));
}
break;
@@ -351,8 +353,10 @@ ipmi_get_session_info(struct ipmi_intf * intf,
break;
}
- memcpy(&session_info, rsp->data, rsp->data_len);
- print_session_info(&session_info, rsp->data_len);
+ memcpy(&session_info, rsp->data,
+ __min(rsp->data_len, sizeof(session_info)));
+ print_session_info(&session_info,
+ __min(rsp->data_len, sizeof(session_info)));
} while (i <= session_info.session_slot_count);
break;
--
1.9.1

69
meta-oe/recipes-kernel/ipmitool/ipmitool/0003-channel-Fix-buffer-overflow.patch
View File

@ -1,69 +0,0 @@
From 5057761e30e3a7682edab60f98f631616392ddc6 Mon Sep 17 00:00:00 2001
From: Chrostoper Ertl <chertl@microsoft.com>
Date: Thu, 28 Nov 2019 16:56:38 +0000
Subject: [PATCH 3/3] channel: Fix buffer overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Partial fix for CVE-2020-5208, see
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
The `ipmi_get_channel_cipher_suites` function does not properly check
the final responses `data_len`, which can lead to stack buffer overflow
on the final copy.
Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4]
CVE: CVE-2020-5208
[Make some changes to apply it]
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
---
include/ipmitool/ipmi_channel.h | 2 ++
lib/ipmi_channel.c | 10 ++++++++--
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/include/ipmitool/ipmi_channel.h b/include/ipmitool/ipmi_channel.h
index b138c26..d7cce5e 100644
--- a/include/ipmitool/ipmi_channel.h
+++ b/include/ipmitool/ipmi_channel.h
@@ -77,6 +77,8 @@ struct channel_access_t {
uint8_t user_level_auth;
};
+#define MAX_CIPHER_SUITE_DATA_LEN 0x10
+
/*
* The Get Authentication Capabilities response structure
* From table 22-15 of the IPMI v2.0 spec
diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c
index fab2e54..76ecdcd 100644
--- a/lib/ipmi_channel.c
+++ b/lib/ipmi_channel.c
@@ -378,7 +378,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type,
lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
return -1;
}
- if (rsp->ccode > 0) {
+ if (rsp->ccode
+ || rsp->data_len < 1
+ || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN)
+ {
lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
val2str(rsp->ccode, completion_code_vals));
return -1;
@@ -413,7 +416,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type,
lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
return -1;
}
- if (rsp->ccode > 0) {
+ if (rsp->ccode
+ || rsp->data_len < 1
+ || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN)
+ {
lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
val2str(rsp->ccode, completion_code_vals));
return -1;
--
2.18.1

94
meta-oe/recipes-kernel/ipmitool/ipmitool/0004-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
View File

@ -1,94 +0,0 @@
From e6aa6076f65e71544bd6450d20d943d7baaccb9f Mon Sep 17 00:00:00 2001
From: Chrostoper Ertl <chertl@microsoft.com>
Date: Thu, 28 Nov 2019 17:06:39 +0000
Subject: [PATCH 4/5] lanp: Fix buffer overflows in get_lan_param_select
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Partial fix for CVE-2020-5208, see
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
The `get_lan_param_select` function is missing a validation check on the
responses `data_len`, which it then returns to caller functions, where
stack buffer overflow can occur.
Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/d45572d71e70840e0d4c50bf48218492b79c1a10]
CVE: CVE-2020-5208
[Make some changes to apply it]
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
---
lib/ipmi_lanp.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/lib/ipmi_lanp.c b/lib/ipmi_lanp.c
index 060e753..dee21ee 100644
--- a/lib/ipmi_lanp.c
+++ b/lib/ipmi_lanp.c
@@ -1917,7 +1917,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
if (p == NULL) {
return (-1);
}
- memcpy(data, p->data, p->data_len);
+ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
/* set new ipaddr */
memcpy(data+3, temp, 4);
printf("Setting LAN Alert %d IP Address to %d.%d.%d.%d\n", alert,
@@ -1932,7 +1932,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
if (p == NULL) {
return (-1);
}
- memcpy(data, p->data, p->data_len);
+ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
/* set new macaddr */
memcpy(data+7, temp, 6);
printf("Setting LAN Alert %d MAC Address to "
@@ -1947,7 +1947,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
if (p == NULL) {
return (-1);
}
- memcpy(data, p->data, p->data_len);
+ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
if (strncasecmp(argv[1], "def", 3) == 0 ||
strncasecmp(argv[1], "default", 7) == 0) {
@@ -1973,7 +1973,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
if (p == NULL) {
return (-1);
}
- memcpy(data, p->data, p->data_len);
+ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
if (strncasecmp(argv[1], "on", 2) == 0 ||
strncasecmp(argv[1], "yes", 3) == 0) {
@@ -1998,7 +1998,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
if (p == NULL) {
return (-1);
}
- memcpy(data, p->data, p->data_len);
+ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
if (strncasecmp(argv[1], "pet", 3) == 0) {
printf("Setting LAN Alert %d destination to PET Trap\n", alert);
@@ -2026,7 +2026,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
if (p == NULL) {
return (-1);
}
- memcpy(data, p->data, p->data_len);
+ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
if (str2uchar(argv[1], &data[2]) != 0) {
lprintf(LOG_ERR, "Invalid time: %s", argv[1]);
@@ -2042,7 +2042,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
if (p == NULL) {
return (-1);
}
- memcpy(data, p->data, p->data_len);
+ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
if (str2uchar(argv[1], &data[3]) != 0) {
lprintf(LOG_ERR, "Invalid retry: %s", argv[1]);
--
1.9.1

142
meta-oe/recipes-kernel/ipmitool/ipmitool/0005-fru-sdr-Fix-id_string-buffer-overflows.patch
View File

@ -1,142 +0,0 @@
From 26e64ca78ae844c5ceedde89531e2924d7d4594c Mon Sep 17 00:00:00 2001
From: Chrostoper Ertl <chertl@microsoft.com>
Date: Thu, 28 Nov 2019 17:13:45 +0000
Subject: [PATCH 5/5] fru, sdr: Fix id_string buffer overflows
Final part of the fixes for CVE-2020-5208, see
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
9 variants of stack buffer overflow when parsing `id_string` field of
SDR records returned from `CMD_GET_SDR` command.
SDR record structs have an `id_code` field, and an `id_string` `char`
array.
The length of `id_string` is calculated as `(id_code & 0x1f) + 1`,
which can be larger than expected 16 characters (if `id_code = 0xff`,
then length will be `(0xff & 0x1f) + 1 = 32`).
In numerous places, this can cause stack buffer overflow when copying
into fixed buffer of size `17` bytes from this calculated length.
Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/7ccea283dd62a05a320c1921e3d8d71a87772637]
CVE: CVE-2020-5208
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
---
lib/ipmi_fru.c | 2 +-
lib/ipmi_sdr.c | 40 ++++++++++++++++++++++++----------------
2 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c
index b71ea23..1decea2 100644
--- a/lib/ipmi_fru.c
+++ b/lib/ipmi_fru.c
@@ -3038,7 +3038,7 @@ ipmi_fru_print(struct ipmi_intf * intf, struct sdr_record_fru_locator * fru)
return 0;
memset(desc, 0, sizeof(desc));
- memcpy(desc, fru->id_string, fru->id_code & 0x01f);
+ memcpy(desc, fru->id_string, __min(fru->id_code & 0x01f, sizeof(desc)));
desc[fru->id_code & 0x01f] = 0;
printf("FRU Device Description : %s (ID %d)\n", desc, fru->device_id);
diff --git a/lib/ipmi_sdr.c b/lib/ipmi_sdr.c
index fa7b082..175a86f 100644
--- a/lib/ipmi_sdr.c
+++ b/lib/ipmi_sdr.c
@@ -2113,7 +2113,7 @@ ipmi_sdr_print_sensor_eventonly(struct ipmi_intf *intf,
return -1;
memset(desc, 0, sizeof (desc));
- snprintf(desc, (sensor->id_code & 0x1f) + 1, "%s", sensor->id_string);
+ snprintf(desc, sizeof(desc), "%.*s", (sensor->id_code & 0x1f) + 1, sensor->id_string);
if (verbose) {
printf("Sensor ID : %s (0x%x)\n",
@@ -2164,7 +2164,7 @@ ipmi_sdr_print_sensor_mc_locator(struct ipmi_intf *intf,
return -1;
memset(desc, 0, sizeof (desc));
- snprintf(desc, (mc->id_code & 0x1f) + 1, "%s", mc->id_string);
+ snprintf(desc, sizeof(desc), "%.*s", (mc->id_code & 0x1f) + 1, mc->id_string);
if (verbose == 0) {
if (csv_output)
@@ -2257,7 +2257,7 @@ ipmi_sdr_print_sensor_generic_locator(struct ipmi_intf *intf,
char desc[17];
memset(desc, 0, sizeof (desc));
- snprintf(desc, (dev->id_code & 0x1f) + 1, "%s", dev->id_string);
+ snprintf(desc, sizeof(desc), "%.*s", (dev->id_code & 0x1f) + 1, dev->id_string);
if (!verbose) {
if (csv_output)
@@ -2314,7 +2314,7 @@ ipmi_sdr_print_sensor_fru_locator(struct ipmi_intf *intf,
char desc[17];
memset(desc, 0, sizeof (desc));
- snprintf(desc, (fru->id_code & 0x1f) + 1, "%s", fru->id_string);
+ snprintf(desc, sizeof(desc), "%.*s", (fru->id_code & 0x1f) + 1, fru->id_string);
if (!verbose) {
if (csv_output)
@@ -2518,35 +2518,43 @@ ipmi_sdr_print_name_from_rawentry(struct ipmi_intf *intf,uint16_t id,
int rc =0;
char desc[17];
+ const char *id_string;
+ uint8_t id_code;
memset(desc, ' ', sizeof (desc));
switch ( type) {
case SDR_RECORD_TYPE_FULL_SENSOR:
record.full = (struct sdr_record_full_sensor *) raw;
- snprintf(desc, (record.full->id_code & 0x1f) +1, "%s",
- (const char *)record.full->id_string);
+ id_code = record.full->id_code;
+ id_string = record.full->id_string;
break;
+
case SDR_RECORD_TYPE_COMPACT_SENSOR:
record.compact = (struct sdr_record_compact_sensor *) raw ;
- snprintf(desc, (record.compact->id_code & 0x1f) +1, "%s",
- (const char *)record.compact->id_string);
+ id_code = record.compact->id_code;
+ id_string = record.compact->id_string;
break;
+
case SDR_RECORD_TYPE_EVENTONLY_SENSOR:
record.eventonly = (struct sdr_record_eventonly_sensor *) raw ;
- snprintf(desc, (record.eventonly->id_code & 0x1f) +1, "%s",
- (const char *)record.eventonly->id_string);
- break;
+ id_code = record.eventonly->id_code;
+ id_string = record.eventonly->id_string;
+ break;
+
case SDR_RECORD_TYPE_MC_DEVICE_LOCATOR:
record.mcloc = (struct sdr_record_mc_locator *) raw ;
- snprintf(desc, (record.mcloc->id_code & 0x1f) +1, "%s",
- (const char *)record.mcloc->id_string);
+ id_code = record.mcloc->id_code;
+ id_string = record.mcloc->id_string;
break;
+
default:
rc = -1;
- break;
- }
+ }
+ if (!rc) {
+ snprintf(desc, sizeof(desc), "%.*s", (id_code & 0x1f) + 1, id_string);
+ }
- lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc);
+ lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc);
return rc;
}
--
1.9.1

31
meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.18.bb → meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.19.bb
View File

@ -21,24 +21,31 @@ LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://COPYING;md5=9aa91e13d644326bf281924212862184"
DEPENDS = "openssl readline ncurses"
SRC_URI = "${SOURCEFORGE_MIRROR}/ipmitool/ipmitool-${PV}.tar.bz2 \
file://0001-Migrate-to-openssl-1.1.patch \
file://0001-fru-Fix-buffer-overflow-vulnerabilities.patch \
file://0001-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch \
file://0002-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch \
file://0003-channel-Fix-buffer-overflow.patch \
file://0004-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch \
file://0005-fru-sdr-Fix-id_string-buffer-overflows.patch \
file://0001-hpmfwupg-move-variable-definition-to-.c-file.patch \
SRCREV = "19d78782d795d0cf4ceefe655f616210c9143e62"
SRC_URI = "git://github.com/ipmitool/ipmitool;protocol=https;branch=master \
${IANA_ENTERPRISE_NUMBERS} \
file://0001-ipmi_fru.c-Provide-missing-function-declarations.patch \
file://0001-configure-Remove-the-logic-to-download-IANA-PEN-data.patch \
"
SRC_URI[md5sum] = "bab7ea104c7b85529c3ef65c54427aa3"
SRC_URI[sha256sum] = "0c1ba3b1555edefb7c32ae8cd6a3e04322056bc087918f07189eeedfc8b81e01"
IANA_ENTERPRISE_NUMBERS ?= ""
# Add these via bbappend if this database is needed by the system
#IANA_ENTERPRISE_NUMBERS ?= "http://www.iana.org/assignments/enterprise-numbers;name=iana-enterprise-numbers;downloadfilename=iana-enterprise-numbers"
#SRC_URI[iana-enterprise-numbers.sha256sum] = "cdd97fc08325667434b805eb589104ae63f7a9eb720ecea73cb55110b383934c"
S = "${WORKDIR}/git"
inherit autotools
do_install:append() {
if [ -e ${WORKDIR}/iana-enterprise-numbers ]; then
install -Dm 0755 ${WORKDIR}/iana-enterprise-numbers ${D}${datadir}/misc/enterprise-numbers
fi
}
PACKAGES =+ "${PN}-ipmievd"
FILES:${PN}-ipmievd += "${sbindir}/ipmievd"
FILES:${PN} += "${datadir}/misc"
# --disable-dependency-tracking speeds up the build
# --enable-file-security adds some security checks