!65 [sync] PR-63: fix CVE-2022-30767

From: @openeuler-sync-bot 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng

backport-CVE-2022-30767.patch

@@ -0,0 +1,44 @@
+From bdbf7a05e26f3c5fd437c99e2755ffde186ddc80 Mon Sep 17 00:00:00 2001
+From: Andrea zi0Black Cappa <zi0Black@protonmail.com>
+Date: Wed, 18 May 2022 16:30:08 +0000
+Subject: [PATCH] net: nfs: Fix CVE-2022-30767 (old CVE-2019-14196)
+
+This patch mitigates the vulnerability identified via CVE-2019-14196.
+
+The previous patch was bypassed/ineffective, and now the vulnerability
+is identified via CVE-2022-30767. The patch removes the sanity check
+introduced to mitigate CVE-2019-14196 since it's ineffective.
+filefh3_length is changed to unsigned type integer, preventing negative
+numbers from being used during comparison with positive values during
+size sanity checks.
+
+Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com>
+---
+ net/nfs.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/net/nfs.c b/net/nfs.c
+index 3c01cebd96..9152ab742e 100644
+--- a/net/nfs.c
++++ b/net/nfs.c
+@@ -52,7 +52,7 @@ static const ulong nfs_timeout = CONFIG_NFS_TIMEOUT;
+ 
+ static char dirfh[NFS_FHSIZE];	/* NFSv2 / NFSv3 file handle of directory */
+ static char filefh[NFS3_FHSIZE]; /* NFSv2 / NFSv3 file handle */
+-static int filefh3_length;	/* (variable) length of filefh when NFSv3 */
++static unsigned int filefh3_length;	/* (variable) length of filefh when NFSv3 */
+ 
+ static enum net_loop_state nfs_download_state;
+ static struct in_addr nfs_server_ip;
+@@ -573,8 +573,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
+ 		filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
+ 		if (filefh3_length > NFS3_FHSIZE)
+ 			filefh3_length  = NFS3_FHSIZE;
+-		if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len)
+-			return -NFS_RPC_DROP;
+ 		memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
+ 	}
+ 
+-- 
+GitLab
+

backport-CVE-2022-33967.patch

@@ -0,0 +1,52 @@
+From e40e9a32dd411f444d6e2ed73c517ee584a386ae Mon Sep 17 00:00:00 2001
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+Date: Wed, 20 Jul 2022 09:18:20 +0000
+Subject: [PATCH] fs/squashfs: Use kcalloc when relevant 
+A crafted squashfs image could embed a huge number of empty metadata
+blocks in order to make the amount of malloc()'d memory overflow and be
+much smaller than expected. Because of this flaw, any random code
+positioned at the right location in the squashfs image could be memcpy'd
+from the squashfs structures into U-Boot code location while trying to
+access the rearmost blocks, before being executed.
+
+In order to prevent this vulnerability from being exploited in eg. a
+secure boot environment, let's add a check over the amount of data
+that is going to be allocated. Such a check could look like:
+
+if (!elem_size || n > SIZE_MAX / elem_size)
+	return NULL;
+
+The right way to do it would be to enhance the calloc() implementation
+but this is quite an impacting change for such a small fix. Another
+solution would be to add the check before the malloc call in the
+squashfs implementation, but this does not look right. So for now, let's
+use the kcalloc() compatibility function fro...
+---
+ fs/squashfs/sqfs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
+index 92ab8ac6..ef4b5836 100644
+--- a/fs/squashfs/sqfs.c
++++ b/fs/squashfs/sqfs.c
+@@ -13,6 +13,7 @@
+ #include <linux/types.h>
+ #include <linux/byteorder/little_endian.h>
+ #include <linux/byteorder/generic.h>
++#include <linux/compat.h>
+ #include <memalign.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -725,7 +726,8 @@ static int sqfs_read_inode_table(unsigned char **inode_table)
+ 		goto free_itb;
+ 	}
+ 
+-	*inode_table = malloc(metablks_count * SQFS_METADATA_BLOCK_SIZE);
++	*inode_table = kcalloc(metablks_count, SQFS_METADATA_BLOCK_SIZE,
++			       GFP_KERNEL);
+ 	if (!*inode_table) {
+ 		ret = -ENOMEM;
+ 		goto free_itb;
+-- 
+2.33.0
+

backport-CVE-2022-34835.patch

@@ -0,0 +1,118 @@
+From 8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <nicolas.iooss+uboot@ledger.fr>
+Date: Fri, 10 Jun 2022 14:50:25 +0000
+Subject: [PATCH] i2c: fix stack buffer overflow vulnerability in i2c md
+ command
+
+When running "i2c md 0 0 80000100", the function do_i2c_md parses the
+length into an unsigned int variable named length. The value is then
+moved to a signed variable:
+
+    int nbytes = length;
+    #define DISP_LINE_LEN 16
+    int linebytes = (nbytes > DISP_LINE_LEN) ? DISP_LINE_LEN : nbytes;
+    ret = dm_i2c_read(dev, addr, linebuf, linebytes);
+
+On systems where integers are 32 bits wide, 0x80000100 is a negative
+value to "nbytes > DISP_LINE_LEN" is false and linebytes gets assigned
+0x80000100 instead of 16.
+
+The consequence is that the function which reads from the i2c device
+(dm_i2c_read or i2c_read) is called with a 16-byte stack buffer to fill
+but with a size parameter which is too large. In some cases, this could
+trigger a crash. But with some i2c drivers, such as drivers/i2c/nx_i2c.c
+(used with "nexell,s5pxx18-i2c" bus), the size is actually truncated to
+a 16-bit integer. This is because function i2c_transfer expects an
+unsigned short length. In such a case, an attacker who can control the
+response of an i2c device can overwrite the return address of a function
+and execute arbitrary code through Return-Oriented Programming.
+
+Fix this issue by using unsigned integers types in do_i2c_md. While at
+it, make also alen unsigned, as signed sizes can cause vulnerabilities
+when people forgot to check that they can be negative.
+
+Signed-off-by: Nicolas Iooss <nicolas.iooss+uboot@ledger.fr>
+Reviewed-by: Heiko Schocher <hs@denx.de>
+---
+ cmd/i2c.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/cmd/i2c.c b/cmd/i2c.c
+index 9050b2b8d27a..bd04b14024be 100644
+--- a/cmd/i2c.c
++++ b/cmd/i2c.c
+@@ -200,10 +200,10 @@ void i2c_init_board(void)
+  *
+  * Returns the address length.
+  */
+-static uint get_alen(char *arg, int default_len)
++static uint get_alen(char *arg, uint default_len)
+ {
+-	int	j;
+-	int	alen;
++	uint	j;
++	uint	alen;
+ 
+ 	alen = default_len;
+ 	for (j = 0; j < 8; j++) {
+@@ -247,7 +247,7 @@ static int do_i2c_read(struct cmd_tbl *cmdtp, int flag, int argc,
+ {
+ 	uint	chip;
+ 	uint	devaddr, length;
+-	int alen;
++	uint	alen;
+ 	u_char  *memaddr;
+ 	int ret;
+ #if CONFIG_IS_ENABLED(DM_I2C)
+@@ -301,7 +301,7 @@ static int do_i2c_write(struct cmd_tbl *cmdtp, int flag, int argc,
+ {
+ 	uint	chip;
+ 	uint	devaddr, length;
+-	int alen;
++	uint	alen;
+ 	u_char  *memaddr;
+ 	int ret;
+ #if CONFIG_IS_ENABLED(DM_I2C)
+@@ -469,8 +469,8 @@ static int do_i2c_md(struct cmd_tbl *cmdtp, int flag, int argc,
+ {
+ 	uint	chip;
+ 	uint	addr, length;
+-	int alen;
+-	int	j, nbytes, linebytes;
++	uint	alen;
++	uint	j, nbytes, linebytes;
+ 	int ret;
+ #if CONFIG_IS_ENABLED(DM_I2C)
+ 	struct udevice *dev;
+@@ -589,9 +589,9 @@ static int do_i2c_mw(struct cmd_tbl *cmdtp, int flag, int argc,
+ {
+ 	uint	chip;
+ 	ulong	addr;
+-	int	alen;
++	uint	alen;
+ 	uchar	byte;
+-	int	count;
++	uint	count;
+ 	int ret;
+ #if CONFIG_IS_ENABLED(DM_I2C)
+ 	struct udevice *dev;
+@@ -676,8 +676,8 @@ static int do_i2c_crc(struct cmd_tbl *cmdtp, int flag, int argc,
+ {
+ 	uint	chip;
+ 	ulong	addr;
+-	int	alen;
+-	int	count;
++	uint	alen;
++	uint	count;
+ 	uchar	byte;
+ 	ulong	crc;
+ 	ulong	err;
+@@ -985,7 +985,7 @@ static int do_i2c_loop(struct cmd_tbl *cmdtp, int flag, int argc,
+ 		       char *const argv[])
+ {
+ 	uint	chip;
+-	int alen;
++	uint	alen;
+ 	uint	addr;
+ 	uint	length;
+ 	u_char	bytes[16];

uboot-tools.spec

@@ -3,9 +3,9 @@
 
 Name:           uboot-tools
 Version:        2021.10
-Release:        1
+Release:        7
 Summary:        tools for U-Boot
-License:        GPLv2+ BSD LGPL-2.1+ LGPL-2.0+
+License:        GPL-2.0-or-later and Public Domain and GPL-2.0-only
 URL:            http://www.denx.de/wiki/U-Boot
 Source0:        https://ftp.denx.de/pub/u-boot/u-boot-%{version}.tar.bz2
 Source1:        arm-boards
@@ -19,10 +19,14 @@ Patch6000:      backport-uefi-distro-load-FDT-from-any-partition-on-boot-device.
 Patch6001:      backport-AllWinner-PineTab.patch
 # RPI4
 Patch6002:      backport-rpi-Enable-using-the-DT-provided-by-the-Raspberry-Pi.patch
+Patch6003:	backport-CVE-2022-34835.patch
+Patch6004:      backport-CVE-2022-33967.patch
+Patch6005:	backport-CVE-2022-30767.patch
 
 BuildRequires:  bc dtc gcc make flex bison git-core openssl-devel
 BuildRequires:  python3-unversioned-command python3-devel python3-setuptools
 BuildRequires:  python3-libfdt python3-pyelftools SDL-devel swig
+BuildRequires:  perl
 # this required when /usr/bin/python link to python3
 BuildRequires:  python3-devel
 %if %{with_armv8}
@@ -241,6 +245,24 @@ cp -p board/warp7/README builds/docs/README.warp7
 %{_mandir}/man1/mkimage.1*
 
 %changelog
+* Wed Sep 28 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 2021.10-7
+- fix CVE-2022-30767
+
+* Wed Jul 20 2022 cenhuilin <cenhuilin@kylinos.cn> - 2021.10-6
+- fix CVE-2022-33967
+
+* Tue Jul 12 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 2021.10-5
+- fix CVE-2022-34835
+
+* Wed May 11 2022 liuyumeng <liuyumeng5@h-partners.com> - 2021.10-4
+- fix license error
+
+* Sat May 07 2022 liuyumeng <liuyumeng5@h-partners.com> - 2021.10-3
+- fix license error
+
+* Wed Apr 13 2022 yangcheng <yangcheng87@h-partners.com> - 2021.10-2
+- Add perl buildrequires to resolve compilation error
+
 * Mon Dec 6 2021 yangcheng <yangcheng87@huawei.com> - 2021.10-1
 - Upgrade to 2021.10