u-boot.git/net, branch v2022.07 Unnamed repository; edit this file 'description' to name the repository. net: Fix discuss discard typo 2022-06-16T22:51:07+00:00 Marek Vasut marex@denx.de 2022-05-01T16:43:55+00:00 3c07d639ede998cb682c284d1ffc4a3ddb062e13 Replace discuss with discard, that is what happens with packet with incorrect checksum. Fix the typo. Fixes: 4b37fd146bb ("Convert CONFIG_UDP_CHECKSUM to Kconfig") Signed-off-by: Marek Vasut <marex@denx.de> Cc: Ramon Fried <rfried.dev@gmail.com> Cc: Simon Glass <sjg@chromium.org> 
Replace discuss with discard, that is what happens with packet with
incorrect checksum. Fix the typo.

Fixes: 4b37fd146bb ("Convert CONFIG_UDP_CHECKSUM to Kconfig")
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Ramon Fried <rfried.dev@gmail.com>
Cc: Simon Glass <sjg@chromium.org>
net: Check for the minimum IP fragmented datagram size 2022-06-03T15:15:24+00:00 Fabio Estevam festevam@denx.de 2022-05-26T14:14:37+00:00 b85d130ea0cac152c21ec38ac9417b31d41b5552 Nicolas Bidron and Nicolas Guigo reported the two bugs below: " ----------BUG 1---------- In compiled versions of U-Boot that define CONFIG_IP_DEFRAG, a value of `ip->ip_len` (IP packet header's Total Length) higher than `IP_HDR_SIZE` and strictly lower than `IP_HDR_SIZE+8` will lead to a value for `len` comprised between `0` and `7`. This will ultimately result in a truncated division by `8` resulting value of `0` forcing the hole metadata and fragment to point to the same location. The subsequent memcopy will overwrite the hole metadata with the fragment data. Through a second fragment, this can be exploited to write to an arbitrary offset controlled by that overwritten hole metadata value. This bug is only exploitable locally as it requires crafting two packets the first of which would most likely be dropped through routing due to its unexpectedly low Total Length. However, this bug can potentially be exploited to root linux based embedded devices locally. ```C static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp) { static uchar pkt_buff[IP_PKTSIZE] __aligned(PKTALIGN); static u16 first_hole, total_len; struct hole *payload, *thisfrag, *h, *newh; struct ip_udp_hdr *localip = (struct ip_udp_hdr *)pkt_buff; uchar *indata = (uchar *)ip; int offset8, start, len, done = 0; u16 ip_off = ntohs(ip->ip_off); /* payload starts after IP header, this fragment is in there */ payload = (struct hole *)(pkt_buff + IP_HDR_SIZE); offset8 = (ip_off & IP_OFFS); thisfrag = payload + offset8; start = offset8 * 8; len = ntohs(ip->ip_len) - IP_HDR_SIZE; ``` The last line of the previous excerpt from `u-boot/net/net.c` shows how the attacker can control the value of `len` to be strictly lower than `8` by issuing a packet with `ip_len` between `21` and `27` (`IP_HDR_SIZE` has a value of `20`). Also note that `offset8` here is `0` which leads to `thisfrag = payload`. ```C } else if (h >= thisfrag) { /* overlaps with initial part of the hole: move this hole */ newh = thisfrag + (len / 8); *newh = *h; h = newh; if (h->next_hole) payload[h->next_hole].prev_hole = (h - payload); if (h->prev_hole) payload[h->prev_hole].next_hole = (h - payload); else first_hole = (h - payload); } else { ``` Lower down the same function, execution reaches the above code path. Here, `len / 8` evaluates to `0` leading to `newh = thisfrag`. Also note that `first_hole` here is `0` since `h` and `payload` point to the same location. ```C /* finally copy this fragment and possibly return whole packet */ memcpy((uchar *)thisfrag, indata + IP_HDR_SIZE, len); ``` Finally, in the above excerpt the `memcpy` overwrites the hole metadata since `thisfrag` and `h` both point to the same location. The hole metadata is effectively overwritten with arbitrary data from the fragmented IP packet data. If `len` was crafted to be `6`, `last_byte`, `next_hole`, and `prev_hole` of the `first_hole` can be controlled by the attacker. Finally the arbitrary offset write occurs through a second fragment that only needs to be crafted to write data in the hole pointed to by the previously controlled hole metadata (`next_hole`) from the first packet. ### Recommendation Handle cases where `len` is strictly lower than 8 by preventing the overwrite of the hole metadata during the memcpy of the fragment. This could be achieved by either: * Moving the location where the hole metadata is stored when `len` is lower than `8`. * Or outright rejecting fragmented IP datagram with a Total Length (`ip_len`) lower than 28 bytes which is the minimum valid fragmented IP datagram size (as defined as the minimum fragment of 8 octets in the IP Specification Document: [RFC791](https://datatracker.ietf.org/doc/html/rfc791) page 25). ----------BUG 2---------- In compiled versions of U-Boot that define CONFIG_IP_DEFRAG, a value of `ip->ip_len` (IP packet header's Total Length) lower than `IP_HDR_SIZE` will lead to a negative value for `len` which will ultimately result in a buffer overflow during the subsequent `memcpy` that uses `len` as it's `count` parameter. This bug is only exploitable on local ethernet as it requires crafting an invalid packet to include an unexpected `ip_len` value in the IP UDP header that's lower than the minimum accepted Total Length of a packet (21 as defined in the IP Specification Document: [RFC791](https://datatracker.ietf.org/doc/html/rfc791)). Such packet would in all likelihood be dropped while being routed to its final destination through most routing equipment and as such requires the attacker to be in a local position in order to be exploited. ```C static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp) { static uchar pkt_buff[IP_PKTSIZE] __aligned(PKTALIGN); static u16 first_hole, total_len; struct hole *payload, *thisfrag, *h, *newh; struct ip_udp_hdr *localip = (struct ip_udp_hdr *)pkt_buff; uchar *indata = (uchar *)ip; int offset8, start, len, done = 0; u16 ip_off = ntohs(ip->ip_off); /* payload starts after IP header, this fragment is in there */ payload = (struct hole *)(pkt_buff + IP_HDR_SIZE); offset8 = (ip_off & IP_OFFS); thisfrag = payload + offset8; start = offset8 * 8; len = ntohs(ip->ip_len) - IP_HDR_SIZE; ``` The last line of the previous excerpt from `u-boot/net/net.c` shows where the underflow to a negative `len` value occurs if `ip_len` is set to a value strictly lower than 20 (`IP_HDR_SIZE` being 20). Also note that in the above excerpt the `pkt_buff` buffer has a size of `CONFIG_NET_MAXDEFRAG` which defaults to 16 KB but can range from 1KB to 64 KB depending on configurations. ```C /* finally copy this fragment and possibly return whole packet */ memcpy((uchar *)thisfrag, indata + IP_HDR_SIZE, len); ``` In the above excerpt the `memcpy` overflows the destination by attempting to make a copy of nearly 4 gigabytes in a buffer that's designed to hold `CONFIG_NET_MAXDEFRAG` bytes at most which leads to a DoS. ### Recommendation Stop processing of the packet if `ip_len` is lower than 21 (as defined by the minimum length of a data carrying datagram in the IP Specification Document: [RFC791](https://datatracker.ietf.org/doc/html/rfc791) page 34)." Add a check for ip_len lesser than 28 and stop processing the packet in this case. Such a check covers the two reported bugs. Reported-by: Nicolas Bidron <nicolas.bidron@nccgroup.com> Signed-off-by: Fabio Estevam <festevam@denx.de> 
Nicolas Bidron and Nicolas Guigo reported the two bugs below:

"
----------BUG 1----------

In compiled versions of U-Boot that define CONFIG_IP_DEFRAG, a value of
`ip->ip_len` (IP packet header's Total Length) higher than `IP_HDR_SIZE`
and strictly lower than `IP_HDR_SIZE+8` will lead to a value for `len`
comprised between `0` and `7`. This will ultimately result in a
truncated division by `8` resulting value of `0` forcing the hole
metadata and fragment to point to the same location. The subsequent
memcopy will overwrite the hole metadata with the fragment data. Through
a second fragment, this can be exploited to write to an arbitrary offset
controlled by that overwritten hole metadata value.

This bug is only exploitable locally as it requires crafting two packets
the first of which would most likely be dropped through routing due to
its unexpectedly low Total Length. However, this bug can potentially be
exploited to root linux based embedded devices locally.

```C
static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
{
     static uchar pkt_buff[IP_PKTSIZE] __aligned(PKTALIGN);
     static u16 first_hole, total_len;
     struct hole *payload, *thisfrag, *h, *newh;
     struct ip_udp_hdr *localip = (struct ip_udp_hdr *)pkt_buff;
     uchar *indata = (uchar *)ip;
     int offset8, start, len, done = 0;
     u16 ip_off = ntohs(ip->ip_off);

     /* payload starts after IP header, this fragment is in there */
     payload = (struct hole *)(pkt_buff + IP_HDR_SIZE);
     offset8 =  (ip_off & IP_OFFS);
     thisfrag = payload + offset8;
     start = offset8 * 8;
     len = ntohs(ip->ip_len) - IP_HDR_SIZE;
```

The last line of the previous excerpt from `u-boot/net/net.c` shows how
the attacker can control the value of `len` to be strictly lower than
`8` by issuing a packet with `ip_len` between `21` and `27`
(`IP_HDR_SIZE` has a value of `20`).

Also note that `offset8` here is `0` which leads to `thisfrag = payload`.

```C
     } else if (h >= thisfrag) {
         /* overlaps with initial part of the hole: move this hole */
         newh = thisfrag + (len / 8);
         *newh = *h;
         h = newh;
         if (h->next_hole)
             payload[h->next_hole].prev_hole = (h - payload);
         if (h->prev_hole)
             payload[h->prev_hole].next_hole = (h - payload);
         else
             first_hole = (h - payload);

     } else {
```

Lower down the same function, execution reaches the above code path.
Here, `len / 8` evaluates to `0` leading to `newh = thisfrag`. Also note
that `first_hole` here is `0` since `h` and `payload` point to the same
location.

```C
     /* finally copy this fragment and possibly return whole packet */
     memcpy((uchar *)thisfrag, indata + IP_HDR_SIZE, len);
```

Finally, in the above excerpt the `memcpy` overwrites the hole metadata
since `thisfrag` and `h` both point to the same location. The hole
metadata is effectively overwritten with arbitrary data from the
fragmented IP packet data. If `len` was crafted to be `6`, `last_byte`,
`next_hole`, and `prev_hole` of the `first_hole` can be controlled by
the attacker.

Finally the arbitrary offset write occurs through a second fragment that
only needs to be crafted to write data in the hole pointed to by the
previously controlled hole metadata (`next_hole`) from the first packet.

 ### Recommendation

Handle cases where `len` is strictly lower than 8 by preventing the
overwrite of the hole metadata during the memcpy of the fragment. This
could be achieved by either:
* Moving the location where the hole metadata is stored when `len` is
lower than `8`.
* Or outright rejecting fragmented IP datagram with a Total Length
(`ip_len`) lower than 28 bytes which is the minimum valid fragmented IP
datagram size (as defined as the minimum fragment of 8 octets in the IP
Specification Document:
[RFC791](https://datatracker.ietf.org/doc/html/rfc791) page 25).

----------BUG 2----------

In compiled versions of U-Boot that define CONFIG_IP_DEFRAG, a value of
`ip->ip_len` (IP packet header's Total Length) lower than `IP_HDR_SIZE`
will lead to a negative value for `len` which will ultimately result in
a buffer overflow during the subsequent `memcpy` that uses `len` as it's
`count` parameter.

This bug is only exploitable on local ethernet as it requires crafting
an invalid packet to include an unexpected `ip_len` value in the IP UDP
header that's lower than the minimum accepted Total Length of a packet
(21 as defined in the IP Specification Document:
[RFC791](https://datatracker.ietf.org/doc/html/rfc791)). Such packet
would in all likelihood be dropped while being routed to its final
destination through most routing equipment and as such requires the
attacker to be in a local position in order to be exploited.

```C
static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
{
     static uchar pkt_buff[IP_PKTSIZE] __aligned(PKTALIGN);
     static u16 first_hole, total_len;
     struct hole *payload, *thisfrag, *h, *newh;
     struct ip_udp_hdr *localip = (struct ip_udp_hdr *)pkt_buff;
     uchar *indata = (uchar *)ip;
     int offset8, start, len, done = 0;
     u16 ip_off = ntohs(ip->ip_off);

     /* payload starts after IP header, this fragment is in there */
     payload = (struct hole *)(pkt_buff + IP_HDR_SIZE);
     offset8 =  (ip_off & IP_OFFS);
     thisfrag = payload + offset8;
     start = offset8 * 8;
     len = ntohs(ip->ip_len) - IP_HDR_SIZE;
```

The last line of the previous excerpt from `u-boot/net/net.c` shows
where the underflow to a negative `len` value occurs if `ip_len` is set
to a value strictly lower than 20 (`IP_HDR_SIZE` being 20). Also note
that in the above excerpt the `pkt_buff` buffer has a size of
`CONFIG_NET_MAXDEFRAG` which defaults to 16 KB but can range from 1KB to
64 KB depending on configurations.

```C
     /* finally copy this fragment and possibly return whole packet */
     memcpy((uchar *)thisfrag, indata + IP_HDR_SIZE, len);
```

In the above excerpt the `memcpy` overflows the destination by
attempting to make a copy of nearly 4 gigabytes in a buffer that's
designed to hold `CONFIG_NET_MAXDEFRAG` bytes at most which leads to a DoS.

 ### Recommendation

Stop processing of the packet if `ip_len` is lower than 21 (as defined
by the minimum length of a data carrying datagram in the IP
Specification Document:
[RFC791](https://datatracker.ietf.org/doc/html/rfc791) page 34)."

Add a check for ip_len lesser than 28 and stop processing the packet
in this case.

Such a check covers the two reported bugs.

Reported-by: Nicolas Bidron <nicolas.bidron@nccgroup.com>
Signed-off-by: Fabio Estevam <festevam@denx.de>
net: nfs: Fix CVE-2022-30767 (old CVE-2019-14196) 2022-05-26T14:32:06+00:00 Andrea zi0Black Cappa zi0Black@protonmail.com 2022-05-18T16:30:08+00:00 bdbf7a05e26f3c5fd437c99e2755ffde186ddc80 This patch mitigates the vulnerability identified via CVE-2019-14196. The previous patch was bypassed/ineffective, and now the vulnerability is identified via CVE-2022-30767. The patch removes the sanity check introduced to mitigate CVE-2019-14196 since it's ineffective. filefh3_length is changed to unsigned type integer, preventing negative numbers from being used during comparison with positive values during size sanity checks. Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com> 
This patch mitigates the vulnerability identified via CVE-2019-14196.

The previous patch was bypassed/ineffective, and now the vulnerability
is identified via CVE-2022-30767. The patch removes the sanity check
introduced to mitigate CVE-2019-14196 since it's ineffective.
filefh3_length is changed to unsigned type integer, preventing negative
numbers from being used during comparison with positive values during
size sanity checks.

Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com>
net: mdio-uclass: add dm_phy_find_by_ofnode() helper 2022-05-04T05:05:51+00:00 Marek Behún marek.behun@nic.cz 2022-04-27T10:41:49+00:00 00b1bad961fff51db71573f5fc6e4e35b47381b2 Add helper to resolve PHY node from it's ofnode via DM MDIO subsystem. Signed-off-by: Marek Behún <marek.behun@nic.cz> Reviewed-by: Ramon Fried <rfried.dev@gmail.com> Reviewed-by: Stefan Roese <sr@denx.de> 
Add helper to resolve PHY node from it's ofnode via DM MDIO subsystem.

Signed-off-by: Marek Behún <marek.behun@nic.cz>
Reviewed-by: Ramon Fried <rfried.dev@gmail.com>
Reviewed-by: Stefan Roese <sr@denx.de>
bootstd: ethernet: Add a bootdev driver 2022-04-25T14:00:04+00:00 Simon Glass sjg@chromium.org 2022-04-25T05:31:15+00:00 4fd8d077cb6986385fa8af1b9b11f0fb2cdeb609 Add a bootdev driver for Ethernet. It can use the PXE boot mechanism to locate a file, added later. Signed-off-by: Simon Glass <sjg@chromium.org> 
Add a bootdev driver for Ethernet. It can use the PXE boot mechanism to
locate a file, added later.

Signed-off-by: Simon Glass <sjg@chromium.org>
Allow colon in PXE bootfile URLs 2022-04-22T19:44:10+00:00 Lyle Franklin lylejfranklin@gmail.com 2022-04-16T15:36:43+00:00 85f8e03b2a9bae37284b57ca571b7037e904c5d3 - U-boot's PXE flow supports prefixing your bootfile name with an IP address to fetch from a server other than the DHCP server, e.g. `hostIPaddr:bootfilename`: https://github.com/u-boot/u-boot/commit/a93907c43f847f076dd0e34ee3b69b5e8e6d0d29 - However, this breaks bootfile paths which contain a colon, e.g. `f0:ad:4e:10:1b:87/7/pxelinux.cfg/default` - This patch checks whether the `hostIPaddr` prefix is a valid IP address before overriding the serverIP otherwise the whole bootfile path is preserved Signed-off-by: Lyle Franklin <lylejfranklin@gmail.com> 
- U-boot's PXE flow supports prefixing your bootfile name with an
  IP address to fetch from a server other than the DHCP server,
  e.g. `hostIPaddr:bootfilename`:
  https://github.com/u-boot/u-boot/commit/a93907c43f847f076dd0e34ee3b69b5e8e6d0d29
- However, this breaks bootfile paths which contain a colon, e.g.
  `f0:ad:4e:10:1b:87/7/pxelinux.cfg/default`
- This patch checks whether the `hostIPaddr` prefix is a valid
  IP address before overriding the serverIP otherwise the whole
  bootfile path is preserved

Signed-off-by: Lyle Franklin <lylejfranklin@gmail.com>
net: tftp: fix tftp server initialization 2022-04-12T19:41:27+00:00 Arjan Minzinga Zijlstra arjan.minzingazijlstra@fox-it.com 2022-03-31T08:03:16+00:00 1ffe366881a3fd474737f67f2e9fb5bf40104fd3 Some globals where not properly initialized causing timeouts as data packets where not immediately acknowledged. Fixes: cc6b87ecaa96 ("net: tftp: Add client support for RFC 7440") Signed-off-by: Arjan Minzinga Zijlstra <arjan.minzingazijlstra@fox-it.com> Reviewed-by: Ramon Fried <rfried.dev@gmail.com> 
Some globals where not properly initialized causing timeouts
as data packets where not immediately acknowledged.

Fixes: cc6b87ecaa96 ("net: tftp: Add client support for RFC 7440")
Signed-off-by: Arjan Minzinga Zijlstra <arjan.minzingazijlstra@fox-it.com>
Reviewed-by: Ramon Fried <rfried.dev@gmail.com>
treewide: Rename PHY_INTERFACE_MODE_NONE to PHY_INTERFACE_MODE_NA 2022-04-10T05:44:13+00:00 Marek Behún marek.behun@nic.cz 2022-04-06T22:33:03+00:00 ffb0f6f488b9eee2822c3c691778a26e1590694c Rename constant PHY_INTERFACE_MODE_NONE to PHY_INTERFACE_MODE_NA to make it compatible with Linux' naming. Signed-off-by: Marek Behún <marek.behun@nic.cz> Reviewed-by: Stefan Roese <sr@denx.de> Reviewed-by: Ramon Fried <rfried.dev@gmail.com> Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com> 
Rename constant PHY_INTERFACE_MODE_NONE to PHY_INTERFACE_MODE_NA to make
it compatible with Linux' naming.

Signed-off-by: Marek Behún <marek.behun@nic.cz>
Reviewed-by: Stefan Roese <sr@denx.de>
Reviewed-by: Ramon Fried <rfried.dev@gmail.com>
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
net: introduce helpers to get PHY interface mode from a device/ofnode 2022-04-10T05:44:12+00:00 Marek Behún marek.behun@nic.cz 2022-04-06T22:33:01+00:00 123ca114e07ecf28aa2538748d733e2b22d8b8b5 Add helpers ofnode_read_phy_mode() and dev_read_phy_mode() to parse the "phy-mode" / "phy-connection-type" property. Add corresponding UT test. Use them treewide. This allows us to inline the phy_get_interface_by_name() into ofnode_read_phy_mode(), since the former is not used anymore. Signed-off-by: Marek Behún <marek.behun@nic.cz> Reviewed-by: Ramon Fried <rfried.dev@gmail.com> Tested-by: Patrice Chotard <patrice.chotard@foss.st.com> 
Add helpers ofnode_read_phy_mode() and dev_read_phy_mode() to parse the
"phy-mode" / "phy-connection-type" property. Add corresponding UT test.

Use them treewide.

This allows us to inline the phy_get_interface_by_name() into
ofnode_read_phy_mode(), since the former is not used anymore.

Signed-off-by: Marek Behún <marek.behun@nic.cz>
Reviewed-by: Ramon Fried <rfried.dev@gmail.com>
Tested-by: Patrice Chotard <patrice.chotard@foss.st.com>
treewide: use dm_mdio_read/write/reset() wrappers 2022-04-10T05:44:12+00:00 Marek Behún marek.behun@nic.cz 2022-04-06T22:32:59+00:00 1776a24bbbb9afe9cc2a52990c1cee8c48faa20f Use the new dm_mdio_read/write/reset() wrappers treewide, instead of always getting and dereferencing MDIO operations structure pointer. Signed-off-by: Marek Behún <marek.behun@nic.cz> Reviewed-by: Ramon Fried <rfried.dev@gmail.com> Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com> 
Use the new dm_mdio_read/write/reset() wrappers treewide, instead of
always getting and dereferencing MDIO operations structure pointer.

Signed-off-by: Marek Behún <marek.behun@nic.cz>
Reviewed-by: Ramon Fried <rfried.dev@gmail.com>
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>