fix CVE-2022-2347

backport-0001-CVE-2022-2347.patch

@@ -0,0 +1,122 @@
+From fbce985e28eaca3af82afecc11961aadaf971a7e Mon Sep 17 00:00:00 2001
+From: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com>
+Date: Thu, 3 Nov 2022 09:37:48 +0530
+Subject: [PATCH] usb: gadget: dfu: Fix the unchecked length field
+
+DFU implementation does not bound the length field in USB
+DFU download setup packets, and it does not verify that
+the transfer direction. Fixing the length and transfer
+direction.
+
+CVE-2022-2347
+
+Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com>
+Reviewed-by: Marek Vasut <marex@denx.de>
+---
+ drivers/usb/gadget/f_dfu.c | 56 ++++++++++++++++++++++++--------------
+ 1 file changed, 37 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c
+index e9340ff5cb4d..33ef62f8babe 100644
+--- a/drivers/usb/gadget/f_dfu.c
++++ b/drivers/usb/gadget/f_dfu.c
+@@ -321,21 +321,29 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
+ 	u16 len = le16_to_cpu(ctrl->wLength);
+ 	int value = 0;
+ 
++	len = len > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : len;
++
+ 	switch (ctrl->bRequest) {
+ 	case USB_REQ_DFU_DNLOAD:
+-		if (len == 0) {
+-			f_dfu->dfu_state = DFU_STATE_dfuERROR;
+-			value = RET_STALL;
+-			break;
++		if (ctrl->bRequestType == USB_DIR_OUT) {
++			if (len == 0) {
++				f_dfu->dfu_state = DFU_STATE_dfuERROR;
++				value = RET_STALL;
++				break;
++			}
++			f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
++			f_dfu->blk_seq_num = w_value;
++			value = handle_dnload(gadget, len);
+ 		}
+-		f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
+-		f_dfu->blk_seq_num = w_value;
+-		value = handle_dnload(gadget, len);
+ 		break;
+ 	case USB_REQ_DFU_UPLOAD:
+-		f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE;
+-		f_dfu->blk_seq_num = 0;
+-		value = handle_upload(req, len);
++		if (ctrl->bRequestType == USB_DIR_IN) {
++			f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE;
++			f_dfu->blk_seq_num = 0;
++			value = handle_upload(req, len);
++			if (value >= 0 && value < len)
++				f_dfu->dfu_state = DFU_STATE_dfuIDLE;
++		}
+ 		break;
+ 	case USB_REQ_DFU_ABORT:
+ 		/* no zlp? */
+@@ -426,11 +432,15 @@ static int state_dfu_dnload_idle(struct f_dfu *f_dfu,
+ 	u16 len = le16_to_cpu(ctrl->wLength);
+ 	int value = 0;
+ 
++	len = len > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : len;
++
+ 	switch (ctrl->bRequest) {
+ 	case USB_REQ_DFU_DNLOAD:
+-		f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
+-		f_dfu->blk_seq_num = w_value;
+-		value = handle_dnload(gadget, len);
++		if (ctrl->bRequestType == USB_DIR_OUT) {
++			f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
++			f_dfu->blk_seq_num = w_value;
++			value = handle_dnload(gadget, len);
++		}
+ 		break;
+ 	case USB_REQ_DFU_ABORT:
+ 		f_dfu->dfu_state = DFU_STATE_dfuIDLE;
+@@ -513,13 +523,17 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu,
+ 	u16 len = le16_to_cpu(ctrl->wLength);
+ 	int value = 0;
+ 
++	len = len > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : len;
++
+ 	switch (ctrl->bRequest) {
+ 	case USB_REQ_DFU_UPLOAD:
+-		/* state transition if less data then requested */
+-		f_dfu->blk_seq_num = w_value;
+-		value = handle_upload(req, len);
+-		if (value >= 0 && value < len)
+-			f_dfu->dfu_state = DFU_STATE_dfuIDLE;
++		if (ctrl->bRequestType == USB_DIR_IN) {
++			/* state transition if less data then requested */
++			f_dfu->blk_seq_num = w_value;
++			value = handle_upload(req, len);
++			if (value >= 0 && value < len)
++				f_dfu->dfu_state = DFU_STATE_dfuIDLE;
++		}
+ 		break;
+ 	case USB_REQ_DFU_ABORT:
+ 		f_dfu->dfu_state = DFU_STATE_dfuIDLE;
+@@ -595,6 +609,8 @@ dfu_handle(struct usb_function *f, const struct usb_ctrlrequest *ctrl)
+ 	int value = 0;
+ 	u8 req_type = ctrl->bRequestType & USB_TYPE_MASK;
+ 
++	len = len > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : len;
++
+ 	debug("w_value: 0x%x len: 0x%x\n", w_value, len);
+ 	debug("req_type: 0x%x ctrl->bRequest: 0x%x f_dfu->dfu_state: 0x%x\n",
+ 	       req_type, ctrl->bRequest, f_dfu->dfu_state);
+@@ -614,7 +630,7 @@ dfu_handle(struct usb_function *f, const struct usb_ctrlrequest *ctrl)
+ 		value = dfu_state[f_dfu->dfu_state] (f_dfu, ctrl, gadget, req);
+ 
+ 	if (value >= 0) {
+-		req->length = value;
++		req->length = value > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : value;
+ 		req->zero = value < len;
+ 		value = usb_ep_queue(gadget->ep0, req, 0);
+ 		if (value < 0) {

backport-0002-CVE-2022-2347.patch

@@ -0,0 +1,59 @@
+From 14dc0ab138988a8e45ffa086444ec8db48b3f103 Mon Sep 17 00:00:00 2001
+From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+Date: Wed, 30 Nov 2022 09:29:16 +0100
+Subject: [PATCH] usb: gadget: dfu: Fix check of transfer direction
+
+Commit fbce985e28eaca3af82afecc11961aadaf971a7e to fix CVE-2022-2347
+blocks DFU usb requests.
+The verification of the transfer direction was done by an equality
+but it is a bit mask.
+
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+Reviewed-by: Fabio Estevam <festevam@denx.de>
+Reviewed-by: Sultan Qasim Khan <sultan.qasimkhan@nccgroup.com>
+Reviewed-by: Marek Vasut <marex@denx.de>
+Tested-by: Marek Vasut <marex@denx.de>
+---
+ drivers/usb/gadget/f_dfu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c
+index 33ef62f8babe..44877df4ec6b 100644
+--- a/drivers/usb/gadget/f_dfu.c
++++ b/drivers/usb/gadget/f_dfu.c
+@@ -325,7 +325,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
+ 
+ 	switch (ctrl->bRequest) {
+ 	case USB_REQ_DFU_DNLOAD:
+-		if (ctrl->bRequestType == USB_DIR_OUT) {
++		if (!(ctrl->bRequestType & USB_DIR_IN)) {
+ 			if (len == 0) {
+ 				f_dfu->dfu_state = DFU_STATE_dfuERROR;
+ 				value = RET_STALL;
+@@ -337,7 +337,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
+ 		}
+ 		break;
+ 	case USB_REQ_DFU_UPLOAD:
+-		if (ctrl->bRequestType == USB_DIR_IN) {
++		if (ctrl->bRequestType & USB_DIR_IN) {
+ 			f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE;
+ 			f_dfu->blk_seq_num = 0;
+ 			value = handle_upload(req, len);
+@@ -436,7 +436,7 @@ static int state_dfu_dnload_idle(struct f_dfu *f_dfu,
+ 
+ 	switch (ctrl->bRequest) {
+ 	case USB_REQ_DFU_DNLOAD:
+-		if (ctrl->bRequestType == USB_DIR_OUT) {
++		if (!(ctrl->bRequestType & USB_DIR_IN)) {
+ 			f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
+ 			f_dfu->blk_seq_num = w_value;
+ 			value = handle_dnload(gadget, len);
+@@ -527,7 +527,7 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu,
+ 
+ 	switch (ctrl->bRequest) {
+ 	case USB_REQ_DFU_UPLOAD:
+-		if (ctrl->bRequestType == USB_DIR_IN) {
++		if (ctrl->bRequestType & USB_DIR_IN) {
+ 			/* state transition if less data then requested */
+ 			f_dfu->blk_seq_num = w_value;
+ 			value = handle_upload(req, len);

uboot-tools.spec

@@ -3,7 +3,7 @@
 
 Name:           uboot-tools
 Version:        2020.07
-Release:        7
+Release:        8
 Summary:        tools for U-Boot
 License:        GPL-2.0-or-later and Public Domain and GPL-2.0-only
 URL:            http://www.denx.de/wiki/U-Boot
@@ -36,6 +36,8 @@ Patch0014:      backport-0001-CVE-2021-27138.patch
 Patch0015:      backport-0002-CVE-2021-27138.patch
 Patch0016:	backport-CVE-2022-34835.patch
 Patch0017:	backport-CVE-2022-30767.patch
+Patch0018:      backport-0001-CVE-2022-2347.patch
+Patch0019:      backport-0002-CVE-2022-2347.patch
 
 BuildRequires:  bc dtc gcc make flex bison git-core openssl-devel gdb
 BuildRequires:  python-unversioned-command python3-devel python3-setuptools
@@ -258,6 +260,9 @@ cp -p board/warp7/README builds/docs/README.warp7
 %{_mandir}/man1/mkimage.1*
 
 %changelog
+* Tue Sep 24 2024 lingsheng <lingsheng1@h-partners.com> -2020.07-8
+- fix CVE-2022-2347
+
 * Wed Sep 28 2022 zhouwenpei <zhouwenpei1@h-partners.com> -2020.07-7
 - fix CVE-2022-30767