From 3c9574af677c24b969c3baa6a527dabaf97f11a2 Mon Sep 17 00:00:00 2001

From: Laszlo Ersek <lersek@redhat.com>

Date: Mon, 2 Dec 2019 12:31:53 +0100

Subject: [PATCH 5/9] CryptoPkg/Crt: import "inet_pton.c" (CVE-2019-14553)

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

RH-Author: Laszlo Ersek <lersek@redhat.com>

Message-id: <20191117220052.15700-6-lersek@redhat.com>

Patchwork-id: 92461

O-Subject: [RHEL-8.2.0 edk2 PATCH 5/9] CryptoPkg/Crt: import "inet_pton.c" (CVE-2019-14553)

Bugzilla: 1536624

RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>

RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>

For TianoCore BZ#1734, StdLib has been moved from the edk2 project to the

edk2-libc project, in commit 964f432b9b0a ("edk2: Remove AppPkg, StdLib,

StdLibPrivateInternalFiles", 2019-04-29).

We'd like to use the inet_pton() function in CryptoPkg. Resurrect the

"inet_pton.c" file from just before the StdLib removal, as follows:

  $ git show \

      964f432b9b0a^:StdLib/BsdSocketLib/inet_pton.c \

      > CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c

The inet_pton() function is only intended for the DXE phase at this time,

therefore only the "BaseCryptLib" instance INF file receives the new file.

Cc: David Woodhouse <dwmw2@infradead.org>

Cc: Jian J Wang <jian.j.wang@intel.com>

Cc: Jiaxin Wu <jiaxin.wu@intel.com>

Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>

Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=960

CVE: CVE-2019-14553

Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Reviewed-by: Jian J Wang <jian.j.wang@intel.com>

Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>

(cherry picked from commit 8d16ef8269b2ff373d8da674e59992adfdc032d3)

---

 CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf    |   1 +

 CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c | 257 +++++++++++++++++++++

 CryptoPkg/Library/Include/CrtLibSupport.h          |   1 +

 3 files changed, 259 insertions(+)

 create mode 100644 CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c

diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf

index 8d4988e..b5cfd8b 100644

--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf

+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf

@@ -58,6 +58,7 @@

   SysCall/CrtWrapper.c

   SysCall/TimerWrapper.c

   SysCall/BaseMemAllocation.c

+  SysCall/inet_pton.c

 [Sources.Ia32]

   Rand/CryptRandTsc.c

diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c b/CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c

new file mode 100644

index 0000000..32e1ab8

--- /dev/null

+++ b/CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c

@@ -0,0 +1,257 @@

+/* Copyright (c) 1996 by Internet Software Consortium.

+ *

+ * Permission to use, copy, modify, and distribute this software for any

+ * purpose with or without fee is hereby granted, provided that the above

+ * copyright notice and this permission notice appear in all copies.

+ *

+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS

+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES

+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE

+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL

+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR

+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS

+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS

+ * SOFTWARE.

+ */

+

+/*

+ * Portions copyright (c) 1999, 2000

+ * Intel Corporation.

+ * All rights reserved.

+ * 

+ * Redistribution and use in source and binary forms, with or without

+ * modification, are permitted provided that the following conditions

+ * are met:

+ * 

+ * 1. Redistributions of source code must retain the above copyright

+ *    notice, this list of conditions and the following disclaimer.

+ * 

+ * 2. Redistributions in binary form must reproduce the above copyright

+ *    notice, this list of conditions and the following disclaimer in the

+ *    documentation and/or other materials provided with the distribution.

+ * 

+ * 3. All advertising materials mentioning features or use of this software

+ *    must display the following acknowledgement:

+ * 

+ *    This product includes software developed by Intel Corporation and

+ *    its contributors.

+ * 

+ * 4. Neither the name of Intel Corporation or its contributors may be

+ *    used to endorse or promote products derived from this software

+ *    without specific prior written permission.

+ * 

+ * THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION AND CONTRIBUTORS ``AS IS''

+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

+ * ARE DISCLAIMED.  IN NO EVENT SHALL INTEL CORPORATION OR CONTRIBUTORS BE

+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR

+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF

+ * THE POSSIBILITY OF SUCH DAMAGE.

+ * 

+ */

+

+#if defined(LIBC_SCCS) && !defined(lint)

+static char rcsid[] = "$Id: inet_pton.c,v 1.1.1.1 2003/11/19 01:51:30 kyu3 Exp $";

+#endif /* LIBC_SCCS and not lint */

+

+#include <sys/param.h>

+#include <sys/types.h>

+#include <sys/socket.h>

+#include <netinet/in.h>

+#include <arpa/inet.h>

+#include <arpa/nameser.h>

+#include <string.h>

+#include <errno.h>

+

+/*

+ * WARNING: Don't even consider trying to compile this on a system where

+ * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.

+ */

+

+static int	inet_pton4 (const char *src, u_char *dst);

+static int	inet_pton6 (const char *src, u_char *dst);

+

+/* int

+ * inet_pton(af, src, dst)

+ *	convert from presentation format (which usually means ASCII printable)

+ *	to network format (which is usually some kind of binary format).

+ * return:

+ *	1 if the address was valid for the specified address family

+ *	0 if the address wasn't valid (`dst' is untouched in this case)

+ *	-1 if some other error occurred (`dst' is untouched in this case, too)

+ * author:

+ *	Paul Vixie, 1996.

+ */

+int

+inet_pton(

+	int af,

+	const char *src,

+	void *dst

+	)

+{

+	switch (af) {

+	case AF_INET:

+		return (inet_pton4(src, dst));

+	case AF_INET6:

+		return (inet_pton6(src, dst));

+	default:

+		errno = EAFNOSUPPORT;

+		return (-1);

+	}

+	/* NOTREACHED */

+}

+

+/* int

+ * inet_pton4(src, dst)

+ *	like inet_aton() but without all the hexadecimal and shorthand.

+ * return:

+ *	1 if `src' is a valid dotted quad, else 0.

+ * notice:

+ *	does not touch `dst' unless it's returning 1.

+ * author:

+ *	Paul Vixie, 1996.

+ */

+static int

+inet_pton4(

+	const char *src,

+	u_char *dst

+	)

+{

+	static const char digits[] = "0123456789";

+	int saw_digit, octets, ch;

+	u_char tmp[NS_INADDRSZ], *tp;

+

+	saw_digit = 0;

+	octets = 0;

+	*(tp = tmp) = 0;

+	while ((ch = *src++) != '\0') {

+		const char *pch;

+

+		if ((pch = strchr(digits, ch)) != NULL) {

+			u_int new = *tp * 10 + (u_int)(pch - digits);

+

+			if (new > 255)

+				return (0);

+			*tp = (u_char)new;

+			if (! saw_digit) {

+				if (++octets > 4)

+					return (0);

+				saw_digit = 1;

+			}

+		} else if (ch == '.' && saw_digit) {

+			if (octets == 4)

+				return (0);

+			*++tp = 0;

+			saw_digit = 0;

+		} else

+			return (0);

+	}

+	if (octets < 4)

+		return (0);

+

+	memcpy(dst, tmp, NS_INADDRSZ);

+	return (1);

+}

+

+/* int

+ * inet_pton6(src, dst)

+ *	convert presentation level address to network order binary form.

+ * return:

+ *	1 if `src' is a valid [RFC1884 2.2] address, else 0.

+ * notice:

+ *	(1) does not touch `dst' unless it's returning 1.

+ *	(2) :: in a full address is silently ignored.

+ * credit:

+ *	inspired by Mark Andrews.

+ * author:

+ *	Paul Vixie, 1996.

+ */

+static int

+inet_pton6(

+	const char *src,

+	u_char *dst

+	)

+{

+	static const char xdigits_l[] = "0123456789abcdef",

+			  xdigits_u[] = "0123456789ABCDEF";

+	u_char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;

+	const char *xdigits, *curtok;

+	int ch, saw_xdigit;

+	u_int val;

+

+	memset((tp = tmp), '\0', NS_IN6ADDRSZ);

+	endp = tp + NS_IN6ADDRSZ;

+	colonp = NULL;

+	/* Leading :: requires some special handling. */

+	if (*src == ':')

+		if (*++src != ':')

+			return (0);

+	curtok = src;

+	saw_xdigit = 0;

+	val = 0;

+	while ((ch = *src++) != '\0') {

+		const char *pch;

+

+		if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)

+			pch = strchr((xdigits = xdigits_u), ch);

+		if (pch != NULL) {

+			val <<= 4;

+			val |= (pch - xdigits);

+			if (val > 0xffff)

+				return (0);

+			saw_xdigit = 1;

+			continue;

+		}

+		if (ch == ':') {

+			curtok = src;

+			if (!saw_xdigit) {

+				if (colonp)

+					return (0);

+				colonp = tp;

+				continue;

+			}

+			if (tp + NS_INT16SZ > endp)

+				return (0);

+			*tp++ = (u_char) (val >> 8) & 0xff;

+			*tp++ = (u_char) val & 0xff;

+			saw_xdigit = 0;

+			val = 0;

+			continue;

+		}

+		if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&

+		    inet_pton4(curtok, tp) > 0) {

+			tp += NS_INADDRSZ;

+			saw_xdigit = 0;

+			break;	/* '\0' was seen by inet_pton4(). */

+		}

+		return (0);

+	}

+	if (saw_xdigit) {

+		if (tp + NS_INT16SZ > endp)

+			return (0);

+		*tp++ = (u_char) (val >> 8) & 0xff;

+		*tp++ = (u_char) val & 0xff;

+	}

+	if (colonp != NULL) {

+		/*

+		 * Since some memmove()'s erroneously fail to handle

+		 * overlapping regions, we'll do the shift by hand.

+		 */

+		const int n = (int)(tp - colonp);

+		int i;

+

+		for (i = 1; i <= n; i++) {

+			endp[- i] = colonp[n - i];

+			colonp[n - i] = 0;

+		}

+		tp = endp;

+	}

+	if (tp != endp)

+		return (0);

+	memcpy(dst, tmp, NS_IN6ADDRSZ);

+	return (1);

+}

diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h b/CryptoPkg/Library/Include/CrtLibSupport.h

index e603fad..5a20ba6 100644

--- a/CryptoPkg/Library/Include/CrtLibSupport.h

+++ b/CryptoPkg/Library/Include/CrtLibSupport.h

@@ -192,6 +192,7 @@ void           abort       (void) __attribute__((__noreturn__));

 #else

 void           abort       (void);

 #endif

+int            inet_pton   (int, const char *, void *);

 //

 // Macros that directly map functions to BaseLib, BaseMemoryLib, and DebugLib functions

-- 

1.8.3.1