From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.120])
 by mx.groups.io with SMTP id smtpd.web09.2199.1572068262087856223
 for <devel@edk2.groups.io>;
 Fri, 25 Oct 2019 22:37:42 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=hTBdlgqt;
 spf=pass (domain: redhat.com, ip: 205.139.110.120, mailfrom: lersek@redhat.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1572068261;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=dAeqvsqI6MTpgD/q5WS8rsFoLqPpraWyLhqQvqyp4lU=;
	b=hTBdlgqtplqqFd3WWneXG926vcugrMkAueuumCevvEI7Qp9WG7uXi4i0oT3JLsiq6qcpU0
	tdbwZnDKC5Ek88EEWVqU2JDfVawUxOwiD4ZaM4xXROodIA+zCJfydyhnWUBdipBWjOJ1pn
	oLHOstXZvlnvpoD1itw8Lr3nClHmdzA=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-52-HoxUMb5NM9mVWI5UAgA4Vw-1; Sat, 26 Oct 2019 01:37:37 -0400
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 4FAA6800D4C;
	Sat, 26 Oct 2019 05:37:36 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-26.ams2.redhat.com [10.36.116.26])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 7F1B95D9CA;
	Sat, 26 Oct 2019 05:37:34 +0000 (UTC)
From: "Laszlo Ersek" <lersek@redhat.com>
To: edk2-devel-groups-io <devel@edk2.groups.io>
Cc: David Woodhouse <dwmw2@infradead.org>,
	Jian J Wang <jian.j.wang@intel.com>,
	Jiaxin Wu <jiaxin.wu@intel.com>,
	Sivaraman Nainar <sivaramann@amiindia.co.in>,
	Xiaoyu Lu <xiaoyux.lu@intel.com>
Subject: [PATCH v2 5/8] CryptoPkg/Crt: import "inet_pton.c" (CVE-2019-14553)
Date: Sat, 26 Oct 2019 07:37:16 +0200
Message-Id: <20191026053719.10453-6-lersek@redhat.com>
In-Reply-To: <20191026053719.10453-1-lersek@redhat.com>
References: <20191026053719.10453-1-lersek@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
X-MC-Unique: HoxUMb5NM9mVWI5UAgA4Vw-1
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable

For TianoCore BZ#1734, StdLib has been moved from the edk2 project to the
edk2-libc project, in commit 964f432b9b0a ("edk2: Remove AppPkg, StdLib,
StdLibPrivateInternalFiles", 2019-04-29).

We'd like to use the inet_pton() function in CryptoPkg. Resurrect the
"inet_pton.c" file from just before the StdLib removal, as follows:

  $ git show \
      964f432b9b0a^:StdLib/BsdSocketLib/inet_pton.c \
      > CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c

The inet_pton() function is only intended for the DXE phase at this time,
therefore only the "BaseCryptLib" instance INF file receives the new file.

Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D960
CVE: CVE-2019-14553
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---

Notes:
    v2:
    - new patch

 CryptoPkg/Library/Include/CrtLibSupport.h          |   1 +
 CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf    |   1 +
 CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c | 257 +++++++++++++++++=
+++
 3 files changed, 259 insertions(+)

diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h b/CryptoPkg/Library/=
Include/CrtLibSupport.h
index e603fad763f9..5a20ba636fff 100644
--- a/CryptoPkg/Library/Include/CrtLibSupport.h
+++ b/CryptoPkg/Library/Include/CrtLibSupport.h
@@ -191,8 +191,9 @@ char           *secure_getenv (const char *);
 void           abort       (void) __attribute__((__noreturn__));
 #else
 void           abort       (void);
 #endif
+int            inet_pton   (int, const char *, void *);
=20
 //
 // Macros that directly map functions to BaseLib, BaseMemoryLib, and Debug=
Lib functions
 //
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Li=
brary/BaseCryptLib/BaseCryptLib.inf
index a98be2cd9590..dc9e6e5d45f9 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -57,8 +57,9 @@ [Sources]
=20
   SysCall/CrtWrapper.c
   SysCall/TimerWrapper.c
   SysCall/BaseMemAllocation.c
+  SysCall/inet_pton.c
=20
 [Sources.Ia32]
   Rand/CryptRandTsc.c
=20
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c b/CryptoPkg=
/Library/BaseCryptLib/SysCall/inet_pton.c
new file mode 100644
index 000000000000..32e1ab8690e6
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c
@@ -0,0 +1,257 @@
+/* Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCL=
AIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRA=
NTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIA=
L
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF =
THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 1999, 2000
+ * Intel Corporation.
+ * All rights reserved.
+ *=20
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *=20
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *=20
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *=20
+ * 3. All advertising materials mentioning features or use of this softwar=
e
+ *    must display the following acknowledgement:
+ *=20
+ *    This product includes software developed by Intel Corporation and
+ *    its contributors.
+ *=20
+ * 4. Neither the name of Intel Corporation or its contributors may be
+ *    used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *=20
+ * THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION AND CONTRIBUTORS ``AS IS=
''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, T=
HE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURP=
OSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL INTEL CORPORATION OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINES=
S
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ *=20
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char rcsid[] =3D "$Id: inet_pton.c,v 1.1.1.1 2003/11/19 01:51:30 ky=
u3 Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <string.h>
+#include <errno.h>
+
+/*
+ * WARNING: Don't even consider trying to compile this on a system where
+ * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
+ */
+
+static int=09inet_pton4 (const char *src, u_char *dst);
+static int=09inet_pton6 (const char *src, u_char *dst);
+
+/* int
+ * inet_pton(af, src, dst)
+ *=09convert from presentation format (which usually means ASCII printable=
)
+ *=09to network format (which is usually some kind of binary format).
+ * return:
+ *=091 if the address was valid for the specified address family
+ *=090 if the address wasn't valid (`dst' is untouched in this case)
+ *=09-1 if some other error occurred (`dst' is untouched in this case, too=
)
+ * author:
+ *=09Paul Vixie, 1996.
+ */
+int
+inet_pton(
+=09int af,
+=09const char *src,
+=09void *dst
+=09)
+{
+=09switch (af) {
+=09case AF_INET:
+=09=09return (inet_pton4(src, dst));
+=09case AF_INET6:
+=09=09return (inet_pton6(src, dst));
+=09default:
+=09=09errno =3D EAFNOSUPPORT;
+=09=09return (-1);
+=09}
+=09/* NOTREACHED */
+}
+
+/* int
+ * inet_pton4(src, dst)
+ *=09like inet_aton() but without all the hexadecimal and shorthand.
+ * return:
+ *=091 if `src' is a valid dotted quad, else 0.
+ * notice:
+ *=09does not touch `dst' unless it's returning 1.
+ * author:
+ *=09Paul Vixie, 1996.
+ */
+static int
+inet_pton4(
+=09const char *src,
+=09u_char *dst
+=09)
+{
+=09static const char digits[] =3D "0123456789";
+=09int saw_digit, octets, ch;
+=09u_char tmp[NS_INADDRSZ], *tp;
+
+=09saw_digit =3D 0;
+=09octets =3D 0;
+=09*(tp =3D tmp) =3D 0;
+=09while ((ch =3D *src++) !=3D '\0') {
+=09=09const char *pch;
+
+=09=09if ((pch =3D strchr(digits, ch)) !=3D NULL) {
+=09=09=09u_int new =3D *tp * 10 + (u_int)(pch - digits);
+
+=09=09=09if (new > 255)
+=09=09=09=09return (0);
+=09=09=09*tp =3D (u_char)new;
+=09=09=09if (! saw_digit) {
+=09=09=09=09if (++octets > 4)
+=09=09=09=09=09return (0);
+=09=09=09=09saw_digit =3D 1;
+=09=09=09}
+=09=09} else if (ch =3D=3D '.' && saw_digit) {
+=09=09=09if (octets =3D=3D 4)
+=09=09=09=09return (0);
+=09=09=09*++tp =3D 0;
+=09=09=09saw_digit =3D 0;
+=09=09} else
+=09=09=09return (0);
+=09}
+=09if (octets < 4)
+=09=09return (0);
+
+=09memcpy(dst, tmp, NS_INADDRSZ);
+=09return (1);
+}
+
+/* int
+ * inet_pton6(src, dst)
+ *=09convert presentation level address to network order binary form.
+ * return:
+ *=091 if `src' is a valid [RFC1884 2.2] address, else 0.
+ * notice:
+ *=09(1) does not touch `dst' unless it's returning 1.
+ *=09(2) :: in a full address is silently ignored.
+ * credit:
+ *=09inspired by Mark Andrews.
+ * author:
+ *=09Paul Vixie, 1996.
+ */
+static int
+inet_pton6(
+=09const char *src,
+=09u_char *dst
+=09)
+{
+=09static const char xdigits_l[] =3D "0123456789abcdef",
+=09=09=09  xdigits_u[] =3D "0123456789ABCDEF";
+=09u_char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
+=09const char *xdigits, *curtok;
+=09int ch, saw_xdigit;
+=09u_int val;
+
+=09memset((tp =3D tmp), '\0', NS_IN6ADDRSZ);
+=09endp =3D tp + NS_IN6ADDRSZ;
+=09colonp =3D NULL;
+=09/* Leading :: requires some special handling. */
+=09if (*src =3D=3D ':')
+=09=09if (*++src !=3D ':')
+=09=09=09return (0);
+=09curtok =3D src;
+=09saw_xdigit =3D 0;
+=09val =3D 0;
+=09while ((ch =3D *src++) !=3D '\0') {
+=09=09const char *pch;
+
+=09=09if ((pch =3D strchr((xdigits =3D xdigits_l), ch)) =3D=3D NULL)
+=09=09=09pch =3D strchr((xdigits =3D xdigits_u), ch);
+=09=09if (pch !=3D NULL) {
+=09=09=09val <<=3D 4;
+=09=09=09val |=3D (pch - xdigits);
+=09=09=09if (val > 0xffff)
+=09=09=09=09return (0);
+=09=09=09saw_xdigit =3D 1;
+=09=09=09continue;
+=09=09}
+=09=09if (ch =3D=3D ':') {
+=09=09=09curtok =3D src;
+=09=09=09if (!saw_xdigit) {
+=09=09=09=09if (colonp)
+=09=09=09=09=09return (0);
+=09=09=09=09colonp =3D tp;
+=09=09=09=09continue;
+=09=09=09}
+=09=09=09if (tp + NS_INT16SZ > endp)
+=09=09=09=09return (0);
+=09=09=09*tp++ =3D (u_char) (val >> 8) & 0xff;
+=09=09=09*tp++ =3D (u_char) val & 0xff;
+=09=09=09saw_xdigit =3D 0;
+=09=09=09val =3D 0;
+=09=09=09continue;
+=09=09}
+=09=09if (ch =3D=3D '.' && ((tp + NS_INADDRSZ) <=3D endp) &&
+=09=09    inet_pton4(curtok, tp) > 0) {
+=09=09=09tp +=3D NS_INADDRSZ;
+=09=09=09saw_xdigit =3D 0;
+=09=09=09break;=09/* '\0' was seen by inet_pton4(). */
+=09=09}
+=09=09return (0);
+=09}
+=09if (saw_xdigit) {
+=09=09if (tp + NS_INT16SZ > endp)
+=09=09=09return (0);
+=09=09*tp++ =3D (u_char) (val >> 8) & 0xff;
+=09=09*tp++ =3D (u_char) val & 0xff;
+=09}
+=09if (colonp !=3D NULL) {
+=09=09/*
+=09=09 * Since some memmove()'s erroneously fail to handle
+=09=09 * overlapping regions, we'll do the shift by hand.
+=09=09 */
+=09=09const int n =3D (int)(tp - colonp);
+=09=09int i;
+
+=09=09for (i =3D 1; i <=3D n; i++) {
+=09=09=09endp[- i] =3D colonp[n - i];
+=09=09=09colonp[n - i] =3D 0;
+=09=09}
+=09=09tp =3D endp;
+=09}
+=09if (tp !=3D endp)
+=09=09return (0);
+=09memcpy(dst, tmp, NS_IN6ADDRSZ);
+=09return (1);
+}
--=20
2.19.1.3.g30247aa5d201