Ubuntu Security Notice 5591-4 - It was discovered that the virtual terminal driver in the Linux kernel did not properly handle VGA console font changes, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5591-4September 02, 2022linux-aws vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTSSummary:The system could be made to crash or run programs as an administrator.Software Description:- linux-aws: Linux kernel for Amazon Web Services (AWS) systemsDetails:It was discovered that the virtual terminal driver in the Linux kernel did not properly handle VGA console font changes, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS:   linux-image-4.15.0-1140-aws     4.15.0-1140.151   linux-image-aws-lts-18.04       4.15.0.1140.140After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5591-4   https://ubuntu.com/security/notices/USN-5591-1   CVE-2021-33656Package Information:   https://launchpad.net/ubuntu/+source/linux-aws/4.15.0-1140.151

Ubuntu Security Notice USN-5591-4

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

CVE-2022-38752

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

it is not exception in java.base/java.util.regex.Pattern$Ques.match

It is java.lang.StackOverflowError because Java library fails parse a regular expression (the value is very big)

We may consider to restrict the length of the value which may match

CVE-2022-38751: Stackoverflow [OSS-Fuzz - 47039]

Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject.

Stacktrace and crashing input attached.

‌

CVE-2022-38750: Stackoverflow [OSS-Fuzz - 47027]

Issue #525 resolved

Andrey Somov created an issue 2022-04-26

_No description provided._

*   clusterfuzz-testcase-minimized-YamlFuzzer-4626423186325504

**Comments (3)**

1.  Andrey Somov reporter
    
    *   attached clusterfuzz-testcase-minimized-YamlFuzzer-4626423186325504
    
    *   2022-04-26T11:24:03+00:00
    
2.  Andrey Somov reporter
    
    *   changed status to open
    
    *   2022-04-28T09:33:54+00:00
    
3.  Andrey Somov reporter
    
    *   changed status to resolved
    
    it will be delivered in 1.31
    
    *   2022-04-29T07:40:39+00:00
    
4.  Log in to comment

Assignee

Andrey Somov

Type

bug

Priority

major

Status

resolved

Votes

0

Watchers

1

CVE-2022-38749: Got StackOverflowError for many open unmatched brackets

An issue was discovered in PSPP 1.6.2. There is a heap-based buffer overflow at the function read_bytes_internal in utilities/pspp-dump-sav.c, which allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact. This issue is different from CVE-2018-20230.

CVE-2022-39831

An issue was discovered in PSPP 1.6.2. There is a heap-based buffer overflow at the function read_string in utilities/pspp-dump-sav.c, which allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact.

CVE-2022-39832

sign_pFwInfo in Samsung mTower through 0.3.0 has a missing check on the return value of EC_KEY_set_private_key, leading to a denial of service.

**NAME**

EVP\_EC\_gen, EC\_KEY\_get\_method, EC\_KEY\_set\_method, EC\_KEY\_new\_ex, EC\_KEY\_new, EC\_KEY\_get\_flags, EC\_KEY\_set\_flags, EC\_KEY\_clear\_flags, EC\_KEY\_new\_by\_curve\_name\_ex, EC\_KEY\_new\_by\_curve\_name, EC\_KEY\_free, EC\_KEY\_copy, EC\_KEY\_dup, EC\_KEY\_up\_ref, EC\_KEY\_get0\_engine, EC\_KEY\_get0\_group, EC\_KEY\_set\_group, EC\_KEY\_get0\_private\_key, EC\_KEY\_set\_private\_key, EC\_KEY\_get0\_public\_key, EC\_KEY\_set\_public\_key, EC\_KEY\_get\_conv\_form, EC\_KEY\_set\_conv\_form, EC\_KEY\_set\_asn1\_flag, EC\_KEY\_decoded\_from\_explicit\_params, EC\_KEY\_precompute\_mult, EC\_KEY\_generate\_key, EC\_KEY\_check\_key, EC\_KEY\_set\_public\_key\_affine\_coordinates, EC\_KEY\_oct2key, EC\_KEY\_key2buf, EC\_KEY\_oct2priv, EC\_KEY\_priv2oct, EC\_KEY\_priv2buf - Functions for creating, destroying and manipulating EC\_KEY objects

**SYNOPSIS**

    #include <openssl/ec.h>
    
    EVP_PKEY *EVP_EC_gen(const char *curve);

The following functions have been deprecated since OpenSSL 3.0, and can be hidden entirely by defining **OPENSSL\_API\_COMPAT** with a suitable version value, see openssl\_user\_macros(7):

    EC_KEY *EC_KEY_new_ex(OSSL_LIB_CTX *ctx, const char *propq);
    EC_KEY *EC_KEY_new(void);
    int EC_KEY_get_flags(const EC_KEY *key);
    void EC_KEY_set_flags(EC_KEY *key, int flags);
    void EC_KEY_clear_flags(EC_KEY *key, int flags);
    EC_KEY *EC_KEY_new_by_curve_name_ex(OSSL_LIB_CTX *ctx, const char *propq,
                                        int nid);
    EC_KEY *EC_KEY_new_by_curve_name(int nid);
    void EC_KEY_free(EC_KEY *key);
    EC_KEY *EC_KEY_copy(EC_KEY *dst, const EC_KEY *src);
    EC_KEY *EC_KEY_dup(const EC_KEY *src);
    int EC_KEY_up_ref(EC_KEY *key);
    ENGINE *EC_KEY_get0_engine(const EC_KEY *eckey);
    const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key);
    int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group);
    const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key);
    int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key);
    const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key);
    int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub);
    point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);
    void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform);
    void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
    int EC_KEY_decoded_from_explicit_params(const EC_KEY *key);
    int EC_KEY_generate_key(EC_KEY *key);
    int EC_KEY_check_key(const EC_KEY *key);
    int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, BIGNUM *y);
    const EC_KEY_METHOD *EC_KEY_get_method(const EC_KEY *key);
    int EC_KEY_set_method(EC_KEY *key, const EC_KEY_METHOD *meth);
    
    int EC_KEY_oct2key(EC_KEY *eckey, const unsigned char *buf, size_t len, BN_CTX *ctx);
    size_t EC_KEY_key2buf(const EC_KEY *eckey, point_conversion_form_t form,
                          unsigned char **pbuf, BN_CTX *ctx);
    
    int EC_KEY_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len);
    size_t EC_KEY_priv2oct(const EC_KEY *eckey, unsigned char *buf, size_t len);
    
    size_t EC_KEY_priv2buf(const EC_KEY *eckey, unsigned char **pbuf);
    int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx);

**DESCRIPTION**

EVP\_EC\_gen() generates a new EC key pair on the given _curve_.

All of the functions described below are deprecated. Applications should instead use EVP\_EC\_gen(), EVP\_PKEY\_Q\_keygen(3), or EVP\_PKEY\_keygen\_init(3) and EVP\_PKEY\_keygen(3).

An EC\_KEY represents a public key and, optionally, the associated private key. A new EC\_KEY with no associated curve can be constructed by calling EC\_KEY\_new\_ex() and specifying the associated library context in _ctx_ (see OSSL\_LIB\_CTX(3)) and property query string _propq_. The _ctx_ parameter may be NULL in which case the default library context is used. The reference count for the newly created EC\_KEY is initially set to 1. A curve can be associated with the EC\_KEY by calling EC\_KEY\_set\_group().

EC\_KEY\_new() is the same as EC\_KEY\_new\_ex() except that the default library context is always used.

Alternatively a new EC\_KEY can be constructed by calling EC\_KEY\_new\_by\_curve\_name\_ex() and supplying the nid of the associated curve, the library context to be used _ctx_ (see OSSL\_LIB\_CTX(3)) and any property query string _propq_. The _ctx_ parameter may be NULL in which case the default library context is used. The _propq_ value may also be NULL. See EC\_GROUP\_new(3) for a description of curve names. This function simply wraps calls to EC\_KEY\_new\_ex() and EC\_GROUP\_new\_by\_curve\_name\_ex().

EC\_KEY\_new\_by\_curve\_name() is the same as EC\_KEY\_new\_by\_curve\_name\_ex() except that the default library context is always used and a NULL property query string.

Calling EC\_KEY\_free() decrements the reference count for the EC\_KEY object, and if it has dropped to zero then frees the memory associated with it. If _key_ is NULL nothing is done.

EC\_KEY\_copy() copies the contents of the EC\_KEY in _src_ into _dest_.

EC\_KEY\_dup() creates a new EC\_KEY object and copies _ec\_key_ into it.

EC\_KEY\_up\_ref() increments the reference count associated with the EC\_KEY object.

EC\_KEY\_get0\_engine() returns a handle to the ENGINE that has been set for this EC\_KEY object.

EC\_KEY\_generate\_key() generates a new public and private key for the supplied _eckey_ object. _eckey_ must have an EC\_GROUP object associated with it before calling this function. The private key is a random integer (0 < priv\_key < order, where _order_ is the order of the EC\_GROUP object). The public key is an EC\_POINT on the curve calculated by multiplying the generator for the curve by the private key.

EC\_KEY\_check\_key() performs various sanity checks on the EC\_KEY object to confirm that it is valid.

EC\_KEY\_set\_public\_key\_affine\_coordinates() sets the public key for _key_ based on its affine co-ordinates; i.e., it constructs an EC\_POINT object based on the supplied _x_ and _y_ values and sets the public key to be this EC\_POINT. It also performs certain sanity checks on the key to confirm that it is valid.

The functions EC\_KEY\_get0\_group(), EC\_KEY\_set\_group(), EC\_KEY\_get0\_private\_key(), EC\_KEY\_set\_private\_key(), EC\_KEY\_get0\_public\_key(), and EC\_KEY\_set\_public\_key() get and set the EC\_GROUP object, the private key, and the EC\_POINT public key for the **key** respectively. The function EC\_KEY\_set\_private\_key() accepts NULL as the priv\_key argument to securely clear the private key component from the EC\_KEY.

The functions EC\_KEY\_get\_conv\_form() and EC\_KEY\_set\_conv\_form() get and set the point\_conversion\_form for the _key_. For a description of point\_conversion\_forms please see EC\_POINT\_new(3).

EC\_KEY\_set\_flags() sets the flags in the _flags_ parameter on the EC\_KEY object. Any flags that are already set are left set. The flags currently defined are EC\_FLAG\_NON\_FIPS\_ALLOW and EC\_FLAG\_FIPS\_CHECKED. In addition there is the flag EC\_FLAG\_COFACTOR\_ECDH which is specific to ECDH. EC\_KEY\_get\_flags() returns the current flags that are set for this EC\_KEY. EC\_KEY\_clear\_flags() clears the flags indicated by the _flags_ parameter; all other flags are left in their existing state.

EC\_KEY\_set\_asn1\_flag() sets the asn1\_flag on the underlying EC\_GROUP object (if set). Refer to EC\_GROUP\_copy(3) for further information on the asn1\_flag.

EC\_KEY\_decoded\_from\_explicit\_params() returns 1 if the group of the _key_ was decoded from data with explicitly encoded group parameters, -1 if the _key_ is NULL or the group parameters are missing, and 0 otherwise.

EC\_KEY\_precompute\_mult() stores multiples of the underlying EC\_GROUP generator for faster point multiplication. See also EC\_POINT\_add(3). Modern versions should instead switch to named curves which OpenSSL has hardcoded lookup tables for.

EC\_KEY\_oct2key() and EC\_KEY\_key2buf() are identical to the functions EC\_POINT\_oct2point() and EC\_POINT\_point2buf() except they use the public key EC\_POINT in _eckey_.

EC\_KEY\_oct2priv() and EC\_KEY\_priv2oct() convert between the private key component of _eckey_ and octet form. The octet form consists of the content octets of the _privateKey_ OCTET STRING in an _ECPrivateKey_ ASN.1 structure.

The function EC\_KEY\_priv2oct() must be supplied with a buffer long enough to store the octet form. The return value provides the number of octets stored. Calling the function with a NULL buffer will not perform the conversion but will just return the required buffer length.

The function EC\_KEY\_priv2buf() allocates a buffer of suitable length and writes an EC\_KEY to it in octet format. The allocated buffer is written to _\*pbuf_ and its length is returned. The caller must free up the allocated buffer with a call to OPENSSL\_free(). Since the allocated buffer value is written to _\*pbuf_ the _pbuf_ parameter **MUST NOT** be **NULL**.

EC\_KEY\_priv2buf() converts an EC\_KEY private key into an allocated buffer.

**RETURN VALUES**

EC\_KEY\_new\_ex(), EC\_KEY\_new(), EC\_KEY\_new\_by\_curve\_name\_ex(), EC\_KEY\_new\_by\_curve\_name() and EC\_KEY\_dup() return a pointer to the newly created EC\_KEY object, or NULL on error.

EC\_KEY\_get\_flags() returns the flags associated with the EC\_KEY object as an integer.

EC\_KEY\_copy() returns a pointer to the destination key, or NULL on error.

EC\_KEY\_get0\_engine() returns a pointer to an ENGINE, or NULL if it wasn't set.

EC\_KEY\_up\_ref(), EC\_KEY\_set\_group(), EC\_KEY\_set\_public\_key(), EC\_KEY\_precompute\_mult(), EC\_KEY\_generate\_key(), EC\_KEY\_check\_key(), EC\_KEY\_set\_public\_key\_affine\_coordinates(), EC\_KEY\_oct2key() and EC\_KEY\_oct2priv() return 1 on success or 0 on error.

EC\_KEY\_set\_private\_key() returns 1 on success or 0 on error except when the priv\_key argument is NULL, in that case it returns 0, for legacy compatibility, and should not be treated as an error.

EC\_KEY\_get0\_group() returns the EC\_GROUP associated with the EC\_KEY.

EC\_KEY\_get0\_private\_key() returns the private key associated with the EC\_KEY.

EC\_KEY\_get\_conv\_form() return the point\_conversion\_form for the EC\_KEY.

EC\_KEY\_key2buf(), EC\_KEY\_priv2oct() and EC\_KEY\_priv2buf() return the length of the buffer or 0 on error.

**SEE ALSO**

EVP\_PKEY\_Q\_keygen(3) crypto(7), EC\_GROUP\_new(3), EC\_GROUP\_copy(3), EC\_POINT\_new(3), EC\_POINT\_add(3), EC\_GFp\_simple\_method(3), d2i\_ECPKParameters(3), OSSL\_LIB\_CTX(3)

**HISTORY**

EVP\_EC\_gen() was added in OpenSSL 3.0. All other functions described here were deprecated in OpenSSL 3.0. For replacement see EVP\_PKEY-EC(7).

**COPYRIGHT**

Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

CVE-2022-39828: /docs/manmaster/man3/EC_KEY_set_private_key.html

sign_pFwInfo in Samsung mTower through 0.3.0 has a missing check on the return value of EC_KEY_set_public_key_affine_coordinates, leading to a denial of service.

/\*\* \* @file tools/fwinfogen.c \* @brief . \* \* @copyright Copyright (c) 2019 Samsung Electronics Co., Ltd. All Rights Reserved. \* @author Taras Drozdovskyi t.drozdovsky@samsung.com \* \* Licensed under the Apache License, Version 2.0 (the "License"); \* you may not use this file except in compliance with the License. \* You may obtain a copy of the License at \* \* http://www.apache.org/licenses/LICENSE-2.0 \* \* Unless required by applicable law or agreed to in writing, software \* distributed under the License is distributed on an "AS IS" BASIS, \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. \* See the License for the specific language governing permissions and \* limitations under the License. \*/ /\* Included Files. \*/ #include <stdio.h\> #include <stdint.h\> #include <stdlib.h\> #include <string.h\> #include <openssl/sha.h\> #include <openssl/ec.h\> // for EC\_GROUP\_new\_by\_curve\_name, EC\_GROUP\_free, EC\_KEY\_new, EC\_KEY\_set\_group, EC\_KEY\_generate\_key, EC\_KEY\_free #include <openssl/ecdsa.h\> // for ECDSA\_do\_sign, ECDSA\_do\_verify #include <openssl/obj\_mac.h\> // for NID\_secp192k1 #include "config.h" //#include "version.h" /\* Pre-processor Definitions. \*/ #define BUILD\_MONTH\_IS\_JAN (\_\_DATE\_\_\[0\] == 'J' && \_\_DATE\_\_\[1\] == 'a' && \_\_DATE\_\_\[2\] == 'n') #define BUILD\_MONTH\_IS\_FEB (\_\_DATE\_\_\[0\] == 'F') #define BUILD\_MONTH\_IS\_MAR (\_\_DATE\_\_\[0\] == 'M' && \_\_DATE\_\_\[1\] == 'a' && \_\_DATE\_\_\[2\] == 'r') #define BUILD\_MONTH\_IS\_APR (\_\_DATE\_\_\[0\] == 'A' && \_\_DATE\_\_\[1\] == 'p') #define BUILD\_MONTH\_IS\_MAY (\_\_DATE\_\_\[0\] == 'M' && \_\_DATE\_\_\[1\] == 'a' && \_\_DATE\_\_\[2\] == 'y') #define BUILD\_MONTH\_IS\_JUN (\_\_DATE\_\_\[0\] == 'J' && \_\_DATE\_\_\[1\] == 'u' && \_\_DATE\_\_\[2\] == 'n') #define BUILD\_MONTH\_IS\_JUL (\_\_DATE\_\_\[0\] == 'J' && \_\_DATE\_\_\[1\] == 'u' && \_\_DATE\_\_\[2\] == 'l') #define BUILD\_MONTH\_IS\_AUG (\_\_DATE\_\_\[0\] == 'A' && \_\_DATE\_\_\[1\] == 'u') #define BUILD\_MONTH\_IS\_SEP (\_\_DATE\_\_\[0\] == 'S') #define BUILD\_MONTH\_IS\_OCT (\_\_DATE\_\_\[0\] == 'O') #define BUILD\_MONTH\_IS\_NOV (\_\_DATE\_\_\[0\] == 'N') #define BUILD\_MONTH\_IS\_DEC (\_\_DATE\_\_\[0\] == 'D') #define BUILD\_MONTH \\ ( \\ (BUILD\_MONTH\_IS\_JAN) ? 1 : \\ (BUILD\_MONTH\_IS\_FEB) ? 2 : \\ (BUILD\_MONTH\_IS\_MAR) ? 3 : \\ (BUILD\_MONTH\_IS\_APR) ? 4 : \\ (BUILD\_MONTH\_IS\_MAY) ? 5 : \\ (BUILD\_MONTH\_IS\_JUN) ? 6 : \\ (BUILD\_MONTH\_IS\_JUL) ? 7 : \\ (BUILD\_MONTH\_IS\_AUG) ? 8 : \\ (BUILD\_MONTH\_IS\_SEP) ? 9 : \\ (BUILD\_MONTH\_IS\_OCT) ? 16 : \\ (BUILD\_MONTH\_IS\_NOV) ? 17 : \\ (BUILD\_MONTH\_IS\_DEC) ? 18 : \\ /\* error default \*/ 0 \\ ) #define BUILD\_DAY\_CH0 ((\_\_DATE\_\_\[4\] >= '0') ? (\_\_DATE\_\_\[4\]) : '0') #define BUILD\_DAY\_CH1 (\_\_DATE\_\_\[ 5\]) #define DATE\_COMPILE (((\_\_DATE\_\_\[7\] - '0') << 28) \\ | (((unsigned int)(\_\_DATE\_\_\[8\] - '0')) << 24) \\ | (((unsigned int)(\_\_DATE\_\_\[9\] - '0')) << 20) \\ | (((unsigned int)(\_\_DATE\_\_\[10\] - '0')) << 16) \\ | (((unsigned int)(BUILD\_MONTH)) << 8) \\ | (((unsigned int)(((\_\_DATE\_\_\[4\] >= '0') ? (\_\_DATE\_\_\[4\]) : '0') - '0')) << 4) \\ | (((unsigned int)\_\_DATE\_\_\[5\] - '0'))) #define BL33\_METADATA\_ADDRESS (0x10080000 - CONFIG\_START\_ADDRESS\_BL33 - 0x8000) /\*\* Instruction Code of "B ." \*/ /\* Private Types. \*/ /\* Any types, enums, structures or unions used by the file are defined here. \*/ /\* typedef for NonSecure callback functions \*/ /\*\* \* @details ECC public key structure \*/ typedef struct { uint32\_t au32Key0\[8\]; /\* 256-bits \*/ uint32\_t au32Key1\[8\]; /\* 256-bits \*/ }\_\_attribute\_\_((packed)) ECC\_PUBKEY\_T; /\*\* \* @details ECC ECDSA signature structure \*/ typedef struct { uint32\_t au32R\[8\]; /\* 256-bits \*/ uint32\_t au32S\[8\]; /\* 256-bits \*/ }\_\_attribute\_\_((packed)) ECDSA\_SIGN\_T; typedef struct { uint32\_t u32Start; /\* 32-bits \*/ uint32\_t u32Size; /\* 32-bits \*/ }\_\_attribute\_\_((packed)) FW\_REGION\_T; typedef struct { uint32\_t u32AuthCFGs; /\* 32-bits \*/ /\* bit\[1:0\]: Reserved bit\[2\]: 1: Info Hash includes PDID / 0: Not include PDID bit\[3\]: 1: Info Hash includes UID / 0: Not include UID bit\[4\]: 1: Info Hash inculdes UICD / 0: Not include UICD bit\[31:5\]: Reserved \*/ uint32\_t u32FwRegionLen; /\* 32-bits \*/ FW\_REGION\_T au32FwRegion\[1\]; /\* (8\*1) bytes \*/ uint32\_t u32ExtInfoLen; /\* 32-bits \*/ uint32\_t au32ExtInfo\[3\]; /\* 12-bytes \*/ }\_\_attribute\_\_((packed)) METADATA\_T; typedef struct { ECC\_PUBKEY\_T pubkey; /\* 64-bytes (256-bits + 256-bits) \*/ METADATA\_T mData; /\* includes authenticate configuration, F/W regions and extend info \*/ uint32\_t au32FwHash\[8\]; /\* 32-bytes (256-bits) \*/ ECDSA\_SIGN\_T sign; /\* 64-bytes (256-bits R + 256-bits S) \*/ }\_\_attribute\_\_((packed)) FW\_INFO\_T; /\*\* \* @details ECC ECDSA key structure \*/ typedef struct { uint8\_t Qx\[32\]; /\* 256-bits \*/ uint8\_t Qy\[32\]; /\* 256-bits \*/ uint8\_t d\[32\]; /\* 256-bits \*/ }\_\_attribute\_\_((packed)) ECC\_KEY\_T; /\* Private Function Prototypes. \*/ /\* Prototypes of all static functions in the file are provided here. \*/ /\* Private Data. \*/ /\* All static data definitions appear here. \*/ /\* Public Data. \*/ /\* All data definitions with global scope appear here. \*/ const char header\[\] = "\\n" "const uint32\_t g\_InitialFWinfo\[\] =\\n" "{\\n" " /\* public key - 64-bytes (256-bits + 256-bits) \*/\\n"; /\* Public Function Prototypes \*/ /\* Private Functions. \*/ void sha256(unsigned char \*data, unsigned int data\_len, unsigned char \*hash) { SHA256\_CTX sha256; SHA256\_Init(&sha256); SHA256\_Update(&sha256, data, data\_len); SHA256\_Final(hash, &sha256); } static int sign\_pFwInfo(FW\_INFO\_T \*pFwInfo, ECC\_KEY\_T \*ecdsa\_key) { int ret = -1; EC\_KEY \*eckey = EC\_KEY\_new(); if (NULL == eckey) { printf("Failed to create new EC Key\\n"); return -1; } EC\_GROUP \*ecgroup = EC\_GROUP\_new\_by\_curve\_name(NID\_X9\_62\_prime256v1); if (NULL == ecgroup) { printf("Failed to create new EC Group\\n"); goto exit; } if (EC\_KEY\_set\_group(eckey, ecgroup) != 1) { printf("Failed to set group for EC Key\\n"); goto exit; } memcpy((void \*) pFwInfo->pubkey.au32Key0, (void \*) ecdsa\_key->Qx, 32); memcpy((void \*) pFwInfo->pubkey.au32Key1, (void \*) ecdsa\_key->Qy, 32); BIGNUM\* x = BN\_bin2bn((void \*) ecdsa\_key->Qx, 32, NULL); BIGNUM\* y = BN\_bin2bn((void \*) ecdsa\_key->Qy, 32, NULL); BIGNUM\* d = BN\_bin2bn((void \*) ecdsa\_key->d, 32, NULL); EC\_KEY\_set\_private\_key(eckey, d); EC\_KEY\_set\_public\_key\_affine\_coordinates(eckey, x, y); uint32\_t au32HeadHash\[8\]; unsigned int u32Size = sizeof(FW\_INFO\_T) - sizeof(ECDSA\_SIGN\_T); sha256((unsigned char \*) pFwInfo, u32Size, (unsigned char \*) au32HeadHash); ECDSA\_SIG \*signature = ECDSA\_do\_sign((unsigned char \*) au32HeadHash, u32Size, eckey); if (NULL == signature) { printf("Failed to generate EC Signature\\n"); } else { if (ECDSA\_do\_verify((unsigned char \*) au32HeadHash, u32Size, signature, eckey) != 1) { printf("Failed to verify EC Signature\\n"); } else { BIGNUM \*r, \*s; #if OPENSSL\_VERSION\_NUMBER >= 0x10100000L ECDSA\_SIG\_get0(signature, &r, &s); #else r = signature->r; s = signature->s; #endif // printf("d: %s\\n", BN\_bn2hex(d)); // printf("X: %s\\n", BN\_bn2hex(x)); // printf("Y: %s\\n", BN\_bn2hex(y)); // printf("R: %s\\n", BN\_bn2hex(r)); // printf("S: %s\\n", BN\_bn2hex(s)); BN\_bn2bin(r, (unsigned char \*) pFwInfo->sign.au32R); BN\_bn2bin(s, (unsigned char \*) pFwInfo->sign.au32S); BN\_free(x); BN\_free(y); BN\_free(d); BN\_free(r); BN\_free(s); } } ret = 0; exit: EC\_GROUP\_free(ecgroup); EC\_KEY\_free(eckey); return ret; } int getFileSize(const char \*filename) { int size = -1; FILE\* fd = fopen(filename, "rb"); if (!fd) { printf("Failed to open file: %s\\n",filename); return -1; } /\* Get file size \*/ if (fseek(fd, 0, SEEK\_END) != 0) { printf("Unable to get '%s' file size\\n", filename); goto exit; } size = ftell(fd); if (size < 0) { printf("Stream doesn't support '%s' file positioning\\n", filename); goto exit; } // rewind(fd); exit: fclose(fd); return size; } #ifdef CONFIG\_BOOTLOADER2 /\*\* \* @brief printFwInfo - . \* \* @param pFwInfo \[in/out\] A pointer to jar file name string. \* \* @returns 0 on success or error code on failure. \*/ void printFwInfo(FW\_INFO\_T \*pFwInfo) { printf("%s", header); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->pubkey.au32Key0\[0\], pFwInfo->pubkey.au32Key0\[1\], pFwInfo->pubkey.au32Key0\[2\], pFwInfo->pubkey.au32Key0\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->pubkey.au32Key0\[4\], pFwInfo->pubkey.au32Key0\[5\], pFwInfo->pubkey.au32Key0\[6\], pFwInfo->pubkey.au32Key0\[7\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->pubkey.au32Key1\[0\], pFwInfo->pubkey.au32Key1\[1\], pFwInfo->pubkey.au32Key1\[2\], pFwInfo->pubkey.au32Key1\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->pubkey.au32Key1\[4\], pFwInfo->pubkey.au32Key1\[5\], pFwInfo->pubkey.au32Key1\[6\], pFwInfo->pubkey.au32Key1\[7\]); printf("\\n"); printf( " /\* metadata data - includes Mode selection, F/W region and Extend info \*/\\n"); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x, // 0x00020000: NuBL32 F/W base\\n", pFwInfo->mData.u32AuthCFGs, pFwInfo->mData.u32FwRegionLen, pFwInfo->mData.au32FwRegion\[0\].u32Start, pFwInfo->mData.au32FwRegion\[0\].u32Size); printf( " 0x%08x, 0x%08x, 0x%08x, 0x%08x, // 0x20180824/0x00001111/0x22223333: Extend info\\n", pFwInfo->mData.u32ExtInfoLen, pFwInfo->mData.au32ExtInfo\[0\], pFwInfo->mData.au32ExtInfo\[1\], pFwInfo->mData.au32ExtInfo\[2\]); printf("\\n"); printf(" /\* FW hash - 32-bytes (256-bits) \*/\\n"); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->au32FwHash\[0\], pFwInfo->au32FwHash\[1\], pFwInfo->au32FwHash\[2\], pFwInfo->au32FwHash\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->au32FwHash\[4\], pFwInfo->au32FwHash\[5\], pFwInfo->au32FwHash\[6\], pFwInfo->au32FwHash\[7\]); printf("\\n"); printf(" /\* FwInfo signature - 64-bytes (256-bits R + 256-bits S) \*/\\n"); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->sign.au32R\[0\], pFwInfo->sign.au32R\[1\], pFwInfo->sign.au32R\[2\], pFwInfo->sign.au32R\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->sign.au32R\[4\], pFwInfo->sign.au32R\[5\], pFwInfo->sign.au32R\[6\], pFwInfo->sign.au32R\[7\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->sign.au32S\[0\], pFwInfo->sign.au32S\[1\], pFwInfo->sign.au32S\[2\], pFwInfo->sign.au32S\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->sign.au32S\[4\], pFwInfo->sign.au32S\[5\], pFwInfo->sign.au32S\[6\], pFwInfo->sign.au32S\[7\]); printf("};\\n"); } #endif /\*\* \* @brief main - entry point of mTower: secure world. \* \* @param None \* \* @returns None (function is not supposed to return) \*/ int main(int argc, char\*\* argv) { unsigned char \*buf = NULL; int ret = -1; FILE\* fd; int img\_size = 0; #ifdef CONFIG\_BOOTLOADER2 ECC\_KEY\_T ecdsa\_key; FW\_INFO\_T pFwInfo; pFwInfo.mData.u32AuthCFGs = 0x00000001; pFwInfo.mData.u32FwRegionLen = 0x00000008; pFwInfo.mData.au32FwRegion\[0\].u32Start = CONFIG\_START\_ADDRESS\_BL32; pFwInfo.mData.au32FwRegion\[0\].u32Size = 0x00000000; pFwInfo.mData.u32ExtInfoLen = 0x0000000c; pFwInfo.mData.au32ExtInfo\[0\] = DATE\_COMPILE; pFwInfo.mData.au32ExtInfo\[1\] = 0x00001111; pFwInfo.mData.au32ExtInfo\[2\] = 0x22223333; #endif if (argc != 7) { printf("Not enough input parameters for %s\\n", argv\[0\]); return -1; } buf = malloc(1024 \* 256); if (buf == NULL) { printf("Allocation memory error\\n"); goto exit; } memset((void \*) buf, 0, 1024 \* 256); //////////////////////////////////////////////////////////////// // mtower\_s.bin //////////////////////////////////////////////////////////////// #ifdef CONFIG\_BOOTLOADER2 int32\_t size\_bl2; if((size\_bl2 = getFileSize(argv\[1\])) < 0) { return -1; } fd = fopen(argv\[1\], "rb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[1\]); return -1; } if (fread(buf, 1, (size\_t) size\_bl2, fd) != (size\_t) size\_bl2) { free(buf); goto exit; } fclose(fd); #endif #ifdef CONFIG\_BOOTLOADER32 int32\_t size\_bl32; if((size\_bl32 = getFileSize(argv\[2\])) < 0) { return -1; } fd = fopen(argv\[2\], "rb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[2\]); goto exit; } if (fread(buf + CONFIG\_START\_ADDRESS\_BL32, 1, (size\_t) size\_bl32, fd) != (size\_t) size\_bl32) { free(buf); goto exit; } fclose(fd); img\_size = size\_bl32; #endif #ifdef CONFIG\_BOOTLOADER2 sha256(buf + CONFIG\_START\_ADDRESS\_BL32, size\_bl32, (unsigned char \*) &pFwInfo.au32FwHash); pFwInfo.mData.au32FwRegion\[0\].u32Size = size\_bl32; fd = fopen(argv\[4\], "rb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[4\]); goto exit; } if (fread((unsigned char \*) &ecdsa\_key, sizeof(char), sizeof(ECC\_KEY\_T), fd) != sizeof(ECC\_KEY\_T)) { return -1; } fclose(fd); sign\_pFwInfo(&pFwInfo, &ecdsa\_key); memcpy(buf + 0x00038000, (unsigned char \*) &pFwInfo, sizeof(FW\_INFO\_T)); img\_size = 0x00038000 + sizeof(FW\_INFO\_T); #endif fd = fopen(argv\[3\], "wb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[3\]); goto exit; } if (fwrite(buf, sizeof(char), (size\_t) img\_size, fd) != (size\_t) img\_size) { free(buf); goto exit; } #ifdef CONFIG\_BOOTLOADER2 printf("\\n\\tSecure firmware info\\n"); printFwInfo(&pFwInfo); #endif //////////////////////////////////////////////////////////////// // mtower\_ns.bin //////////////////////////////////////////////////////////////// #ifdef CONFIG\_BOOTLOADER33 memset((void \*) buf, 0, 1024 \* 256); int32\_t size\_bl33; if((size\_bl33 = getFileSize(argv\[5\])) < 0) { return -1; } fd = fopen(argv\[5\], "rb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[5\]); goto exit; } if (fread(buf, 1, (size\_t) size\_bl33, fd) != (size\_t) size\_bl33) { goto exit; } fclose(fd); img\_size = size\_bl33; #ifdef CONFIG\_BOOTLOADER2 sha256(buf, size\_bl33, (unsigned char \*) &pFwInfo.au32FwHash); pFwInfo.mData.au32FwRegion\[0\].u32Start = CONFIG\_START\_ADDRESS\_BL33; pFwInfo.mData.au32FwRegion\[0\].u32Size = size\_bl33; sign\_pFwInfo(&pFwInfo, &ecdsa\_key); memcpy(buf + BL33\_METADATA\_ADDRESS, (unsigned char \*) &pFwInfo, sizeof(FW\_INFO\_T)); img\_size = BL33\_METADATA\_ADDRESS + sizeof(FW\_INFO\_T); #endif fd = fopen(argv\[6\], "wb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[6\]); goto exit; } if (fwrite(buf, sizeof(char), (size\_t) img\_size, fd) != (size\_t) img\_size) { goto exit; } #endif ret = 0; exit: free(buf); fclose(fd); #ifdef CONFIG\_BOOTLOADER2 printf("\\n\\tNon-secure firmware info\\n"); printFwInfo(&pFwInfo); #endif return ret; }

CVE-2022-39830: mTower/fwinfogen.c at 18f4b592a8a973ce5972f4e2658ea0f6e3686284 · Samsung/mTower

Server-side JavaScript injection in Appsmith through 1.7.14 allows remote attackers to execute arbitrary JavaScript code from the server via the currentItem property of the list widget, e.g., to perform DoS attacks or achieve an information leak.

**Appsmith-Server-Side-Js-Injection-POC****Vuln Detail**

*   Vulnerability type: Server side js injection
    
*   Affected product: Appsmith
    
*   Affected version: v1.7.14 and below
    

When the application calls the 'currentItem' property of the list widget in the js code, the js injection is caused by not handling the list data properly. An attacker can use this to inject and execute malicious JavaScript code on the server, e.g. to perform dos attacks.

In fact, when the list data contains a semicolon, an error is reported: "UncaughtPromiseRejection: missing ) after argument list", which means that the list component is not handling the data properly and is splicing the list data directly into the js code.

When the list data is user-controllable and 'currentItem' is called in the js code, js injection has occurred.

I have made a simple demo application:

*   live demo: https://app.appsmith.com/app/my-first-application/page1-630ebec37e1d9179c33a1950
*   demo application: demo\_application/My first application.json

You can reproduce the vulnerability in this way.

1.  enter poc in any input component on the right
2.  click on the button of the first item in the list on the left

**POC**

poc - Denial of Service Attack: '+ (function(){while(1){}})() +'

poc - Information Leak: '+ console.log(appsmith.store) +'

Tag

#dos