From: Hongxu Jia <hongxu....@windriver.com> An integer overflow in sqfs_inode_size in Das U-Boot before 2025.01-rc1 occurs in the symlink size calculation via a crafted squashfs filesystem.
https://nvd.nist.gov/vuln/detail/CVE-2024-57254 Signed-off-by: Hongxu Jia <hongxu....@windriver.com> Signed-off-by: Steve Sakoman <st...@sakoman.com> --- .../u-boot/files/CVE-2024-57254.patch | 47 +++++++++++++++++++ meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch new file mode 100644 index 0000000000..be00121224 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch @@ -0,0 +1,47 @@ +From 3f9deb424ecd6ecd50f165b42f0b0290d83853f5 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger <rich...@nod.at> +Date: Fri, 2 Aug 2024 18:36:45 +0200 +Subject: [PATCH 1/8] squashfs: Fix integer overflow in sqfs_inode_size() + +A carefully crafted squashfs filesystem can exhibit an extremly large +inode size and overflow the calculation in sqfs_inode_size(). +As a consequence, the squashfs driver will read from wrong locations. + +Fix by using __builtin_add_overflow() to detect the overflow. + +Signed-off-by: Richard Weinberger <rich...@nod.at> +Reviewed-by: Miquel Raynal <miquel.ray...@bootlin.com> + +CVE: CVE-2024-57254 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/c8e929e5758999933f9e905049ef2bf3fe6b140d] +Signed-off-by: Hongxu Jia <hongxu....@windriver.com> +--- + fs/squashfs/sqfs_inode.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c +index d25cfb53..bb3ccd37 100644 +--- a/fs/squashfs/sqfs_inode.c ++++ b/fs/squashfs/sqfs_inode.c +@@ -78,11 +78,16 @@ int sqfs_inode_size(struct squashfs_base_inode *inode, u32 blk_size) + + case SQFS_SYMLINK_TYPE: + case SQFS_LSYMLINK_TYPE: { ++ int size; ++ + struct squashfs_symlink_inode *symlink = + (struct squashfs_symlink_inode *)inode; + +- return sizeof(*symlink) + +- get_unaligned_le32(&symlink->symlink_size); ++ if (__builtin_add_overflow(sizeof(*symlink), ++ get_unaligned_le32(&symlink->symlink_size), &size)) ++ return -EINVAL; ++ ++ return size; + } + + case SQFS_BLKDEV_TYPE: +-- +2.34.1 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index 62ebe40cb6..d9c6fcb993 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb @@ -11,6 +11,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://CVE-2022-30790.patch \ file://CVE-2022-2347_1.patch \ file://CVE-2022-2347_2.patch \ + file://CVE-2024-57254.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native" -- 2.43.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#211888): https://lists.openembedded.org/g/openembedded-core/message/211888 Mute This Topic: https://lists.openembedded.org/mt/111377446/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
