From: Hongxu Jia <hongxu....@windriver.com> sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error and resultant heap memory corruption for squashfs directory listing because the path separator is not considered in a size calculation.
https://nvd.nist.gov/vuln/detail/CVE-2024-57259 Signed-off-by: Hongxu Jia <hongxu....@windriver.com> Signed-off-by: Steve Sakoman <st...@sakoman.com> --- .../u-boot/files/CVE-2024-57259.patch | 41 +++++++++++++++++++ meta/recipes-bsp/u-boot/u-boot-common.inc | 1 + 2 files changed, 42 insertions(+) create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch new file mode 100644 index 0000000000..fdf5fdfce4 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch @@ -0,0 +1,41 @@ +From 2c08fe306c6cbc60ec4beb434c71e56bb7abb678 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger <rich...@nod.at> +Date: Fri, 2 Aug 2024 22:05:09 +0200 +Subject: [PATCH 8/8] squashfs: Fix heap corruption in sqfs_search_dir() + +res needs to be large enough to store both strings rem and target, +plus the path separator and the terminator. +Currently the space for the path separator is not accounted, so +the heap is corrupted by one byte. + +Signed-off-by: Richard Weinberger <rich...@nod.at> +Reviewed-by: Miquel Raynal <miquel.ray...@bootlin.com> + +CVE: CVE-2024-57259 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/048d795bb5b3d9c5701b4855f5e74bcf6849bf5e] +Signed-off-by: Hongxu Jia <hongxu....@windriver.com> +--- + fs/squashfs/sqfs.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c +index a5b7890e..1bd9b2a4 100644 +--- a/fs/squashfs/sqfs.c ++++ b/fs/squashfs/sqfs.c +@@ -563,8 +563,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, + ret = -ENOMEM; + goto out; + } +- /* Concatenate remaining tokens and symlink's target */ +- res = malloc(strlen(rem) + strlen(target) + 1); ++ /* ++ * Concatenate remaining tokens and symlink's target. ++ * Allocate enough space for rem, target, '/' and '\0'. ++ */ ++ res = malloc(strlen(rem) + strlen(target) + 2); + if (!res) { + ret = -ENOMEM; + goto out; +-- +2.34.1 + diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc index d3af17f82b..3a48b63c42 100644 --- a/meta/recipes-bsp/u-boot/u-boot-common.inc +++ b/meta/recipes-bsp/u-boot/u-boot-common.inc @@ -22,6 +22,7 @@ SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \ file://CVE-2024-57258-1.patch \ file://CVE-2024-57258-2.patch \ file://CVE-2024-57258-3.patch \ + file://CVE-2024-57259.patch \ " S = "${WORKDIR}/git" -- 2.43.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#211930): https://lists.openembedded.org/g/openembedded-core/message/211930 Mute This Topic: https://lists.openembedded.org/mt/111384946/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
