On Thu, Nov 14, 2024 at 12:18:49PM -0800, Tony Dinh wrote: > Hi Tom, > Hi Stefan, > > On Thu, Nov 14, 2024 at 8:33 AM Tom Rini <tr...@konsulko.com> wrote: > > > > On Thu, Nov 14, 2024 at 04:07:15PM +0100, Michal Simek wrote: > > > > > Hi, > > > > > > On 11/14/24 15:56, Tom Rini wrote: > > > > On Thu, Nov 14, 2024 at 04:02:29AM +0000, > > > > zdi-disclosu...@trendmicro.com wrote: > > > > > > > > > Hi, > > > > > Do you have any updates to share regarding this vulnerability report? > > > > > > > > Michal, microblaze-generic is the most active platform that enables > > > > FS_JFFS2 by default and so vulnerable here. Can you find some resources > > > > to look in to fixing this please? Thanks. > > > > > > We have actually discussed this recently and we have other issues with > > > jffs2 > > > and not going to fix it or recommend to use it. > > > JFFS2 should be removed from our configs and it is also not under our > > > regression. > > > > Ah OK, thanks. Adding a few more maintainers now then. > > Does this affect only boards that explicitly use CMD_JFFS2? how about > boards that have not been converted to bootstd and still use "nand > read" like this: > > include/configs/openrd.h > > #define CFG_EXTRA_ENV_SETTINGS "x_bootargs=console=ttyS0,115200 " \ > CONFIG_MTDPARTS_DEFAULT " rw ubi.mtd=2,2048\0" \ > "x_bootcmd_kernel=nand read 0x6400000 0x100000 0x300000\0" \
It's a problem for boards which read from JFFS2 in U-Boot, yes. So in the case of the kernel / etc being read from a raw location (or ubi or what-have-you), if FS_JFFS2 (or CMD_JFFS2, same list of platforms) is disabled the problem goes away. And if we're down to just a few lightly used platforms, we can just drop JFFS2 support. Thanks! -- Tom
signature.asc
Description: PGP signature
