From patchwork Wed Feb 19 08:06:09 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hongxu Jia X-Patchwork-Id: 57585 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B3827C021AB for ; Wed, 19 Feb 2025 08:06:21 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.17370.1739952379035155921 for ; Wed, 19 Feb 2025 00:06:19 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=41458e6591=hongxu.jia@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 51J5h4ix011199 for ; Wed, 19 Feb 2025 08:06:18 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 44w00j8pk9-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 19 Feb 2025 08:06:17 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 19 Feb 2025 00:06:16 -0800 Received: from pek-lpg-core5.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 19 Feb 2025 00:06:15 -0800 From: Hongxu Jia To: Subject: [kirkstone][PATCH 1/6] u-boot: fix CVE-2024-57254 Date: Wed, 19 Feb 2025 16:06:09 +0800 Message-ID: <20250219080614.902786-1-hongxu.jia@windriver.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-Proofpoint-GUID: qhtyqOCY7N8bfa9JAlFHBugSfCY0HvNj X-Authority-Analysis: v=2.4 cv=I4GfRMgg c=1 sm=1 tr=0 ts=67b590f9 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=T2h4t0Lz3GQA:10 a=PYnjg3YJAAAA:8 a=YfCOm-DyAAAA:8 a=t7CeM3EgAAAA:8 a=P-IC7800AAAA:8 a=TPJKs4zHcULvXnfe0SAA:9 a=zQLMK8awuJ6_Hvp-_9Ux:22 a=FdTzh2GWekK77mhwV6Dw:22 a=d3PnA9EDa4IxuAV0gXij:22 X-Proofpoint-ORIG-GUID: qhtyqOCY7N8bfa9JAlFHBugSfCY0HvNj X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-02-19_03,2025-02-18_01,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 mlxscore=0 suspectscore=0 phishscore=0 impostorscore=0 priorityscore=1501 lowpriorityscore=0 mlxlogscore=965 spamscore=0 adultscore=0 clxscore=1015 bulkscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2502100000 definitions=main-2502190063 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Feb 2025 08:06:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211673 An integer overflow in sqfs_inode_size in Das U-Boot before 2025.01-rc1 occurs in the symlink size calculation via a crafted squashfs filesystem. https://nvd.nist.gov/vuln/detail/CVE-2024-57254 Signed-off-by: Hongxu Jia --- .../u-boot/files/CVE-2024-57254.patch | 47 +++++++++++++++++++ meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch new file mode 100644 index 0000000000..be00121224 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch @@ -0,0 +1,47 @@ +From 3f9deb424ecd6ecd50f165b42f0b0290d83853f5 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Fri, 2 Aug 2024 18:36:45 +0200 +Subject: [PATCH 1/8] squashfs: Fix integer overflow in sqfs_inode_size() + +A carefully crafted squashfs filesystem can exhibit an extremly large +inode size and overflow the calculation in sqfs_inode_size(). +As a consequence, the squashfs driver will read from wrong locations. + +Fix by using __builtin_add_overflow() to detect the overflow. + +Signed-off-by: Richard Weinberger +Reviewed-by: Miquel Raynal + +CVE: CVE-2024-57254 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/c8e929e5758999933f9e905049ef2bf3fe6b140d] +Signed-off-by: Hongxu Jia +--- + fs/squashfs/sqfs_inode.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c +index d25cfb53..bb3ccd37 100644 +--- a/fs/squashfs/sqfs_inode.c ++++ b/fs/squashfs/sqfs_inode.c +@@ -78,11 +78,16 @@ int sqfs_inode_size(struct squashfs_base_inode *inode, u32 blk_size) + + case SQFS_SYMLINK_TYPE: + case SQFS_LSYMLINK_TYPE: { ++ int size; ++ + struct squashfs_symlink_inode *symlink = + (struct squashfs_symlink_inode *)inode; + +- return sizeof(*symlink) + +- get_unaligned_le32(&symlink->symlink_size); ++ if (__builtin_add_overflow(sizeof(*symlink), ++ get_unaligned_le32(&symlink->symlink_size), &size)) ++ return -EINVAL; ++ ++ return size; + } + + case SQFS_BLKDEV_TYPE: +-- +2.34.1 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index 62ebe40cb6..d9c6fcb993 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb @@ -11,6 +11,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://CVE-2022-30790.patch \ file://CVE-2022-2347_1.patch \ file://CVE-2022-2347_2.patch \ + file://CVE-2024-57254.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native"