From patchwork Wed Feb 19 08:06:09 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hongxu Jia X-Patchwork-Id: 57585 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B3827C021AB for ; Wed, 19 Feb 2025 08:06:21 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.17370.1739952379035155921 for ; Wed, 19 Feb 2025 00:06:19 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=41458e6591=hongxu.jia@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 51J5h4ix011199 for ; Wed, 19 Feb 2025 08:06:18 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 44w00j8pk9-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 19 Feb 2025 08:06:17 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 19 Feb 2025 00:06:16 -0800 Received: from pek-lpg-core5.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 19 Feb 2025 00:06:15 -0800 From: Hongxu Jia To: Subject: [kirkstone][PATCH 1/6] u-boot: fix CVE-2024-57254 Date: Wed, 19 Feb 2025 16:06:09 +0800 Message-ID: <20250219080614.902786-1-hongxu.jia@windriver.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-Proofpoint-GUID: qhtyqOCY7N8bfa9JAlFHBugSfCY0HvNj X-Authority-Analysis: v=2.4 cv=I4GfRMgg c=1 sm=1 tr=0 ts=67b590f9 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=T2h4t0Lz3GQA:10 a=PYnjg3YJAAAA:8 a=YfCOm-DyAAAA:8 a=t7CeM3EgAAAA:8 a=P-IC7800AAAA:8 a=TPJKs4zHcULvXnfe0SAA:9 a=zQLMK8awuJ6_Hvp-_9Ux:22 a=FdTzh2GWekK77mhwV6Dw:22 a=d3PnA9EDa4IxuAV0gXij:22 X-Proofpoint-ORIG-GUID: qhtyqOCY7N8bfa9JAlFHBugSfCY0HvNj X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-02-19_03,2025-02-18_01,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 mlxscore=0 suspectscore=0 phishscore=0 impostorscore=0 priorityscore=1501 lowpriorityscore=0 mlxlogscore=965 spamscore=0 adultscore=0 clxscore=1015 bulkscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2502100000 definitions=main-2502190063 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Feb 2025 08:06:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211673 An integer overflow in sqfs_inode_size in Das U-Boot before 2025.01-rc1 occurs in the symlink size calculation via a crafted squashfs filesystem. https://nvd.nist.gov/vuln/detail/CVE-2024-57254 Signed-off-by: Hongxu Jia --- .../u-boot/files/CVE-2024-57254.patch | 47 +++++++++++++++++++ meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch new file mode 100644 index 0000000000..be00121224 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch @@ -0,0 +1,47 @@ +From 3f9deb424ecd6ecd50f165b42f0b0290d83853f5 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Fri, 2 Aug 2024 18:36:45 +0200 +Subject: [PATCH 1/8] squashfs: Fix integer overflow in sqfs_inode_size() + +A carefully crafted squashfs filesystem can exhibit an extremly large +inode size and overflow the calculation in sqfs_inode_size(). +As a consequence, the squashfs driver will read from wrong locations. + +Fix by using __builtin_add_overflow() to detect the overflow. + +Signed-off-by: Richard Weinberger +Reviewed-by: Miquel Raynal + +CVE: CVE-2024-57254 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/c8e929e5758999933f9e905049ef2bf3fe6b140d] +Signed-off-by: Hongxu Jia +--- + fs/squashfs/sqfs_inode.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c +index d25cfb53..bb3ccd37 100644 +--- a/fs/squashfs/sqfs_inode.c ++++ b/fs/squashfs/sqfs_inode.c +@@ -78,11 +78,16 @@ int sqfs_inode_size(struct squashfs_base_inode *inode, u32 blk_size) + + case SQFS_SYMLINK_TYPE: + case SQFS_LSYMLINK_TYPE: { ++ int size; ++ + struct squashfs_symlink_inode *symlink = + (struct squashfs_symlink_inode *)inode; + +- return sizeof(*symlink) + +- get_unaligned_le32(&symlink->symlink_size); ++ if (__builtin_add_overflow(sizeof(*symlink), ++ get_unaligned_le32(&symlink->symlink_size), &size)) ++ return -EINVAL; ++ ++ return size; + } + + case SQFS_BLKDEV_TYPE: +-- +2.34.1 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index 62ebe40cb6..d9c6fcb993 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb @@ -11,6 +11,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://CVE-2022-30790.patch \ file://CVE-2022-2347_1.patch \ file://CVE-2022-2347_2.patch \ + file://CVE-2024-57254.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native" From patchwork Wed Feb 19 08:06:10 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hongxu Jia X-Patchwork-Id: 57584 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B2A46C021AA for ; Wed, 19 Feb 2025 08:06:21 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.17371.1739952379428114531 for ; Wed, 19 Feb 2025 00:06:19 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=41458e6591=hongxu.jia@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 51J5h4j0011199 for ; Wed, 19 Feb 2025 08:06:18 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 44w00j8pk9-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 19 Feb 2025 08:06:18 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 19 Feb 2025 00:06:17 -0800 Received: from pek-lpg-core5.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 19 Feb 2025 00:06:16 -0800 From: Hongxu Jia To: Subject: [kirkstone][PATCH 2/6] u-boot: fix CVE-2024-57255 Date: Wed, 19 Feb 2025 16:06:10 +0800 Message-ID: <20250219080614.902786-2-hongxu.jia@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250219080614.902786-1-hongxu.jia@windriver.com> References: <20250219080614.902786-1-hongxu.jia@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: UwzRdO7ar3tKtDJDlzeaxWa3o60bU9HM X-Authority-Analysis: v=2.4 cv=I4GfRMgg c=1 sm=1 tr=0 ts=67b590fa cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=T2h4t0Lz3GQA:10 a=PYnjg3YJAAAA:8 a=YfCOm-DyAAAA:8 a=t7CeM3EgAAAA:8 a=P-IC7800AAAA:8 a=a0NpaTvsPSIvdQCIlX4A:9 a=zQLMK8awuJ6_Hvp-_9Ux:22 a=FdTzh2GWekK77mhwV6Dw:22 a=d3PnA9EDa4IxuAV0gXij:22 X-Proofpoint-ORIG-GUID: UwzRdO7ar3tKtDJDlzeaxWa3o60bU9HM X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-02-19_03,2025-02-18_01,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 mlxscore=0 suspectscore=0 phishscore=0 impostorscore=0 priorityscore=1501 lowpriorityscore=0 mlxlogscore=999 spamscore=0 adultscore=0 clxscore=1015 bulkscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2502100000 definitions=main-2502190063 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Feb 2025 08:06:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211674 An integer overflow in sqfs_resolve_symlink in Das U-Boot before 2025.01-rc1 occurs via a crafted squashfs filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite. https://nvd.nist.gov/vuln/detail/CVE-2024-57255 Signed-off-by: Hongxu Jia --- .../u-boot/files/CVE-2024-57255.patch | 53 +++++++++++++++++++ meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 + 2 files changed, 54 insertions(+) create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch new file mode 100644 index 0000000000..4ca72da554 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch @@ -0,0 +1,53 @@ +From 5d7ca74388544bf8c95e104517a9120e94bfe40d Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Fri, 2 Aug 2024 18:36:44 +0200 +Subject: [PATCH 2/8] squashfs: Fix integer overflow in sqfs_resolve_symlink() + +A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff, +as a consequence malloc() will do a zero allocation. +Later in the function the inode size is again used for copying data. +So an attacker can overwrite memory. +Avoid the overflow by using the __builtin_add_overflow() helper. + +Signed-off-by: Richard Weinberger +Reviewed-by: Miquel Raynal + +CVE: CVE-2024-57255 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/233945eba63e24061dffeeaeb7cd6fe985278356] +Signed-off-by: Hongxu Jia +--- + fs/squashfs/sqfs.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c +index 1430e671..16a07c06 100644 +--- a/fs/squashfs/sqfs.c ++++ b/fs/squashfs/sqfs.c +@@ -422,8 +422,10 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym, + char *resolved, *target; + u32 sz; + +- sz = get_unaligned_le32(&sym->symlink_size); +- target = malloc(sz + 1); ++ if (__builtin_add_overflow(get_unaligned_le32(&sym->symlink_size), 1, &sz)) ++ return NULL; ++ ++ target = malloc(sz); + if (!target) + return NULL; + +@@ -431,9 +433,9 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym, + * There is no trailling null byte in the symlink's target path, so a + * copy is made and a '\0' is added at its end. + */ +- target[sz] = '\0'; ++ target[sz - 1] = '\0'; + /* Get target name (relative path) */ +- strncpy(target, sym->symlink, sz); ++ strncpy(target, sym->symlink, sz - 1); + + /* Relative -> absolute path conversion */ + resolved = sqfs_get_abs_path(base_path, target); +-- +2.34.1 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index d9c6fcb993..cfe36256f3 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb @@ -12,6 +12,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://CVE-2022-2347_1.patch \ file://CVE-2022-2347_2.patch \ file://CVE-2024-57254.patch \ + file://CVE-2024-57255.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native" From patchwork Wed Feb 19 08:06:11 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hongxu Jia X-Patchwork-Id: 57586 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BBA42C021B1 for ; Wed, 19 Feb 2025 08:06:21 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.17621.1739952379977709324 for ; Wed, 19 Feb 2025 00:06:20 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=41458e6591=hongxu.jia@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 51J5h4j1011199 for ; Wed, 19 Feb 2025 08:06:19 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 44w00j8pk9-4 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 19 Feb 2025 08:06:19 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 19 Feb 2025 00:06:18 -0800 Received: from pek-lpg-core5.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 19 Feb 2025 00:06:17 -0800 From: Hongxu Jia To: Subject: [kirkstone][PATCH 3/6] u-boot: fix CVE-2024-57256 Date: Wed, 19 Feb 2025 16:06:11 +0800 Message-ID: <20250219080614.902786-3-hongxu.jia@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250219080614.902786-1-hongxu.jia@windriver.com> References: <20250219080614.902786-1-hongxu.jia@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: 8DNynoSo0oJeBJk-UweG33VELlae1pla X-Authority-Analysis: v=2.4 cv=I4GfRMgg c=1 sm=1 tr=0 ts=67b590fb cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=T2h4t0Lz3GQA:10 a=PYnjg3YJAAAA:8 a=YfCOm-DyAAAA:8 a=t7CeM3EgAAAA:8 a=r4y7CP4eWtFlPBpMJRAA:9 a=zQLMK8awuJ6_Hvp-_9Ux:22 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-ORIG-GUID: 8DNynoSo0oJeBJk-UweG33VELlae1pla X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-02-19_03,2025-02-18_01,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 mlxscore=0 suspectscore=0 phishscore=0 impostorscore=0 priorityscore=1501 lowpriorityscore=0 mlxlogscore=993 spamscore=0 adultscore=0 clxscore=1015 bulkscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2502100000 definitions=main-2502190063 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Feb 2025 08:06:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211675 An integer overflow in ext4fs_read_symlink in Das U-Boot before 2025.01-rc1 occurs for zalloc (adding one to an le32 variable) via a crafted ext4 filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite. https://nvd.nist.gov/vuln/detail/CVE-2024-57256 Signed-off-by: Hongxu Jia --- .../u-boot/files/CVE-2024-57256.patch | 51 +++++++++++++++++++ meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 + 2 files changed, 52 insertions(+) create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch new file mode 100644 index 0000000000..78cf4ac225 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch @@ -0,0 +1,51 @@ +From 49cab731abe7a98db4ac16666e3b5ab3bc799282 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Fri, 9 Aug 2024 11:54:28 +0200 +Subject: [PATCH 3/8] ext4: Fix integer overflow in ext4fs_read_symlink() + +While zalloc() takes a size_t type, adding 1 to the le32 variable +will overflow. +A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff +and as consequence zalloc() will do a zero allocation. + +Later in the function the inode size is again used for copying data. +So an attacker can overwrite memory. + +Avoid the overflow by using the __builtin_add_overflow() helper. + +Signed-off-by: Richard Weinberger + +CVE: CVE-2024-57256 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/35f75d2a46e5859138c83a75cd2f4141c5479ab9] +Signed-off-by: Hongxu Jia +--- + fs/ext4/ext4_common.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c +index f50de7c0..a7798296 100644 +--- a/fs/ext4/ext4_common.c ++++ b/fs/ext4/ext4_common.c +@@ -2188,13 +2188,18 @@ static char *ext4fs_read_symlink(struct ext2fs_node *node) + struct ext2fs_node *diro = node; + int status; + loff_t actread; ++ size_t alloc_size; + + if (!diro->inode_read) { + status = ext4fs_read_inode(diro->data, diro->ino, &diro->inode); + if (status == 0) + return NULL; + } +- symlink = zalloc(le32_to_cpu(diro->inode.size) + 1); ++ ++ if (__builtin_add_overflow(le32_to_cpu(diro->inode.size), 1, &alloc_size)) ++ return NULL; ++ ++ symlink = zalloc(alloc_size); + if (!symlink) + return NULL; + +-- +2.34.1 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index cfe36256f3..c643fb35f3 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb @@ -13,6 +13,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://CVE-2022-2347_2.patch \ file://CVE-2024-57254.patch \ file://CVE-2024-57255.patch \ + file://CVE-2024-57256.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native" From patchwork Wed Feb 19 08:06:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hongxu Jia X-Patchwork-Id: 57587 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CB655C021B0 for ; Wed, 19 Feb 2025 08:06:21 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.17622.1739952380522064787 for ; Wed, 19 Feb 2025 00:06:20 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=41458e6591=hongxu.jia@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 51J5h4j2011199 for ; Wed, 19 Feb 2025 08:06:19 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 44w00j8pk9-5 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 19 Feb 2025 08:06:19 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 19 Feb 2025 00:06:19 -0800 Received: from pek-lpg-core5.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 19 Feb 2025 00:06:18 -0800 From: Hongxu Jia To: Subject: [kirkstone][PATCH 4/6] u-boot: fix CVE-2024-57257 Date: Wed, 19 Feb 2025 16:06:12 +0800 Message-ID: <20250219080614.902786-4-hongxu.jia@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250219080614.902786-1-hongxu.jia@windriver.com> References: <20250219080614.902786-1-hongxu.jia@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: vntXvvhSHJ59nIhq7_Ff5izJiLUzONne X-Authority-Analysis: v=2.4 cv=I4GfRMgg c=1 sm=1 tr=0 ts=67b590fb cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=T2h4t0Lz3GQA:10 a=PYnjg3YJAAAA:8 a=YfCOm-DyAAAA:8 a=t7CeM3EgAAAA:8 a=P-IC7800AAAA:8 a=f3mU4yBjuhGa3ZgnF9gA:9 a=zQLMK8awuJ6_Hvp-_9Ux:22 a=FdTzh2GWekK77mhwV6Dw:22 a=d3PnA9EDa4IxuAV0gXij:22 X-Proofpoint-ORIG-GUID: vntXvvhSHJ59nIhq7_Ff5izJiLUzONne X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-02-19_03,2025-02-18_01,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 mlxscore=0 suspectscore=0 phishscore=0 impostorscore=0 priorityscore=1501 lowpriorityscore=0 mlxlogscore=999 spamscore=0 adultscore=0 clxscore=1015 bulkscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2502100000 definitions=main-2502190063 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Feb 2025 08:06:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211676 A stack consumption issue in sqfs_size in Das U-Boot before 2025.01-rc1 occurs via a crafted squashfs filesystem with deep symlink nesting. https://nvd.nist.gov/vuln/detail/CVE-2024-57257 Signed-off-by: Hongxu Jia --- .../u-boot/files/CVE-2024-57257.patch | 228 ++++++++++++++++++ meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 + 2 files changed, 229 insertions(+) create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch new file mode 100644 index 0000000000..5b6cbb8cad --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch @@ -0,0 +1,228 @@ +From 790a2005e7a44dba059f5dbf1b9eff3a13e9b5e7 Mon Sep 17 00:00:00 2001 +From: Hongxu Jia +Date: Wed, 19 Feb 2025 15:51:53 +0800 +Subject: [PATCH] squashfs: Fix stack overflow while symlink resolving + +The squashfs driver blindly follows symlinks, and calls sqfs_size() +recursively. So an attacker can create a crafted filesystem and with +a deep enough nesting level a stack overflow can be achieved. + +Fix by limiting the nesting level to 8. + +Signed-off-by: Richard Weinberger +Reviewed-by: Miquel Raynal + +CVE: CVE-2024-57257 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/4f5cc096bfd0a591f8a11e86999e3d90a9484c34] + +Signed-off-by: Hongxu Jia +--- + fs/squashfs/sqfs.c | 76 +++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 61 insertions(+), 15 deletions(-) + +diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c +index 7f2af8e1f9..09c0911689 100644 +--- a/fs/squashfs/sqfs.c ++++ b/fs/squashfs/sqfs.c +@@ -24,7 +24,12 @@ + #include "sqfs_filesystem.h" + #include "sqfs_utils.h" + ++#define MAX_SYMLINK_NEST 8 ++ + static struct squashfs_ctxt ctxt; ++static int symlinknest; ++ ++static int sqfs_readdir_nest(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp); + + static int sqfs_disk_read(__u32 block, __u32 nr_blocks, void *buf) + { +@@ -502,7 +507,7 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, + goto out; + } + +- while (!sqfs_readdir(dirsp, &dent)) { ++ while (!sqfs_readdir_nest(dirsp, &dent)) { + ret = strcmp(dent->name, token_list[j]); + if (!ret) + break; +@@ -527,6 +532,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, + + /* Check for symbolic link and inode type sanity */ + if (get_unaligned_le16(&dir->inode_type) == SQFS_SYMLINK_TYPE) { ++ if (++symlinknest == MAX_SYMLINK_NEST) { ++ ret = -ELOOP; ++ goto out; ++ } ++ + sym = (struct squashfs_symlink_inode *)table; + /* Get first j + 1 tokens */ + path = sqfs_concat_tokens(token_list, j + 1); +@@ -872,7 +882,7 @@ out: + return metablks_count; + } + +-int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp) ++static int sqfs_opendir_nest(const char *filename, struct fs_dir_stream **dirsp) + { + unsigned char *inode_table = NULL, *dir_table = NULL; + int j, token_count = 0, ret = 0, metablks_count; +@@ -967,7 +977,19 @@ out: + return ret; + } + ++int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp) ++{ ++ symlinknest = 0; ++ return sqfs_opendir_nest(filename, dirsp); ++} ++ + int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp) ++{ ++ symlinknest = 0; ++ return sqfs_readdir_nest(fs_dirs, dentp); ++} ++ ++static int sqfs_readdir_nest(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp) + { + struct squashfs_super_block *sblk = ctxt.sblk; + struct squashfs_dir_stream *dirs; +@@ -1311,8 +1333,8 @@ static int sqfs_get_lregfile_info(struct squashfs_lreg_inode *lreg, + return datablk_count; + } + +-int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len, +- loff_t *actread) ++static int sqfs_read_nest(const char *filename, void *buf, loff_t offset, ++ loff_t len, loff_t *actread) + { + char *dir = NULL, *fragment_block, *datablock = NULL, *data_buffer = NULL; + char *fragment = NULL, *file = NULL, *resolved, *data; +@@ -1342,11 +1364,11 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len, + } + + /* +- * sqfs_opendir will uncompress inode and directory tables, and will ++ * sqfs_opendir_nest will uncompress inode and directory tables, and will + * return a pointer to the directory that contains the requested file. + */ + sqfs_split_path(&file, &dir, filename); +- ret = sqfs_opendir(dir, &dirsp); ++ ret = sqfs_opendir_nest(dir, &dirsp); + if (ret) { + goto out; + } +@@ -1354,7 +1376,7 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len, + dirs = (struct squashfs_dir_stream *)dirsp; + + /* For now, only regular files are able to be loaded */ +- while (!sqfs_readdir(dirsp, &dent)) { ++ while (!sqfs_readdir_nest(dirsp, &dent)) { + ret = strcmp(dent->name, file); + if (!ret) + break; +@@ -1403,9 +1425,14 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len, + break; + case SQFS_SYMLINK_TYPE: + case SQFS_LSYMLINK_TYPE: ++ if (++symlinknest == MAX_SYMLINK_NEST) { ++ ret = -ELOOP; ++ goto out; ++ } ++ + symlink = (struct squashfs_symlink_inode *)ipos; + resolved = sqfs_resolve_symlink(symlink, filename); +- ret = sqfs_read(resolved, buf, offset, len, actread); ++ ret = sqfs_read_nest(resolved, buf, offset, len, actread); + free(resolved); + goto out; + case SQFS_BLKDEV_TYPE: +@@ -1579,7 +1606,14 @@ out: + return ret; + } + +-int sqfs_size(const char *filename, loff_t *size) ++int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len, ++ loff_t *actread) ++{ ++ symlinknest = 0; ++ return sqfs_read_nest(filename, buf, offset, len, actread); ++} ++ ++static int sqfs_size_nest(const char *filename, loff_t *size) + { + struct squashfs_super_block *sblk = ctxt.sblk; + struct squashfs_symlink_inode *symlink; +@@ -1595,10 +1629,10 @@ int sqfs_size(const char *filename, loff_t *size) + + sqfs_split_path(&file, &dir, filename); + /* +- * sqfs_opendir will uncompress inode and directory tables, and will ++ * sqfs_opendir_nest will uncompress inode and directory tables, and will + * return a pointer to the directory that contains the requested file. + */ +- ret = sqfs_opendir(dir, &dirsp); ++ ret = sqfs_opendir_nest(dir, &dirsp); + if (ret) { + ret = -EINVAL; + goto free_strings; +@@ -1606,7 +1640,7 @@ int sqfs_size(const char *filename, loff_t *size) + + dirs = (struct squashfs_dir_stream *)dirsp; + +- while (!sqfs_readdir(dirsp, &dent)) { ++ while (!sqfs_readdir_nest(dirsp, &dent)) { + ret = strcmp(dent->name, file); + if (!ret) + break; +@@ -1639,6 +1673,11 @@ int sqfs_size(const char *filename, loff_t *size) + break; + case SQFS_SYMLINK_TYPE: + case SQFS_LSYMLINK_TYPE: ++ if (++symlinknest == MAX_SYMLINK_NEST) { ++ *size = 0; ++ return -ELOOP; ++ } ++ + symlink = (struct squashfs_symlink_inode *)ipos; + resolved = sqfs_resolve_symlink(symlink, filename); + ret = sqfs_size(resolved, size); +@@ -1678,10 +1717,11 @@ int sqfs_exists(const char *filename) + + sqfs_split_path(&file, &dir, filename); + /* +- * sqfs_opendir will uncompress inode and directory tables, and will ++ * sqfs_opendir_nest will uncompress inode and directory tables, and will + * return a pointer to the directory that contains the requested file. + */ +- ret = sqfs_opendir(dir, &dirsp); ++ symlinknest = 0; ++ ret = sqfs_opendir_nest(dir, &dirsp); + if (ret) { + ret = -EINVAL; + goto free_strings; +@@ -1689,7 +1729,7 @@ int sqfs_exists(const char *filename) + + dirs = (struct squashfs_dir_stream *)dirsp; + +- while (!sqfs_readdir(dirsp, &dent)) { ++ while (!sqfs_readdir_nest(dirsp, &dent)) { + ret = strcmp(dent->name, file); + if (!ret) + break; +@@ -1706,6 +1746,12 @@ free_strings: + return ret == 0; + } + ++int sqfs_size(const char *filename, loff_t *size) ++{ ++ symlinknest = 0; ++ return sqfs_size_nest(filename, size); ++} ++ + void sqfs_close(void) + { + sqfs_decompressor_cleanup(&ctxt); +-- +2.34.1 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index c643fb35f3..c68e3e442f 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb @@ -14,6 +14,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://CVE-2024-57254.patch \ file://CVE-2024-57255.patch \ file://CVE-2024-57256.patch \ + file://CVE-2024-57257.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native" From patchwork Wed Feb 19 08:06:13 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hongxu Jia X-Patchwork-Id: 57589 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BE418C021AA for ; Wed, 19 Feb 2025 08:06:31 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.17624.1739952382287591083 for ; Wed, 19 Feb 2025 00:06:22 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=41458e6591=hongxu.jia@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 51J5UZLp018399 for ; Wed, 19 Feb 2025 08:06:21 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 44w00kgpq0-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 19 Feb 2025 08:06:21 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 19 Feb 2025 00:06:20 -0800 Received: from pek-lpg-core5.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 19 Feb 2025 00:06:19 -0800 From: Hongxu Jia To: Subject: [kirkstone][PATCH 5/6] u-boot: fix CVE-2024-57258 Date: Wed, 19 Feb 2025 16:06:13 +0800 Message-ID: <20250219080614.902786-5-hongxu.jia@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250219080614.902786-1-hongxu.jia@windriver.com> References: <20250219080614.902786-1-hongxu.jia@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: bW2auiXOPa_94sPVEA_U3SBG2M3BcpdQ X-Proofpoint-ORIG-GUID: bW2auiXOPa_94sPVEA_U3SBG2M3BcpdQ X-Authority-Analysis: v=2.4 cv=BvtnwZX5 c=1 sm=1 tr=0 ts=67b590fd cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=T2h4t0Lz3GQA:10 a=PYnjg3YJAAAA:8 a=YfCOm-DyAAAA:8 a=t7CeM3EgAAAA:8 a=cm27Pg_UAAAA:8 a=cQx7QxLJpbgKyGtIH1UA:9 a=zQLMK8awuJ6_Hvp-_9Ux:22 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-02-19_03,2025-02-18_01,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 adultscore=0 priorityscore=1501 mlxlogscore=999 bulkscore=0 clxscore=1015 malwarescore=0 phishscore=0 mlxscore=0 spamscore=0 impostorscore=0 suspectscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2502100000 definitions=main-2502190063 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Feb 2025 08:06:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211677 Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1 occur for a crafted squashfs filesystem via sbrk, via request2size, or because ptrdiff_t is mishandled on x86_64. https://nvd.nist.gov/vuln/detail/CVE-2024-57258 Signed-off-by: Hongxu Jia --- .../u-boot/files/CVE-2024-57258-1.patch | 47 +++++++++++++++++++ .../u-boot/files/CVE-2024-57258-2.patch | 43 +++++++++++++++++ .../u-boot/files/CVE-2024-57258-3.patch | 40 ++++++++++++++++ meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 3 ++ 4 files changed, 133 insertions(+) create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch new file mode 100644 index 0000000000..d33a4260ba --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch @@ -0,0 +1,47 @@ +From 50ab41c3628dedeca1a331dd86dd203b73faea74 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Fri, 2 Aug 2024 12:08:45 +0200 +Subject: [PATCH 5/8] dlmalloc: Fix integer overflow in sbrk() + +Make sure that the new break is within mem_malloc_start +and mem_malloc_end before making progress. +ulong new = old + increment; can overflow for extremely large +increment values and memset() can get wrongly called. + +Signed-off-by: Richard Weinberger +Reviewed-by: Simon Glass + +CVE: CVE-2024-57258 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/0a10b49206a29b4aa2f80233a3e53ca0466bb0b3] +Signed-off-by: Hongxu Jia +--- + common/dlmalloc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/common/dlmalloc.c b/common/dlmalloc.c +index de3f0422..bae2a27c 100644 +--- a/common/dlmalloc.c ++++ b/common/dlmalloc.c +@@ -591,6 +591,9 @@ void *sbrk(ptrdiff_t increment) + ulong old = mem_malloc_brk; + ulong new = old + increment; + ++ if ((new < mem_malloc_start) || (new > mem_malloc_end)) ++ return (void *)MORECORE_FAILURE; ++ + /* + * if we are giving memory back make sure we clear it out since + * we set MORECORE_CLEARS to 1 +@@ -598,9 +601,6 @@ void *sbrk(ptrdiff_t increment) + if (increment < 0) + memset((void *)new, 0, -increment); + +- if ((new < mem_malloc_start) || (new > mem_malloc_end)) +- return (void *)MORECORE_FAILURE; +- + mem_malloc_brk = new; + + return (void *)old; +-- +2.34.1 + diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch new file mode 100644 index 0000000000..688e2c64d8 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch @@ -0,0 +1,43 @@ +From db7c626204f488a802a2e58b7a788b11fde6be7d Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Fri, 2 Aug 2024 12:08:44 +0200 +Subject: [PATCH 6/8] dlmalloc: Fix integer overflow in request2size() + +req is of type size_t, casting it to long opens the door +for an integer overflow. +Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX +cause and overflow such that request2size() returns MINSIZE. + +Fix by removing the cast. +The origin of the cast is unclear, it's in u-boot and ppcboot since ever +and predates the CVS history. +Doug Lea's original dlmalloc implementation also doesn't have it. + +Signed-off-by: Richard Weinberger +Reviewed-by: Simon Glass + +CVE: CVE-2024-57258 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/8642b2178d2c4002c99a0b69a845a48f2ae2706f] +Signed-off-by: Hongxu Jia +--- + common/dlmalloc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/common/dlmalloc.c b/common/dlmalloc.c +index bae2a27c..1ac4ee9f 100644 +--- a/common/dlmalloc.c ++++ b/common/dlmalloc.c +@@ -379,8 +379,8 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + /* pad request bytes into a usable size */ + + #define request2size(req) \ +- (((long)((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \ +- (long)(MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \ ++ ((((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \ ++ (MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \ + (((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) & ~(MALLOC_ALIGN_MASK))) + + /* Check if m has acceptable alignment */ +-- +2.34.1 + diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch new file mode 100644 index 0000000000..2c8a7c9d91 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch @@ -0,0 +1,40 @@ +From 37095a204127b60b5e00c4c5d435d6e48a6a1c51 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Fri, 2 Aug 2024 12:08:43 +0200 +Subject: [PATCH 7/8] x86: Fix ptrdiff_t for x86_64 + +sbrk() assumes ptrdiff_t is large enough to enlarge/shrink the heap +by LONG_MIN/LONG_MAX. +So, use the long type, also to match the rest of the Linux ecosystem. + +Signed-off-by: Richard Weinberger +Reviewed-by: Simon Glass + +CVE: CVE-2024-57258 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/c17b2a05dd50a3ba437e6373093a0d6a359cdee0] +Signed-off-by: Hongxu Jia +--- + arch/x86/include/asm/posix_types.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/posix_types.h b/arch/x86/include/asm/posix_types.h +index dbcea7f4..e1ed9bca 100644 +--- a/arch/x86/include/asm/posix_types.h ++++ b/arch/x86/include/asm/posix_types.h +@@ -20,11 +20,12 @@ typedef unsigned short __kernel_gid_t; + #if defined(__x86_64__) + typedef unsigned long __kernel_size_t; + typedef long __kernel_ssize_t; ++typedef long __kernel_ptrdiff_t; + #else + typedef unsigned int __kernel_size_t; + typedef int __kernel_ssize_t; +-#endif + typedef int __kernel_ptrdiff_t; ++#endif + typedef long __kernel_time_t; + typedef long __kernel_suseconds_t; + typedef long __kernel_clock_t; +-- +2.34.1 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index c68e3e442f..cdee9fc721 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb @@ -15,6 +15,9 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://CVE-2024-57255.patch \ file://CVE-2024-57256.patch \ file://CVE-2024-57257.patch \ + file://CVE-2024-57258-1.patch \ + file://CVE-2024-57258-2.patch \ + file://CVE-2024-57258-3.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native" From patchwork Wed Feb 19 08:06:14 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hongxu Jia X-Patchwork-Id: 57588 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BE449C021AB for ; Wed, 19 Feb 2025 08:06:31 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.17372.1739952382752042405 for ; Wed, 19 Feb 2025 00:06:22 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=41458e6591=hongxu.jia@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 51J5UZLq018399 for ; Wed, 19 Feb 2025 08:06:22 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 44w00kgpq0-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 19 Feb 2025 08:06:21 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 19 Feb 2025 00:06:21 -0800 Received: from pek-lpg-core5.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 19 Feb 2025 00:06:20 -0800 From: Hongxu Jia To: Subject: [kirkstone][PATCH 6/6] u-boot: fix CVE-2024-57259 Date: Wed, 19 Feb 2025 16:06:14 +0800 Message-ID: <20250219080614.902786-6-hongxu.jia@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250219080614.902786-1-hongxu.jia@windriver.com> References: <20250219080614.902786-1-hongxu.jia@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: VKAFlP4mIGNKHGlJJgAIKKdGQzr4lKgZ X-Proofpoint-ORIG-GUID: VKAFlP4mIGNKHGlJJgAIKKdGQzr4lKgZ X-Authority-Analysis: v=2.4 cv=BvtnwZX5 c=1 sm=1 tr=0 ts=67b590fd cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=T2h4t0Lz3GQA:10 a=PYnjg3YJAAAA:8 a=YfCOm-DyAAAA:8 a=t7CeM3EgAAAA:8 a=P-IC7800AAAA:8 a=Al2zql01oGyaSE7bB7UA:9 a=zQLMK8awuJ6_Hvp-_9Ux:22 a=FdTzh2GWekK77mhwV6Dw:22 a=d3PnA9EDa4IxuAV0gXij:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-02-19_03,2025-02-18_01,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 adultscore=0 priorityscore=1501 mlxlogscore=999 bulkscore=0 clxscore=1015 malwarescore=0 phishscore=0 mlxscore=0 spamscore=0 impostorscore=0 suspectscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2502100000 definitions=main-2502190063 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Feb 2025 08:06:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211678 sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error and resultant heap memory corruption for squashfs directory listing because the path separator is not considered in a size calculation. https://nvd.nist.gov/vuln/detail/CVE-2024-57259 Signed-off-by: Hongxu Jia --- .../u-boot/files/CVE-2024-57259.patch | 41 +++++++++++++++++++ meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 + 2 files changed, 42 insertions(+) create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch new file mode 100644 index 0000000000..fdf5fdfce4 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch @@ -0,0 +1,41 @@ +From 2c08fe306c6cbc60ec4beb434c71e56bb7abb678 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Fri, 2 Aug 2024 22:05:09 +0200 +Subject: [PATCH 8/8] squashfs: Fix heap corruption in sqfs_search_dir() + +res needs to be large enough to store both strings rem and target, +plus the path separator and the terminator. +Currently the space for the path separator is not accounted, so +the heap is corrupted by one byte. + +Signed-off-by: Richard Weinberger +Reviewed-by: Miquel Raynal + +CVE: CVE-2024-57259 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/048d795bb5b3d9c5701b4855f5e74bcf6849bf5e] +Signed-off-by: Hongxu Jia +--- + fs/squashfs/sqfs.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c +index a5b7890e..1bd9b2a4 100644 +--- a/fs/squashfs/sqfs.c ++++ b/fs/squashfs/sqfs.c +@@ -563,8 +563,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, + ret = -ENOMEM; + goto out; + } +- /* Concatenate remaining tokens and symlink's target */ +- res = malloc(strlen(rem) + strlen(target) + 1); ++ /* ++ * Concatenate remaining tokens and symlink's target. ++ * Allocate enough space for rem, target, '/' and '\0'. ++ */ ++ res = malloc(strlen(rem) + strlen(target) + 2); + if (!res) { + ret = -ENOMEM; + goto out; +-- +2.34.1 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index cdee9fc721..0ff2477c39 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb @@ -18,6 +18,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://CVE-2024-57258-1.patch \ file://CVE-2024-57258-2.patch \ file://CVE-2024-57258-3.patch \ + file://CVE-2024-57259.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native"