--- /dev/null
+From 3f9deb424ecd6ecd50f165b42f0b0290d83853f5 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 18:36:45 +0200
+Subject: [PATCH 1/8] squashfs: Fix integer overflow in sqfs_inode_size()
+
+A carefully crafted squashfs filesystem can exhibit an extremly large
+inode size and overflow the calculation in sqfs_inode_size().
+As a consequence, the squashfs driver will read from wrong locations.
+
+Fix by using __builtin_add_overflow() to detect the overflow.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+
+CVE: CVE-2024-57254
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/c8e929e5758999933f9e905049ef2bf3fe6b140d]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/squashfs/sqfs_inode.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c
+index d25cfb53..bb3ccd37 100644
+--- a/fs/squashfs/sqfs_inode.c
++++ b/fs/squashfs/sqfs_inode.c
+@@ -78,11 +78,16 @@ int sqfs_inode_size(struct squashfs_base_inode *inode, u32 blk_size)
+
+ case SQFS_SYMLINK_TYPE:
+ case SQFS_LSYMLINK_TYPE: {
++ int size;
++
+ struct squashfs_symlink_inode *symlink =
+ (struct squashfs_symlink_inode *)inode;
+
+- return sizeof(*symlink) +
+- get_unaligned_le32(&symlink->symlink_size);
++ if (__builtin_add_overflow(sizeof(*symlink),
++ get_unaligned_le32(&symlink->symlink_size), &size))
++ return -EINVAL;
++
++ return size;
+ }
+
+ case SQFS_BLKDEV_TYPE:
+--
+2.34.1
+
projects / thirdparty / openembedded / openembedded-core-contrib.git / commitdiff
