From 687b6e0a166d7dc999b7d226a9bd68155f59a03a Mon Sep 17 00:00:00 2001 From: Hongxu Jia Date: Wed, 19 Feb 2025 16:18:15 +0800 Subject: [PATCH] u-boot: fix CVE-2024-57255 An integer overflow in sqfs_resolve_symlink in Das U-Boot before 2025.01-rc1 occurs via a crafted squashfs filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite. https://nvd.nist.gov/vuln/detail/CVE-2024-57255 Signed-off-by: Hongxu Jia Signed-off-by: Steve Sakoman --- .../u-boot/files/CVE-2024-57255.patch | 53 +++++++++++++++++++ meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 + 2 files changed, 54 insertions(+) create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch new file mode 100644 index 0000000000..4ca72da554 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch @@ -0,0 +1,53 @@ +From 5d7ca74388544bf8c95e104517a9120e94bfe40d Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Fri, 2 Aug 2024 18:36:44 +0200 +Subject: [PATCH 2/8] squashfs: Fix integer overflow in sqfs_resolve_symlink() + +A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff, +as a consequence malloc() will do a zero allocation. +Later in the function the inode size is again used for copying data. +So an attacker can overwrite memory. +Avoid the overflow by using the __builtin_add_overflow() helper. + +Signed-off-by: Richard Weinberger +Reviewed-by: Miquel Raynal + +CVE: CVE-2024-57255 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/233945eba63e24061dffeeaeb7cd6fe985278356] +Signed-off-by: Hongxu Jia +--- + fs/squashfs/sqfs.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c +index 1430e671..16a07c06 100644 +--- a/fs/squashfs/sqfs.c ++++ b/fs/squashfs/sqfs.c +@@ -422,8 +422,10 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym, + char *resolved, *target; + u32 sz; + +- sz = get_unaligned_le32(&sym->symlink_size); +- target = malloc(sz + 1); ++ if (__builtin_add_overflow(get_unaligned_le32(&sym->symlink_size), 1, &sz)) ++ return NULL; ++ ++ target = malloc(sz); + if (!target) + return NULL; + +@@ -431,9 +433,9 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym, + * There is no trailling null byte in the symlink's target path, so a + * copy is made and a '\0' is added at its end. + */ +- target[sz] = '\0'; ++ target[sz - 1] = '\0'; + /* Get target name (relative path) */ +- strncpy(target, sym->symlink, sz); ++ strncpy(target, sym->symlink, sz - 1); + + /* Relative -> absolute path conversion */ + resolved = sqfs_get_abs_path(base_path, target); +-- +2.34.1 + diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index d9c6fcb993..cfe36256f3 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb @@ -12,6 +12,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ file://CVE-2022-2347_1.patch \ file://CVE-2022-2347_2.patch \ file://CVE-2024-57254.patch \ + file://CVE-2024-57255.patch \ " DEPENDS += "bc-native dtc-native python3-setuptools-native" -- 2.47.2