git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/blob

   1 From 6cebfbb79b1d5d8feb48801e1008eea5bfa8b599 Mon Sep 17 00:00:00 2001
   2 From: Gao Xiang <hsiangkao@linux.alibaba.com>
   3 Date: Fri, 2 Jun 2023 13:52:56 +0800
   4 Subject: [PATCH 2/2] erofs-utils: fsck: block insane long paths when
   5  extracting images
   6
   7 Since some crafted EROFS filesystem images could have insane deep
   8 hierarchy (or may form directory loops) which triggers the
   9 PATH_MAX-sized path buffer OR stack overflow.
  10
  11 Actually some crafted images cannot be deemed as real corrupted
  12 images but over-PATH_MAX paths are not something that we'd like to
  13 support for now.
  14
  15 CVE: CVE-2023-33551
  16 Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-33551
  17 Reported-by: Chaoming Yang <lometsj@live.com>
  18 Fixes: f44043561491 ("erofs-utils: introduce fsck.erofs")
  19 Fixes: b11f84f593f9 ("erofs-utils: fsck: convert to use erofs_iterate_dir()")
  20 Fixes: 412c8f908132 ("erofs-utils: fsck: add --extract=X support to extract to path X")
  21 Signeo-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
  22 Link: https://lore.kernel.org/r/20230602055256.18061-1-hsiangkao@linux.alibaba.com
  23
  24 Upstream-Status: Backport
  25 Signed-off-by: Ross Burton <ross.burton@arm.com>
  26 ---
  27  fsck/main.c | 23 +++++++++++++++--------
  28  1 file changed, 15 insertions(+), 8 deletions(-)
  29
  30 diff --git a/fsck/main.c b/fsck/main.c
  31 index 6689ad8..28d95ec 100644
  32 --- a/fsck/main.c
  33 +++ b/fsck/main.c
  34 @@ -680,28 +680,35 @@ again:
  35  static int erofsfsck_dirent_iter(struct erofs_dir_context *ctx)
  36  {
  37         int ret;
  38 -       size_t prev_pos = fsckcfg.extract_pos;
  39 +       size_t prev_pos, curr_pos;
  40
  41         if (ctx->dot_dotdot)
  42                 return 0;
  43
  44 -       if (fsckcfg.extract_path) {
  45 -               size_t curr_pos = prev_pos;
  46 +       prev_pos = fsckcfg.extract_pos;
  47 +       curr_pos = prev_pos;
  48 +
  49 +       if (prev_pos + ctx->de_namelen >= PATH_MAX) {
  50 +               erofs_err("unable to fsck since the path is too long (%u)",
  51 +                         curr_pos + ctx->de_namelen);
  52 +               return -EOPNOTSUPP;
  53 +       }
  54
  55 +       if (fsckcfg.extract_path) {
  56                 fsckcfg.extract_path[curr_pos++] = '/';
  57                 strncpy(fsckcfg.extract_path + curr_pos, ctx->dname,
  58                         ctx->de_namelen);
  59                 curr_pos += ctx->de_namelen;
  60                 fsckcfg.extract_path[curr_pos] = '\0';
  61 -               fsckcfg.extract_pos = curr_pos;
  62 +       } else {
  63 +               curr_pos += ctx->de_namelen;
  64         }
  65 -
  66 +       fsckcfg.extract_pos = curr_pos;
  67         ret = erofsfsck_check_inode(ctx->dir->nid, ctx->de_nid);
  68
  69 -       if (fsckcfg.extract_path) {
  70 +       if (fsckcfg.extract_path)
  71                 fsckcfg.extract_path[prev_pos] = '\0';
  72 -               fsckcfg.extract_pos = prev_pos;
  73 -       }
  74 +       fsckcfg.extract_pos = prev_pos;
  75         return ret;
  76  }
  77
  78 --
  79 2.34.1
  80