mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-23 00:32:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

u-boot: fix CVE-2024-57257

Browse Source 
A stack consumption issue in sqfs_size in Das U-Boot before 2025.01-rc1
occurs via a crafted squashfs filesystem with deep symlink nesting.

https://nvd.nist.gov/vuln/detail/CVE-2024-57257

(From OE-Core rev: 5ed8ad78bcce836aa8894de7a1d7fdf719e5bbca)

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Hongxu Jia
2025-02-19 16:18:17 +08:00
committed by Steve Sakoman
parent c54a2f894e
commit 86f0ab4d07
2 changed files with 229 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

228
meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch Normal file
View File

@@ -0,0 +1,228 @@
From 790a2005e7a44dba059f5dbf1b9eff3a13e9b5e7 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Wed, 19 Feb 2025 15:51:53 +0800
Subject: [PATCH] squashfs: Fix stack overflow while symlink resolving
The squashfs driver blindly follows symlinks, and calls sqfs_size()
recursively. So an attacker can create a crafted filesystem and with
a deep enough nesting level a stack overflow can be achieved.
Fix by limiting the nesting level to 8.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
CVE: CVE-2024-57257
Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/4f5cc096bfd0a591f8a11e86999e3d90a9484c34]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
fs/squashfs/sqfs.c | 76 +++++++++++++++++++++++++++++++++++++---------
1 file changed, 61 insertions(+), 15 deletions(-)
diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index 7f2af8e1f9..09c0911689 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -24,7 +24,12 @@
#include "sqfs_filesystem.h"
#include "sqfs_utils.h"
+#define MAX_SYMLINK_NEST 8
+
static struct squashfs_ctxt ctxt;
+static int symlinknest;
+
+static int sqfs_readdir_nest(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp);
static int sqfs_disk_read(__u32 block, __u32 nr_blocks, void *buf)
{
@@ -502,7 +507,7 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
goto out;
}
- while (!sqfs_readdir(dirsp, &dent)) {
+ while (!sqfs_readdir_nest(dirsp, &dent)) {
ret = strcmp(dent->name, token_list[j]);
if (!ret)
break;
@@ -527,6 +532,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
/* Check for symbolic link and inode type sanity */
if (get_unaligned_le16(&dir->inode_type) == SQFS_SYMLINK_TYPE) {
+ if (++symlinknest == MAX_SYMLINK_NEST) {
+ ret = -ELOOP;
+ goto out;
+ }
+
sym = (struct squashfs_symlink_inode *)table;
/* Get first j + 1 tokens */
path = sqfs_concat_tokens(token_list, j + 1);
@@ -872,7 +882,7 @@ out:
return metablks_count;
}
-int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp)
+static int sqfs_opendir_nest(const char *filename, struct fs_dir_stream **dirsp)
{
unsigned char *inode_table = NULL, *dir_table = NULL;
int j, token_count = 0, ret = 0, metablks_count;
@@ -967,7 +977,19 @@ out:
return ret;
}
+int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp)
+{
+ symlinknest = 0;
+ return sqfs_opendir_nest(filename, dirsp);
+}
+
int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp)
+{
+ symlinknest = 0;
+ return sqfs_readdir_nest(fs_dirs, dentp);
+}
+
+static int sqfs_readdir_nest(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp)
{
struct squashfs_super_block *sblk = ctxt.sblk;
struct squashfs_dir_stream *dirs;
@@ -1311,8 +1333,8 @@ static int sqfs_get_lregfile_info(struct squashfs_lreg_inode *lreg,
return datablk_count;
}
-int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
- loff_t *actread)
+static int sqfs_read_nest(const char *filename, void *buf, loff_t offset,
+ loff_t len, loff_t *actread)
{
char *dir = NULL, *fragment_block, *datablock = NULL, *data_buffer = NULL;
char *fragment = NULL, *file = NULL, *resolved, *data;
@@ -1342,11 +1364,11 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
}
/*
- * sqfs_opendir will uncompress inode and directory tables, and will
+ * sqfs_opendir_nest will uncompress inode and directory tables, and will
* return a pointer to the directory that contains the requested file.
*/
sqfs_split_path(&file, &dir, filename);
- ret = sqfs_opendir(dir, &dirsp);
+ ret = sqfs_opendir_nest(dir, &dirsp);
if (ret) {
goto out;
}
@@ -1354,7 +1376,7 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
dirs = (struct squashfs_dir_stream *)dirsp;
/* For now, only regular files are able to be loaded */
- while (!sqfs_readdir(dirsp, &dent)) {
+ while (!sqfs_readdir_nest(dirsp, &dent)) {
ret = strcmp(dent->name, file);
if (!ret)
break;
@@ -1403,9 +1425,14 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
break;
case SQFS_SYMLINK_TYPE:
case SQFS_LSYMLINK_TYPE:
+ if (++symlinknest == MAX_SYMLINK_NEST) {
+ ret = -ELOOP;
+ goto out;
+ }
+
symlink = (struct squashfs_symlink_inode *)ipos;
resolved = sqfs_resolve_symlink(symlink, filename);
- ret = sqfs_read(resolved, buf, offset, len, actread);
+ ret = sqfs_read_nest(resolved, buf, offset, len, actread);
free(resolved);
goto out;
case SQFS_BLKDEV_TYPE:
@@ -1579,7 +1606,14 @@ out:
return ret;
}
-int sqfs_size(const char *filename, loff_t *size)
+int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+ loff_t *actread)
+{
+ symlinknest = 0;
+ return sqfs_read_nest(filename, buf, offset, len, actread);
+}
+
+static int sqfs_size_nest(const char *filename, loff_t *size)
{
struct squashfs_super_block *sblk = ctxt.sblk;
struct squashfs_symlink_inode *symlink;
@@ -1595,10 +1629,10 @@ int sqfs_size(const char *filename, loff_t *size)
sqfs_split_path(&file, &dir, filename);
/*
- * sqfs_opendir will uncompress inode and directory tables, and will
+ * sqfs_opendir_nest will uncompress inode and directory tables, and will
* return a pointer to the directory that contains the requested file.
*/
- ret = sqfs_opendir(dir, &dirsp);
+ ret = sqfs_opendir_nest(dir, &dirsp);
if (ret) {
ret = -EINVAL;
goto free_strings;
@@ -1606,7 +1640,7 @@ int sqfs_size(const char *filename, loff_t *size)
dirs = (struct squashfs_dir_stream *)dirsp;
- while (!sqfs_readdir(dirsp, &dent)) {
+ while (!sqfs_readdir_nest(dirsp, &dent)) {
ret = strcmp(dent->name, file);
if (!ret)
break;
@@ -1639,6 +1673,11 @@ int sqfs_size(const char *filename, loff_t *size)
break;
case SQFS_SYMLINK_TYPE:
case SQFS_LSYMLINK_TYPE:
+ if (++symlinknest == MAX_SYMLINK_NEST) {
+ *size = 0;
+ return -ELOOP;
+ }
+
symlink = (struct squashfs_symlink_inode *)ipos;
resolved = sqfs_resolve_symlink(symlink, filename);
ret = sqfs_size(resolved, size);
@@ -1678,10 +1717,11 @@ int sqfs_exists(const char *filename)
sqfs_split_path(&file, &dir, filename);
/*
- * sqfs_opendir will uncompress inode and directory tables, and will
+ * sqfs_opendir_nest will uncompress inode and directory tables, and will
* return a pointer to the directory that contains the requested file.
*/
- ret = sqfs_opendir(dir, &dirsp);
+ symlinknest = 0;
+ ret = sqfs_opendir_nest(dir, &dirsp);
if (ret) {
ret = -EINVAL;
goto free_strings;
@@ -1689,7 +1729,7 @@ int sqfs_exists(const char *filename)
dirs = (struct squashfs_dir_stream *)dirsp;
- while (!sqfs_readdir(dirsp, &dent)) {
+ while (!sqfs_readdir_nest(dirsp, &dent)) {
ret = strcmp(dent->name, file);
if (!ret)
break;
@@ -1706,6 +1746,12 @@ free_strings:
return ret == 0;
}
+int sqfs_size(const char *filename, loff_t *size)
+{
+ symlinknest = 0;
+ return sqfs_size_nest(filename, size);
+}
+
void sqfs_close(void)
{
sqfs_decompressor_cleanup(&ctxt);
--
2.34.1

1
meta/recipes-bsp/u-boot/u-boot_2022.01.bb
View File

@@ -14,6 +14,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
file://CVE-2024-57254.patch \
file://CVE-2024-57255.patch \
file://CVE-2024-57256.patch \
file://CVE-2024-57257.patch \
"
DEPENDS += "bc-native dtc-native python3-setuptools-native"