mirror of
https://git.yoctoproject.org/poky
synced 2026-04-21 21:32:12 +02:00
u-boot: fix CVE-2024-57254
An integer overflow in sqfs_inode_size in Das U-Boot before 2025.01-rc1 occurs in the symlink size calculation via a crafted squashfs filesystem. https://nvd.nist.gov/vuln/detail/CVE-2024-57254 (From OE-Core rev: 956836ab347e9112be0f8892b1b82c4bcb17990c) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Hongxu Jia
committed by
Steve Sakoman
Steve Sakoman
parent
83e5ad004a
commit
fcaac44489
47
meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch
Normal file
47
meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch
Normal file
@@ -0,0 +1,47 @@
|
||||
From 3f9deb424ecd6ecd50f165b42f0b0290d83853f5 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Weinberger <richard@nod.at>
|
||||
Date: Fri, 2 Aug 2024 18:36:45 +0200
|
||||
Subject: [PATCH 1/8] squashfs: Fix integer overflow in sqfs_inode_size()
|
||||
|
||||
A carefully crafted squashfs filesystem can exhibit an extremly large
|
||||
inode size and overflow the calculation in sqfs_inode_size().
|
||||
As a consequence, the squashfs driver will read from wrong locations.
|
||||
|
||||
Fix by using __builtin_add_overflow() to detect the overflow.
|
||||
|
||||
Signed-off-by: Richard Weinberger <richard@nod.at>
|
||||
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
|
||||
|
||||
CVE: CVE-2024-57254
|
||||
Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/c8e929e5758999933f9e905049ef2bf3fe6b140d]
|
||||
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
||||
---
|
||||
fs/squashfs/sqfs_inode.c | 9 +++++++--
|
||||
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c
|
||||
index d25cfb53..bb3ccd37 100644
|
||||
--- a/fs/squashfs/sqfs_inode.c
|
||||
+++ b/fs/squashfs/sqfs_inode.c
|
||||
@@ -78,11 +78,16 @@ int sqfs_inode_size(struct squashfs_base_inode *inode, u32 blk_size)
|
||||
|
||||
case SQFS_SYMLINK_TYPE:
|
||||
case SQFS_LSYMLINK_TYPE: {
|
||||
+ int size;
|
||||
+
|
||||
struct squashfs_symlink_inode *symlink =
|
||||
(struct squashfs_symlink_inode *)inode;
|
||||
|
||||
- return sizeof(*symlink) +
|
||||
- get_unaligned_le32(&symlink->symlink_size);
|
||||
+ if (__builtin_add_overflow(sizeof(*symlink),
|
||||
+ get_unaligned_le32(&symlink->symlink_size), &size))
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ return size;
|
||||
}
|
||||
|
||||
case SQFS_BLKDEV_TYPE:
|
||||
--
|
||||
2.34.1
|
||||
|
||||
@@ -11,6 +11,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
|
||||
file://CVE-2022-30790.patch \
|
||||
file://CVE-2022-2347_1.patch \
|
||||
file://CVE-2022-2347_2.patch \
|
||||
file://CVE-2024-57254.patch \
|
||||
"
|
||||
|
||||
DEPENDS += "bc-native dtc-native python3-setuptools-native"
|
||||
|
||||
Reference in New Issue
Block a user