diff options
author | Alexander Kanavin <alex.kanavin@gmail.com> | 2023-11-27 11:17:40 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-11-30 08:43:04 +0000 |
commit | 4ab32e3f767807fe5404868c9fffdc89ced6858d (patch) | |
tree | 4b6d3f837bb481f5ca9e2b46e24dae5b579a4d12 /meta | |
parent | f8199bc9086dbfaec5b8f212c1335d0aae5ff06b (diff) | |
download | poky-4ab32e3f767807fe5404868c9fffdc89ced6858d.tar.gz |
erofs-utils: upgrade 1.6 -> 1.7.1
(From OE-Core rev: 333e644466c7b6749481988b638e23ec78316c4a)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/erofs-utils/erofs-utils_1.7.1.bb (renamed from meta/recipes-devtools/erofs-utils/erofs-utils_1.6.bb) | 10 | ||||
-rw-r--r-- | meta/recipes-devtools/erofs-utils/files/0001-erofs-utils-fsck-don-t-allocate-read-too-large-exten.patch | 126 | ||||
-rw-r--r-- | meta/recipes-devtools/erofs-utils/files/0002-erofs-utils-fsck-block-insane-long-paths-when-extrac.patch | 80 |
3 files changed, 4 insertions, 212 deletions
diff --git a/meta/recipes-devtools/erofs-utils/erofs-utils_1.6.bb b/meta/recipes-devtools/erofs-utils/erofs-utils_1.7.1.bb index 5a89e4b8ee..a23cb330ea 100644 --- a/meta/recipes-devtools/erofs-utils/erofs-utils_1.6.bb +++ b/meta/recipes-devtools/erofs-utils/erofs-utils_1.7.1.bb | |||
@@ -5,11 +5,8 @@ SECTION = "base" | |||
5 | LIC_FILES_CHKSUM = "file://COPYING;md5=73001d804ea1e3d84365f652242cca20" | 5 | LIC_FILES_CHKSUM = "file://COPYING;md5=73001d804ea1e3d84365f652242cca20" |
6 | HOMEPAGE = "https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git/tree/README" | 6 | HOMEPAGE = "https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git/tree/README" |
7 | 7 | ||
8 | SRCREV = "21710612d35cd952490959bfa6ea9fe87aaa52dd" | 8 | SRCREV = "83d94dc619075e71ca4d0f42941cfc18d269a2af" |
9 | SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git;branch=master;protocol=https \ | 9 | SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git;branch=master;protocol=https" |
10 | file://0001-erofs-utils-fsck-don-t-allocate-read-too-large-exten.patch \ | ||
11 | file://0002-erofs-utils-fsck-block-insane-long-paths-when-extrac.patch \ | ||
12 | " | ||
13 | 10 | ||
14 | UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>(\d+(\.\d+)+))" | 11 | UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>(\d+(\.\d+)+))" |
15 | 12 | ||
@@ -19,8 +16,9 @@ DEPENDS = "util-linux-libuuid" | |||
19 | 16 | ||
20 | inherit pkgconfig autotools | 17 | inherit pkgconfig autotools |
21 | 18 | ||
22 | PACKAGECONFIG ??= "lz4" | 19 | PACKAGECONFIG ??= "lz4 zlib" |
23 | PACKAGECONFIG[lz4] = "--enable-lz4,--disable-lz4,lz4" | 20 | PACKAGECONFIG[lz4] = "--enable-lz4,--disable-lz4,lz4" |
21 | PACKAGECONFIG[zlib] = "--with-zlib,--without-zlib,zlib" | ||
24 | 22 | ||
25 | EXTRA_OECONF = "${PACKAGECONFIG_CONFARGS} --disable-fuse" | 23 | EXTRA_OECONF = "${PACKAGECONFIG_CONFARGS} --disable-fuse" |
26 | 24 | ||
diff --git a/meta/recipes-devtools/erofs-utils/files/0001-erofs-utils-fsck-don-t-allocate-read-too-large-exten.patch b/meta/recipes-devtools/erofs-utils/files/0001-erofs-utils-fsck-don-t-allocate-read-too-large-exten.patch deleted file mode 100644 index 52f475dc42..0000000000 --- a/meta/recipes-devtools/erofs-utils/files/0001-erofs-utils-fsck-don-t-allocate-read-too-large-exten.patch +++ /dev/null | |||
@@ -1,126 +0,0 @@ | |||
1 | From c769805c79d5acede65d96e5786aa5ebb46c01e0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Gao Xiang <hsiangkao@linux.alibaba.com> | ||
3 | Date: Fri, 2 Jun 2023 11:05:19 +0800 | ||
4 | Subject: [PATCH 1/2] erofs-utils: fsck: don't allocate/read too large extents | ||
5 | |||
6 | Since some crafted EROFS filesystem images could have insane large | ||
7 | extents, which causes unexpected bahaviors when extracting data. | ||
8 | |||
9 | Fix it by extracting large extents with a buffer of a reasonable | ||
10 | maximum size limit and reading multiple times instead. | ||
11 | |||
12 | Note that only `--extract` option is impacted. | ||
13 | |||
14 | CVE: CVE-2023-33552 | ||
15 | Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-33552 | ||
16 | Reported-by: Chaoming Yang <lometsj@live.com> | ||
17 | Fixes: 412c8f908132 ("erofs-utils: fsck: add --extract=X support to extract to path X") | ||
18 | Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> | ||
19 | Link: https://lore.kernel.org/r/20230602030519.117071-1-hsiangkao@linux.alibaba.com | ||
20 | |||
21 | Upstream-Status: Backport | ||
22 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
23 | --- | ||
24 | fsck/main.c | 63 +++++++++++++++++++++++++++++++++++++++++------------ | ||
25 | 1 file changed, 49 insertions(+), 14 deletions(-) | ||
26 | |||
27 | diff --git a/fsck/main.c b/fsck/main.c | ||
28 | index 6b42252..6689ad8 100644 | ||
29 | --- a/fsck/main.c | ||
30 | +++ b/fsck/main.c | ||
31 | @@ -392,6 +392,8 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd) | ||
32 | } | ||
33 | |||
34 | while (pos < inode->i_size) { | ||
35 | + unsigned int alloc_rawsize; | ||
36 | + | ||
37 | map.m_la = pos; | ||
38 | if (compressed) | ||
39 | ret = z_erofs_map_blocks_iter(inode, &map, | ||
40 | @@ -420,10 +422,28 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd) | ||
41 | if (!(map.m_flags & EROFS_MAP_MAPPED) || !fsckcfg.check_decomp) | ||
42 | continue; | ||
43 | |||
44 | - if (map.m_plen > raw_size) { | ||
45 | - raw_size = map.m_plen; | ||
46 | - raw = realloc(raw, raw_size); | ||
47 | - BUG_ON(!raw); | ||
48 | + if (map.m_plen > Z_EROFS_PCLUSTER_MAX_SIZE) { | ||
49 | + if (compressed) { | ||
50 | + erofs_err("invalid pcluster size %" PRIu64 " @ offset %" PRIu64 " of nid %" PRIu64, | ||
51 | + map.m_plen, map.m_la, | ||
52 | + inode->nid | 0ULL); | ||
53 | + ret = -EFSCORRUPTED; | ||
54 | + goto out; | ||
55 | + } | ||
56 | + alloc_rawsize = Z_EROFS_PCLUSTER_MAX_SIZE; | ||
57 | + } else { | ||
58 | + alloc_rawsize = map.m_plen; | ||
59 | + } | ||
60 | + | ||
61 | + if (alloc_rawsize > raw_size) { | ||
62 | + char *newraw = realloc(raw, alloc_rawsize); | ||
63 | + | ||
64 | + if (!newraw) { | ||
65 | + ret = -ENOMEM; | ||
66 | + goto out; | ||
67 | + } | ||
68 | + raw = newraw; | ||
69 | + raw_size = alloc_rawsize; | ||
70 | } | ||
71 | |||
72 | if (compressed) { | ||
73 | @@ -434,18 +454,27 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd) | ||
74 | } | ||
75 | ret = z_erofs_read_one_data(inode, &map, raw, buffer, | ||
76 | 0, map.m_llen, false); | ||
77 | + if (ret) | ||
78 | + goto out; | ||
79 | + | ||
80 | + if (outfd >= 0 && write(outfd, buffer, map.m_llen) < 0) | ||
81 | + goto fail_eio; | ||
82 | } else { | ||
83 | - ret = erofs_read_one_data(&map, raw, 0, map.m_plen); | ||
84 | - } | ||
85 | - if (ret) | ||
86 | - goto out; | ||
87 | + u64 p = 0; | ||
88 | |||
89 | - if (outfd >= 0 && write(outfd, compressed ? buffer : raw, | ||
90 | - map.m_llen) < 0) { | ||
91 | - erofs_err("I/O error occurred when verifying data chunk @ nid %llu", | ||
92 | - inode->nid | 0ULL); | ||
93 | - ret = -EIO; | ||
94 | - goto out; | ||
95 | + do { | ||
96 | + u64 count = min_t(u64, alloc_rawsize, | ||
97 | + map.m_llen); | ||
98 | + | ||
99 | + ret = erofs_read_one_data(&map, raw, p, count); | ||
100 | + if (ret) | ||
101 | + goto out; | ||
102 | + | ||
103 | + if (outfd >= 0 && write(outfd, raw, count) < 0) | ||
104 | + goto fail_eio; | ||
105 | + map.m_llen -= count; | ||
106 | + p += count; | ||
107 | + } while (map.m_llen); | ||
108 | } | ||
109 | } | ||
110 | |||
111 | @@ -460,6 +489,12 @@ out: | ||
112 | if (buffer) | ||
113 | free(buffer); | ||
114 | return ret < 0 ? ret : 0; | ||
115 | + | ||
116 | +fail_eio: | ||
117 | + erofs_err("I/O error occurred when verifying data chunk @ nid %llu", | ||
118 | + inode->nid | 0ULL); | ||
119 | + ret = -EIO; | ||
120 | + goto out; | ||
121 | } | ||
122 | |||
123 | static inline int erofs_extract_dir(struct erofs_inode *inode) | ||
124 | -- | ||
125 | 2.34.1 | ||
126 | |||
diff --git a/meta/recipes-devtools/erofs-utils/files/0002-erofs-utils-fsck-block-insane-long-paths-when-extrac.patch b/meta/recipes-devtools/erofs-utils/files/0002-erofs-utils-fsck-block-insane-long-paths-when-extrac.patch deleted file mode 100644 index f2f1e34368..0000000000 --- a/meta/recipes-devtools/erofs-utils/files/0002-erofs-utils-fsck-block-insane-long-paths-when-extrac.patch +++ /dev/null | |||
@@ -1,80 +0,0 @@ | |||
1 | From 6cebfbb79b1d5d8feb48801e1008eea5bfa8b599 Mon Sep 17 00:00:00 2001 | ||
2 | From: Gao Xiang <hsiangkao@linux.alibaba.com> | ||
3 | Date: Fri, 2 Jun 2023 13:52:56 +0800 | ||
4 | Subject: [PATCH 2/2] erofs-utils: fsck: block insane long paths when | ||
5 | extracting images | ||
6 | |||
7 | Since some crafted EROFS filesystem images could have insane deep | ||
8 | hierarchy (or may form directory loops) which triggers the | ||
9 | PATH_MAX-sized path buffer OR stack overflow. | ||
10 | |||
11 | Actually some crafted images cannot be deemed as real corrupted | ||
12 | images but over-PATH_MAX paths are not something that we'd like to | ||
13 | support for now. | ||
14 | |||
15 | CVE: CVE-2023-33551 | ||
16 | Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-33551 | ||
17 | Reported-by: Chaoming Yang <lometsj@live.com> | ||
18 | Fixes: f44043561491 ("erofs-utils: introduce fsck.erofs") | ||
19 | Fixes: b11f84f593f9 ("erofs-utils: fsck: convert to use erofs_iterate_dir()") | ||
20 | Fixes: 412c8f908132 ("erofs-utils: fsck: add --extract=X support to extract to path X") | ||
21 | Signeo-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> | ||
22 | Link: https://lore.kernel.org/r/20230602055256.18061-1-hsiangkao@linux.alibaba.com | ||
23 | |||
24 | Upstream-Status: Backport | ||
25 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
26 | --- | ||
27 | fsck/main.c | 23 +++++++++++++++-------- | ||
28 | 1 file changed, 15 insertions(+), 8 deletions(-) | ||
29 | |||
30 | diff --git a/fsck/main.c b/fsck/main.c | ||
31 | index 6689ad8..28d95ec 100644 | ||
32 | --- a/fsck/main.c | ||
33 | +++ b/fsck/main.c | ||
34 | @@ -680,28 +680,35 @@ again: | ||
35 | static int erofsfsck_dirent_iter(struct erofs_dir_context *ctx) | ||
36 | { | ||
37 | int ret; | ||
38 | - size_t prev_pos = fsckcfg.extract_pos; | ||
39 | + size_t prev_pos, curr_pos; | ||
40 | |||
41 | if (ctx->dot_dotdot) | ||
42 | return 0; | ||
43 | |||
44 | - if (fsckcfg.extract_path) { | ||
45 | - size_t curr_pos = prev_pos; | ||
46 | + prev_pos = fsckcfg.extract_pos; | ||
47 | + curr_pos = prev_pos; | ||
48 | + | ||
49 | + if (prev_pos + ctx->de_namelen >= PATH_MAX) { | ||
50 | + erofs_err("unable to fsck since the path is too long (%u)", | ||
51 | + curr_pos + ctx->de_namelen); | ||
52 | + return -EOPNOTSUPP; | ||
53 | + } | ||
54 | |||
55 | + if (fsckcfg.extract_path) { | ||
56 | fsckcfg.extract_path[curr_pos++] = '/'; | ||
57 | strncpy(fsckcfg.extract_path + curr_pos, ctx->dname, | ||
58 | ctx->de_namelen); | ||
59 | curr_pos += ctx->de_namelen; | ||
60 | fsckcfg.extract_path[curr_pos] = '\0'; | ||
61 | - fsckcfg.extract_pos = curr_pos; | ||
62 | + } else { | ||
63 | + curr_pos += ctx->de_namelen; | ||
64 | } | ||
65 | - | ||
66 | + fsckcfg.extract_pos = curr_pos; | ||
67 | ret = erofsfsck_check_inode(ctx->dir->nid, ctx->de_nid); | ||
68 | |||
69 | - if (fsckcfg.extract_path) { | ||
70 | + if (fsckcfg.extract_path) | ||
71 | fsckcfg.extract_path[prev_pos] = '\0'; | ||
72 | - fsckcfg.extract_pos = prev_pos; | ||
73 | - } | ||
74 | + fsckcfg.extract_pos = prev_pos; | ||
75 | return ret; | ||
76 | } | ||
77 | |||
78 | -- | ||
79 | 2.34.1 | ||
80 | |||