erofs-utils: backport fixes for CVE-2023-33551 and CVE-2023-33552

(From OE-Core rev: fb0e4612b3b54746043205b56b2c3782489c191e) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@arm.com> 2023-06-19 11:32:00 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-06-20 23:24:26 +0100
commit: 89e2844fdcee07b69ef4aea7bd57d3d87ab1f114 (patch)
tree: ba1021aa1b0ec3c2ed0999c7beedb45ad63f6cce /meta
parent: 37382c45eacbd962d7468836bd67042d28bbefbf (diff)
download: poky-89e2844fdcee07b69ef4aea7bd57d3d87ab1f114.tar.gz
3 files changed, 210 insertions, 1 deletions
diff --git a/meta/recipes-devtools/erofs-utils/erofs-utils_1.6.bb b/meta/recipes-devtools/erofs-utils/erofs-utils_1.6.bb
index 43643e07bb..5a89e4b8ee 100644
--- a/meta/recipes-devtools/erofs-utils/erofs-utils_1.6.bb
+++ b/meta/recipes-devtools/erofs-utils/erofs-utils_1.6.bb
@@ -6,7 +6,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=73001d804ea1e3d84365f652242cca20"
 HOMEPAGE = "https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git/tree/README"
 SRCREV = "21710612d35cd952490959bfa6ea9fe87aaa52dd"
-SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git;branch=master;protocol=https"
+SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git;branch=master;protocol=https \
+           file://0001-erofs-utils-fsck-don-t-allocate-read-too-large-exten.patch \
+           file://0002-erofs-utils-fsck-block-insane-long-paths-when-extrac.patch \
+"
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>(\d+(\.\d+)+))"
diff --git a/meta/recipes-devtools/erofs-utils/files/0001-erofs-utils-fsck-don-t-allocate-read-too-large-exten.patch b/meta/recipes-devtools/erofs-utils/files/0001-erofs-utils-fsck-don-t-allocate-read-too-large-exten.patch
new file mode 100644
index 0000000000..52f475dc42
--- /dev/null
+++ b/meta/recipes-devtools/erofs-utils/files/0001-erofs-utils-fsck-don-t-allocate-read-too-large-exten.patch
@@ -0,0 +1,126 @@
+From c769805c79d5acede65d96e5786aa5ebb46c01e0 Mon Sep 17 00:00:00 2001
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+Date: Fri, 2 Jun 2023 11:05:19 +0800
+Subject: [PATCH 1/2] erofs-utils: fsck: don't allocate/read too large extents
+Since some crafted EROFS filesystem images could have insane large
+extents, which causes unexpected bahaviors when extracting data.
+Fix it by extracting large extents with a buffer of a reasonable
+maximum size limit and reading multiple times instead.
+Note that only `--extract` option is impacted.
+CVE: CVE-2023-33552
+Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-33552
+Reported-by: Chaoming Yang <lometsj@live.com>
+Fixes: 412c8f908132 ("erofs-utils: fsck: add --extract=X support to extract to path X")
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20230602030519.117071-1-hsiangkao@linux.alibaba.com
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ fsck/main.c | 63 +++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 49 insertions(+), 14 deletions(-)
+diff --git a/fsck/main.c b/fsck/main.c
+index 6b42252..6689ad8 100644
+--- a/fsck/main.c
+++ b/fsck/main.c
+@@ -392,6 +392,8 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd)
+        }
+ 
+        while (pos < inode->i_size) {
+               unsigned int alloc_rawsize;
+
+                map.m_la = pos;
+                if (compressed)
+                        ret = z_erofs_map_blocks_iter(inode, &map,
+@@ -420,10 +422,28 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd)
+                if (!(map.m_flags & EROFS_MAP_MAPPED) || !fsckcfg.check_decomp)
+                        continue;
+ 
+-               if (map.m_plen > raw_size) {
+-                       raw_size = map.m_plen;
+-                       raw = realloc(raw, raw_size);
+-                       BUG_ON(!raw);
+               if (map.m_plen > Z_EROFS_PCLUSTER_MAX_SIZE) {
+                       if (compressed) {
+                               erofs_err("invalid pcluster size %" PRIu64 " @ offset %" PRIu64 " of nid %" PRIu64,
+                                         map.m_plen, map.m_la,
+                                         inode->nid | 0ULL);
+                               ret = -EFSCORRUPTED;
+                               goto out;
+                       }
+                       alloc_rawsize = Z_EROFS_PCLUSTER_MAX_SIZE;
+               } else {
+                       alloc_rawsize = map.m_plen;
+               }
+
+               if (alloc_rawsize > raw_size) {
+                       char *newraw = realloc(raw, alloc_rawsize);
+
+                       if (!newraw) {
+                               ret = -ENOMEM;
+                               goto out;
+                       }
+                       raw = newraw;
+                       raw_size = alloc_rawsize;
+                }
+ 
+                if (compressed) {
+@@ -434,18 +454,27 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd)
+                        }
+                        ret = z_erofs_read_one_data(inode, &map, raw, buffer,
+                                                    0, map.m_llen, false);
+                       if (ret)
+                               goto out;
+
+                       if (outfd >= 0 && write(outfd, buffer, map.m_llen) < 0)
+                               goto fail_eio;
+                } else {
+-                       ret = erofs_read_one_data(&map, raw, 0, map.m_plen);
+-               }
+-               if (ret)
+-                       goto out;
+                       u64 p = 0;
+ 
+-               if (outfd >= 0 && write(outfd, compressed ? buffer : raw,
+-                                       map.m_llen) < 0) {
+-                       erofs_err("I/O error occurred when verifying data chunk @ nid %llu",
+-                                 inode->nid | 0ULL);
+-                       ret = -EIO;
+-                       goto out;
+                       do {
+                               u64 count = min_t(u64, alloc_rawsize,
+                                                 map.m_llen);
+
+                               ret = erofs_read_one_data(&map, raw, p, count);
+                               if (ret)
+                                       goto out;
+
+                               if (outfd >= 0 && write(outfd, raw, count) < 0)
+                                       goto fail_eio;
+                               map.m_llen -= count;
+                               p += count;
+                       } while (map.m_llen);
+                }
+        }
+ 
+@@ -460,6 +489,12 @@ out:
+        if (buffer)
+                free(buffer);
+        return ret < 0 ? ret : 0;
+
+fail_eio:
+       erofs_err("I/O error occurred when verifying data chunk @ nid %llu",
+                 inode->nid | 0ULL);
+       ret = -EIO;
+       goto out;
+ }
+ 
+ static inline int erofs_extract_dir(struct erofs_inode *inode)
+-- 
+2.34.1
diff --git a/meta/recipes-devtools/erofs-utils/files/0002-erofs-utils-fsck-block-insane-long-paths-when-extrac.patch b/meta/recipes-devtools/erofs-utils/files/0002-erofs-utils-fsck-block-insane-long-paths-when-extrac.patch
new file mode 100644
index 0000000000..f2f1e34368
--- /dev/null
+++ b/meta/recipes-devtools/erofs-utils/files/0002-erofs-utils-fsck-block-insane-long-paths-when-extrac.patch
@@ -0,0 +1,80 @@
+From 6cebfbb79b1d5d8feb48801e1008eea5bfa8b599 Mon Sep 17 00:00:00 2001
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+Date: Fri, 2 Jun 2023 13:52:56 +0800
+Subject: [PATCH 2/2] erofs-utils: fsck: block insane long paths when
+ extracting images
+Since some crafted EROFS filesystem images could have insane deep
+hierarchy (or may form directory loops) which triggers the
+PATH_MAX-sized path buffer OR stack overflow.
+Actually some crafted images cannot be deemed as real corrupted
+images but over-PATH_MAX paths are not something that we'd like to
+support for now.
+CVE: CVE-2023-33551
+Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-33551
+Reported-by: Chaoming Yang <lometsj@live.com>
+Fixes: f44043561491 ("erofs-utils: introduce fsck.erofs")
+Fixes: b11f84f593f9 ("erofs-utils: fsck: convert to use erofs_iterate_dir()")
+Fixes: 412c8f908132 ("erofs-utils: fsck: add --extract=X support to extract to path X")
+Signeo-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20230602055256.18061-1-hsiangkao@linux.alibaba.com
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ fsck/main.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+diff --git a/fsck/main.c b/fsck/main.c
+index 6689ad8..28d95ec 100644
+--- a/fsck/main.c
+++ b/fsck/main.c
+@@ -680,28 +680,35 @@ again:
+ static int erofsfsck_dirent_iter(struct erofs_dir_context *ctx)
+ {
+        int ret;
+-       size_t prev_pos = fsckcfg.extract_pos;
+       size_t prev_pos, curr_pos;
+ 
+        if (ctx->dot_dotdot)
+                return 0;
+ 
+-       if (fsckcfg.extract_path) {
+-               size_t curr_pos = prev_pos;
+       prev_pos = fsckcfg.extract_pos;
+       curr_pos = prev_pos;
+
+       if (prev_pos + ctx->de_namelen >= PATH_MAX) {
+               erofs_err("unable to fsck since the path is too long (%u)",
+                         curr_pos + ctx->de_namelen);
+               return -EOPNOTSUPP;
+       }
+ 
+       if (fsckcfg.extract_path) {
+                fsckcfg.extract_path[curr_pos++] = '/';
+                strncpy(fsckcfg.extract_path + curr_pos, ctx->dname,
+                        ctx->de_namelen);
+                curr_pos += ctx->de_namelen;
+                fsckcfg.extract_path[curr_pos] = '\0';
+-               fsckcfg.extract_pos = curr_pos;
+       } else {
+               curr_pos += ctx->de_namelen;
+        }
+-
+       fsckcfg.extract_pos = curr_pos;
+        ret = erofsfsck_check_inode(ctx->dir->nid, ctx->de_nid);
+ 
+-       if (fsckcfg.extract_path) {
+       if (fsckcfg.extract_path)
+                fsckcfg.extract_path[prev_pos] = '\0';
+-               fsckcfg.extract_pos = prev_pos;
+-       }
+       fsckcfg.extract_pos = prev_pos;
+        return ret;
+ }
+ 
+-- 
+2.34.1
author	Ross Burton <ross.burton@arm.com>	2023-06-19 11:32:00 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-06-20 23:24:26 +0100
commit	89e2844fdcee07b69ef4aea7bd57d3d87ab1f114 (patch)
tree	ba1021aa1b0ec3c2ed0999c7beedb45ad63f6cce /meta
parent	37382c45eacbd962d7468836bd67042d28bbefbf (diff)
download	poky-89e2844fdcee07b69ef4aea7bd57d3d87ab1f114.tar.gz

diff --git a/meta/recipes-devtools/erofs-utils/erofs-utils_1.6.bb b/meta/recipes-devtools/erofs-utils/erofs-utils_1.6.bb index 43643e07bb..5a89e4b8ee 100644 --- a/meta/recipes-devtools/erofs-utils/erofs-utils_1.6.bb +++ b/meta/recipes-devtools/erofs-utils/erofs-utils_1.6.bb
@@ -6,7 +6,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=73001d804ea1e3d84365f652242cca20"
6	HOMEPAGE = "https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git/tree/README"	6	HOMEPAGE = "https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git/tree/README"
7		7
8	SRCREV = "21710612d35cd952490959bfa6ea9fe87aaa52dd"	8	SRCREV = "21710612d35cd952490959bfa6ea9fe87aaa52dd"
9	SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git;branch=master;protocol=https"	9	SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git;branch=master;protocol=https \
		10	file://0001-erofs-utils-fsck-don-t-allocate-read-too-large-exten.patch \
		11	file://0002-erofs-utils-fsck-block-insane-long-paths-when-extrac.patch \
		12	"
10		13
11	UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>(\d+(\.\d+)+))"	14	UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>(\d+(\.\d+)+))"
12		15


diff --git a/meta/recipes-devtools/erofs-utils/files/0001-erofs-utils-fsck-don-t-allocate-read-too-large-exten.patch b/meta/recipes-devtools/erofs-utils/files/0001-erofs-utils-fsck-don-t-allocate-read-too-large-exten.patch new file mode 100644 index 0000000000..52f475dc42 --- /dev/null +++ b/meta/recipes-devtools/erofs-utils/files/0001-erofs-utils-fsck-don-t-allocate-read-too-large-exten.patch
@@ -0,0 +1,126 @@
		1	From c769805c79d5acede65d96e5786aa5ebb46c01e0 Mon Sep 17 00:00:00 2001
		2	From: Gao Xiang <hsiangkao@linux.alibaba.com>
		3	Date: Fri, 2 Jun 2023 11:05:19 +0800
		4	Subject: [PATCH 1/2] erofs-utils: fsck: don't allocate/read too large extents
		5
		6	Since some crafted EROFS filesystem images could have insane large
		7	extents, which causes unexpected bahaviors when extracting data.
		8
		9	Fix it by extracting large extents with a buffer of a reasonable
		10	maximum size limit and reading multiple times instead.
		11
		12	Note that only `--extract` option is impacted.
		13
		14	CVE: CVE-2023-33552
		15	Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-33552
		16	Reported-by: Chaoming Yang <lometsj@live.com>
		17	Fixes: 412c8f908132 ("erofs-utils: fsck: add --extract=X support to extract to path X")
		18	Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
		19	Link: https://lore.kernel.org/r/20230602030519.117071-1-hsiangkao@linux.alibaba.com
		20
		21	Upstream-Status: Backport
		22	Signed-off-by: Ross Burton <ross.burton@arm.com>
		23	---
		24	fsck/main.c \| 63 +++++++++++++++++++++++++++++++++++++++++------------
		25	1 file changed, 49 insertions(+), 14 deletions(-)
		26
		27	diff --git a/fsck/main.c b/fsck/main.c
		28	index 6b42252..6689ad8 100644
		29	--- a/fsck/main.c
		30	+++ b/fsck/main.c
		31	@@ -392,6 +392,8 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd)
		32	}
		33
		34	while (pos < inode->i_size) {
		35	+ unsigned int alloc_rawsize;
		36	+
		37	map.m_la = pos;
		38	if (compressed)
		39	ret = z_erofs_map_blocks_iter(inode, &map,
		40	@@ -420,10 +422,28 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd)
		41	if (!(map.m_flags & EROFS_MAP_MAPPED) \|\| !fsckcfg.check_decomp)
		42	continue;
		43
		44	- if (map.m_plen > raw_size) {
		45	- raw_size = map.m_plen;
		46	- raw = realloc(raw, raw_size);
		47	- BUG_ON(!raw);
		48	+ if (map.m_plen > Z_EROFS_PCLUSTER_MAX_SIZE) {
		49	+ if (compressed) {
		50	+ erofs_err("invalid pcluster size %" PRIu64 " @ offset %" PRIu64 " of nid %" PRIu64,
		51	+ map.m_plen, map.m_la,
		52	+ inode->nid \| 0ULL);
		53	+ ret = -EFSCORRUPTED;
		54	+ goto out;
		55	+ }
		56	+ alloc_rawsize = Z_EROFS_PCLUSTER_MAX_SIZE;
		57	+ } else {
		58	+ alloc_rawsize = map.m_plen;
		59	+ }
		60	+
		61	+ if (alloc_rawsize > raw_size) {
		62	+ char *newraw = realloc(raw, alloc_rawsize);
		63	+
		64	+ if (!newraw) {
		65	+ ret = -ENOMEM;
		66	+ goto out;
		67	+ }
		68	+ raw = newraw;
		69	+ raw_size = alloc_rawsize;
		70	}
		71
		72	if (compressed) {
		73	@@ -434,18 +454,27 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd)
		74	}
		75	ret = z_erofs_read_one_data(inode, &map, raw, buffer,
		76	0, map.m_llen, false);
		77	+ if (ret)
		78	+ goto out;
		79	+
		80	+ if (outfd >= 0 && write(outfd, buffer, map.m_llen) < 0)
		81	+ goto fail_eio;
		82	} else {
		83	- ret = erofs_read_one_data(&map, raw, 0, map.m_plen);
		84	- }
		85	- if (ret)
		86	- goto out;
		87	+ u64 p = 0;
		88
		89	- if (outfd >= 0 && write(outfd, compressed ? buffer : raw,
		90	- map.m_llen) < 0) {
		91	- erofs_err("I/O error occurred when verifying data chunk @ nid %llu",
		92	- inode->nid \| 0ULL);
		93	- ret = -EIO;
		94	- goto out;
		95	+ do {
		96	+ u64 count = min_t(u64, alloc_rawsize,
		97	+ map.m_llen);
		98	+
		99	+ ret = erofs_read_one_data(&map, raw, p, count);
		100	+ if (ret)
		101	+ goto out;
		102	+
		103	+ if (outfd >= 0 && write(outfd, raw, count) < 0)
		104	+ goto fail_eio;
		105	+ map.m_llen -= count;
		106	+ p += count;
		107	+ } while (map.m_llen);
		108	}
		109	}
		110
		111	@@ -460,6 +489,12 @@ out:
		112	if (buffer)
		113	free(buffer);
		114	return ret < 0 ? ret : 0;
		115	+
		116	+fail_eio:
		117	+ erofs_err("I/O error occurred when verifying data chunk @ nid %llu",
		118	+ inode->nid \| 0ULL);
		119	+ ret = -EIO;
		120	+ goto out;
		121	}
		122
		123	static inline int erofs_extract_dir(struct erofs_inode *inode)
		124	--
		125	2.34.1
		126


diff --git a/meta/recipes-devtools/erofs-utils/files/0002-erofs-utils-fsck-block-insane-long-paths-when-extrac.patch b/meta/recipes-devtools/erofs-utils/files/0002-erofs-utils-fsck-block-insane-long-paths-when-extrac.patch new file mode 100644 index 0000000000..f2f1e34368 --- /dev/null +++ b/meta/recipes-devtools/erofs-utils/files/0002-erofs-utils-fsck-block-insane-long-paths-when-extrac.patch
@@ -0,0 +1,80 @@
		1	From 6cebfbb79b1d5d8feb48801e1008eea5bfa8b599 Mon Sep 17 00:00:00 2001
		2	From: Gao Xiang <hsiangkao@linux.alibaba.com>
		3	Date: Fri, 2 Jun 2023 13:52:56 +0800
		4	Subject: [PATCH 2/2] erofs-utils: fsck: block insane long paths when
		5	extracting images
		6
		7	Since some crafted EROFS filesystem images could have insane deep
		8	hierarchy (or may form directory loops) which triggers the
		9	PATH_MAX-sized path buffer OR stack overflow.
		10
		11	Actually some crafted images cannot be deemed as real corrupted
		12	images but over-PATH_MAX paths are not something that we'd like to
		13	support for now.
		14
		15	CVE: CVE-2023-33551
		16	Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-33551
		17	Reported-by: Chaoming Yang <lometsj@live.com>
		18	Fixes: f44043561491 ("erofs-utils: introduce fsck.erofs")
		19	Fixes: b11f84f593f9 ("erofs-utils: fsck: convert to use erofs_iterate_dir()")
		20	Fixes: 412c8f908132 ("erofs-utils: fsck: add --extract=X support to extract to path X")
		21	Signeo-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
		22	Link: https://lore.kernel.org/r/20230602055256.18061-1-hsiangkao@linux.alibaba.com
		23
		24	Upstream-Status: Backport
		25	Signed-off-by: Ross Burton <ross.burton@arm.com>
		26	---
		27	fsck/main.c \| 23 +++++++++++++++--------
		28	1 file changed, 15 insertions(+), 8 deletions(-)
		29
		30	diff --git a/fsck/main.c b/fsck/main.c
		31	index 6689ad8..28d95ec 100644
		32	--- a/fsck/main.c
		33	+++ b/fsck/main.c
		34	@@ -680,28 +680,35 @@ again:
		35	static int erofsfsck_dirent_iter(struct erofs_dir_context *ctx)
		36	{
		37	int ret;
		38	- size_t prev_pos = fsckcfg.extract_pos;
		39	+ size_t prev_pos, curr_pos;
		40
		41	if (ctx->dot_dotdot)
		42	return 0;
		43
		44	- if (fsckcfg.extract_path) {
		45	- size_t curr_pos = prev_pos;
		46	+ prev_pos = fsckcfg.extract_pos;
		47	+ curr_pos = prev_pos;
		48	+
		49	+ if (prev_pos + ctx->de_namelen >= PATH_MAX) {
		50	+ erofs_err("unable to fsck since the path is too long (%u)",
		51	+ curr_pos + ctx->de_namelen);
		52	+ return -EOPNOTSUPP;
		53	+ }
		54
		55	+ if (fsckcfg.extract_path) {
		56	fsckcfg.extract_path[curr_pos++] = '/';
		57	strncpy(fsckcfg.extract_path + curr_pos, ctx->dname,
		58	ctx->de_namelen);
		59	curr_pos += ctx->de_namelen;
		60	fsckcfg.extract_path[curr_pos] = '\0';
		61	- fsckcfg.extract_pos = curr_pos;
		62	+ } else {
		63	+ curr_pos += ctx->de_namelen;
		64	}
		65	-
		66	+ fsckcfg.extract_pos = curr_pos;
		67	ret = erofsfsck_check_inode(ctx->dir->nid, ctx->de_nid);
		68
		69	- if (fsckcfg.extract_path) {
		70	+ if (fsckcfg.extract_path)
		71	fsckcfg.extract_path[prev_pos] = '\0';
		72	- fsckcfg.extract_pos = prev_pos;
		73	- }
		74	+ fsckcfg.extract_pos = prev_pos;
		75	return ret;
		76	}
		77
		78	--
		79	2.34.1
		80