From a0745dce6bf173eb72bbaa174d0bf3e172ebb7f5 Mon Sep 17 00:00:00 2001 From: Kai Kang Date: Thu, 18 Nov 2021 09:53:36 +0800 Subject: squashfs-tools: fix CVE-2021-41072 Backport patches to fix CVE-2021-41072. And update context for verison 4.4 at same time. CVE: CVE-2021-41072 Ref: * https://nvd.nist.gov/vuln/detail/CVE-2021-41072 (From OE-Core rev: e95ccf6f7fe5a42fffcfa5e43087ff964622e26c) Signed-off-by: Kai Kang Signed-off-by: Anuj Mittal Signed-off-by: Richard Purdie --- .../squashfs-tools/files/CVE-2021-41072.patch | 316 +++++++++++++++++++++ 1 file changed, 316 insertions(+) create mode 100644 meta/recipes-devtools/squashfs-tools/files/CVE-2021-41072.patch (limited to 'meta/recipes-devtools/squashfs-tools/files/CVE-2021-41072.patch') diff --git a/meta/recipes-devtools/squashfs-tools/files/CVE-2021-41072.patch b/meta/recipes-devtools/squashfs-tools/files/CVE-2021-41072.patch new file mode 100644 index 0000000000..29ec3bbeab --- /dev/null +++ b/meta/recipes-devtools/squashfs-tools/files/CVE-2021-41072.patch @@ -0,0 +1,316 @@ +CVE: CVE-2021-41072 +Upstream-Status: Backport [https://github.com/plougher/squashfs-tools/commit/e048580] + +Backport commit to fix CVE-2021-41072. And squash a follow-up fix for +CVE-2021-41072 from upstream: +https://github.com/plougher/squashfs-tools/commit/19fcc93 + +Update context for version 4.4. + +Signed-off-by: Kai Kang + +From e0485802ec72996c20026da320650d8362f555bd Mon Sep 17 00:00:00 2001 +From: Phillip Lougher +Date: Sun, 12 Sep 2021 23:50:06 +0100 +Subject: [PATCH] Unsquashfs: additional write outside destination directory + exploit fix + +An issue on github (https://github.com/plougher/squashfs-tools/issues/72) +showed how some specially crafted Squashfs filesystems containing +invalid file names (with '/' and '..') can cause Unsquashfs to write +files outside of the destination directory. + +Since then it has been shown that specially crafted Squashfs filesystems +that contain a symbolic link pointing outside of the destination directory, +coupled with an identically named file within the same directory, can +cause Unsquashfs to write files outside of the destination directory. + +Specifically the symbolic link produces a pathname pointing outside +of the destination directory, which is then followed when writing the +duplicate identically named file within the directory. + +This commit fixes this exploit by explictly checking for duplicate +filenames within a directory. As directories in v2.1, v3.x, and v4.0 +filesystems are sorted, this is achieved by checking for consecutively +identical filenames. Additionally directories are checked to +ensure they are sorted, to avoid attempts to evade the duplicate +check. + +Version 1.x and 2.0 filesystems (where the directories were unsorted) +are sorted and then the above duplicate filename check is applied. + +Signed-off-by: Phillip Lougher +--- + squashfs-tools/Makefile | 6 +- + squashfs-tools/unsquash-1.c | 6 ++ + squashfs-tools/unsquash-12.c | 110 +++++++++++++++++++++++++++++++++ + squashfs-tools/unsquash-1234.c | 21 +++++++ + squashfs-tools/unsquash-2.c | 16 +++++ + squashfs-tools/unsquash-3.c | 6 ++ + squashfs-tools/unsquash-4.c | 6 ++ + squashfs-tools/unsquashfs.h | 4 ++ + 8 files changed, 173 insertions(+), 2 deletions(-) + create mode 100644 squashfs-tools/unsquash-12.c + +diff --git a/squashfs-tools/Makefile b/squashfs-tools/Makefile +index 7262a2e..1b544ed 100755 +--- a/squashfs-tools/Makefile ++++ b/squashfs-tools/Makefile +@@ -156,8 +156,8 @@ MKSQUASHFS_OBJS = mksquashfs.o read_fs.o + caches-queues-lists.o + + UNSQUASHFS_OBJS = unsquashfs.o unsquash-1.o unsquash-2.o unsquash-3.o \ +- unsquash-4.o unsquash-123.o unsquash-34.o unsquash-1234.o swap.o \ +- compressor.o unsquashfs_info.o ++ unsquash-4.o unsquash-123.o unsquash-34.o unsquash-1234.o unsquash-12.o \ ++ swap.o compressor.o unsquashfs_info.o + + CFLAGS ?= -O2 + CFLAGS += $(EXTRA_CFLAGS) $(INCLUDEDIR) -D_FILE_OFFSET_BITS=64 \ +@@ -353,6 +353,8 @@ unsquash-34.o: unsquashfs.h unsquash-34.c unsquashfs_error.h + + unsquash-1234.o: unsquash-1234.c + ++unsquash-12.o: unsquash-12.c unsquashfs.h ++ + unsquashfs_xattr.o: unsquashfs_xattr.c unsquashfs.h squashfs_fs.h xattr.h + + unsquashfs_info.o: unsquashfs.h squashfs_fs.h +--- a/squashfs-tools/unsquash-1.c ++++ b/squashfs-tools/unsquash-1.c +@@ -314,6 +314,12 @@ static struct dir *squashfs_opendir(unsi + } + } + ++ /* check directory for duplicate names. Need to sort directory first */ ++ sort_directory(dir); ++ if(check_directory(dir) == FALSE) { ++ ERROR("File system corrupted: directory has duplicate names\n"); ++ goto corrupted; ++ } + return dir; + + corrupted: +diff --git a/squashfs-tools/unsquash-12.c b/squashfs-tools/unsquash-12.c +new file mode 100644 +index 0000000..61bf128 +--- /dev/null ++++ b/squashfs-tools/unsquash-12.c +@@ -0,0 +1,110 @@ ++/* ++ * Unsquash a squashfs filesystem. This is a highly compressed read only ++ * filesystem. ++ * ++ * Copyright (c) 2021 ++ * Phillip Lougher ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version 2, ++ * or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ++ * ++ * unsquash-12.c ++ * ++ * Helper functions used by unsquash-1 and unsquash-2. ++ */ ++ ++#include "unsquashfs.h" ++ ++/* ++ * Bottom up linked list merge sort. ++ * ++ */ ++void sort_directory(struct dir *dir) ++{ ++ struct dir_ent *cur, *l1, *l2, *next; ++ int len1, len2, stride = 1; ++ ++ if(dir->dir_count < 2) ++ return; ++ ++ /* ++ * We can consider our linked-list to be made up of stride length ++ * sublists. Eacn iteration around this loop merges adjacent ++ * stride length sublists into larger 2*stride sublists. We stop ++ * when stride becomes equal to the entire list. ++ * ++ * Initially stride = 1 (by definition a sublist of 1 is sorted), and ++ * these 1 element sublists are merged into 2 element sublists, which ++ * are then merged into 4 element sublists and so on. ++ */ ++ do { ++ l2 = dir->dirs; /* head of current linked list */ ++ cur = NULL; /* empty output list */ ++ ++ /* ++ * Iterate through the linked list, merging adjacent sublists. ++ * On each interation l2 points to the next sublist pair to be ++ * merged (if there's only one sublist left this is simply added ++ * to the output list) ++ */ ++ while(l2) { ++ l1 = l2; ++ for(len1 = 0; l2 && len1 < stride; len1 ++, l2 = l2->next); ++ len2 = stride; ++ ++ /* ++ * l1 points to first sublist. ++ * l2 points to second sublist. ++ * Merge them onto the output list ++ */ ++ while(len1 && l2 && len2) { ++ if(strcmp(l1->name, l2->name) <= 0) { ++ next = l1; ++ l1 = l1->next; ++ len1 --; ++ } else { ++ next = l2; ++ l2 = l2->next; ++ len2 --; ++ } ++ ++ if(cur) { ++ cur->next = next; ++ cur = next; ++ } else ++ dir->dirs = cur = next; ++ } ++ /* ++ * One sublist is now empty, copy the other one onto the ++ * output list ++ */ ++ for(; len1; len1 --, l1 = l1->next) { ++ if(cur) { ++ cur->next = l1; ++ cur = l1; ++ } else ++ dir->dirs = cur = l1; ++ } ++ for(; l2 && len2; len2 --, l2 = l2->next) { ++ if(cur) { ++ cur->next = l2; ++ cur = l2; ++ } else ++ dir->dirs = cur = l2; ++ } ++ } ++ cur->next = NULL; ++ stride = stride << 1; ++ } while(stride < dir->dir_count); ++} +diff --git a/squashfs-tools/unsquash-1234.c b/squashfs-tools/unsquash-1234.c +index e389f8d..98a81ed 100644 +--- a/squashfs-tools/unsquash-1234.c ++++ b/squashfs-tools/unsquash-1234.c +@@ -72,3 +72,24 @@ void squashfs_closedir(struct dir *dir) + + free(dir); + } ++ ++ ++/* ++ * Check directory for duplicate names. As the directory should be sorted, ++ * duplicates will be consecutive. Obviously we also need to check if the ++ * directory has been deliberately unsorted, to evade this check. ++ */ ++int check_directory(struct dir *dir) ++{ ++ int i; ++ struct dir_ent *ent; ++ ++ if(dir->dir_count < 2) ++ return TRUE; ++ ++ for(ent = dir->dirs, i = 0; i < dir->dir_count - 1; ent = ent->next, i++) ++ if(strcmp(ent->name, ent->next->name) >= 0) ++ return FALSE; ++ ++ return TRUE; ++} +diff --git a/squashfs-tools/unsquash-2.c b/squashfs-tools/unsquash-2.c +index 956f96f..0e36f7d 100644 +--- a/squashfs-tools/unsquash-2.c ++++ b/squashfs-tools/unsquash-2.c +@@ -29,6 +29,7 @@ static squashfs_fragment_entry_2 *fragme + static unsigned int *uid_table, *guid_table; + static char *inode_table, *directory_table; + static squashfs_operations ops; ++static int needs_sorting = FALSE; + + static void read_block_list(unsigned int *block_list, char *block_ptr, int blocks) + { +@@ -415,6 +416,17 @@ static struct dir *squashfs_opendir(unsi + } + } + ++ if(needs_sorting) ++ sort_directory(dir); ++ ++ /* check directory for duplicate names and sorting */ ++ if(check_directory(dir) == FALSE) { ++ if(needs_sorting) ++ ERROR("File system corrupted: directory has duplicate names\n"); ++ else ++ ERROR("File system corrupted: directory has duplicate names or is unsorted\n"); ++ goto corrupted; ++ } + return dir; + + corrupted: +--- a/squashfs-tools/unsquash-3.c ++++ b/squashfs-tools/unsquash-3.c +@@ -442,6 +442,12 @@ static struct dir *squashfs_opendir(unsi + } + } + ++ /* check directory for duplicate names and sorting */ ++ if(check_directory(dir) == FALSE) { ++ ERROR("File system corrupted: directory has duplicate names or is unsorted\n"); ++ goto corrupted; ++ } ++ + return dir; + + corrupted: +diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c +index 694783d..c615bb8 100644 +--- a/squashfs-tools/unsquash-4.c ++++ b/squashfs-tools/unsquash-4.c +@@ -378,6 +378,12 @@ static struct dir *squashfs_opendir(unsi + } + } + ++ /* check directory for duplicate names and sorting */ ++ if(check_directory(dir) == FALSE) { ++ ERROR("File system corrupted: directory has duplicate names or is unsorted\n"); ++ goto corrupted; ++ } ++ + return dir; + + corrupted: +diff --git a/squashfs-tools/unsquashfs.h b/squashfs-tools/unsquashfs.h +index f8cf78c..bf2a80d 100644 +--- a/squashfs-tools/unsquashfs.h ++++ b/squashfs-tools/unsquashfs.h +@@ -266,4 +266,8 @@ extern long long *alloc_index_table(int) + /* unsquash-1234.c */ + extern int check_name(char *, int); + extern void squashfs_closedir(struct dir *); ++extern int check_directory(struct dir *); ++ ++/* unsquash-12.c */ ++extern void sort_directory(struct dir *); + #endif +-- +2.17.1 + -- cgit v1.2.3-54-g00ecf