u-boot: fix CVE-2024-57258

Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1 occur for a crafted squashfs filesystem via sbrk, via request2size, or because ptrdiff_t is mishandled on x86_64. https://nvd.nist.gov/vuln/detail/CVE-2024-57258 (From OE-Core rev: 12e1d55ae2427b6aaca6a1f7d8f947f0d6bbd28d) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Hongxu Jia <hongxu.jia@windriver.com> 2025-02-19 15:04:37 +0800
committer: Steve Sakoman <steve@sakoman.com> 2025-02-28 06:45:14 -0800
commit: 297607918a3978b26852a7c8660c89b684211122 (patch)
tree: 54c3987248561faf6f313c786f1008d83bde2aee
parent: 8c190b0e8e2e20889b3ddae0a3e9e16e77b78701 (diff)
download: poky-297607918a3978b26852a7c8660c89b684211122.tar.gz
4 files changed, 133 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch
new file mode 100644
index 0000000000..d33a4260ba
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch
@@ -0,0 +1,47 @@
+From 50ab41c3628dedeca1a331dd86dd203b73faea74 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 12:08:45 +0200
+Subject: [PATCH 5/8] dlmalloc: Fix integer overflow in sbrk()
+Make sure that the new break is within mem_malloc_start
+and mem_malloc_end before making progress.
+ulong new = old + increment; can overflow for extremely large
+increment values and memset() can get wrongly called.
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Simon Glass <sjg@chromium.org>
+CVE: CVE-2024-57258
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/0a10b49206a29b4aa2f80233a3e53ca0466bb0b3]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ common/dlmalloc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/common/dlmalloc.c b/common/dlmalloc.c
+index de3f0422..bae2a27c 100644
+--- a/common/dlmalloc.c
+++ b/common/dlmalloc.c
+@@ -591,6 +591,9 @@ void *sbrk(ptrdiff_t increment)
+        ulong old = mem_malloc_brk;
+        ulong new = old + increment;
+ 
+       if ((new < mem_malloc_start) || (new > mem_malloc_end))
+               return (void *)MORECORE_FAILURE;
+
+        /*
+         * if we are giving memory back make sure we clear it out since
+         * we set MORECORE_CLEARS to 1
+@@ -598,9 +601,6 @@ void *sbrk(ptrdiff_t increment)
+        if (increment < 0)
+                memset((void *)new, 0, -increment);
+ 
+-       if ((new < mem_malloc_start) || (new > mem_malloc_end))
+-               return (void *)MORECORE_FAILURE;
+-
+        mem_malloc_brk = new;
+ 
+        return (void *)old;
+-- 
+2.34.1
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch
new file mode 100644
index 0000000000..688e2c64d8
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch
@@ -0,0 +1,43 @@
+From db7c626204f488a802a2e58b7a788b11fde6be7d Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 12:08:44 +0200
+Subject: [PATCH 6/8] dlmalloc: Fix integer overflow in request2size()
+req is of type size_t, casting it to long opens the door
+for an integer overflow.
+Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX
+cause and overflow such that request2size() returns MINSIZE.
+Fix by removing the cast.
+The origin of the cast is unclear, it's in u-boot and ppcboot since ever
+and predates the CVS history.
+Doug Lea's original dlmalloc implementation also doesn't have it.
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Simon Glass <sjg@chromium.org>
+CVE: CVE-2024-57258
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/8642b2178d2c4002c99a0b69a845a48f2ae2706f]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ common/dlmalloc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/common/dlmalloc.c b/common/dlmalloc.c
+index bae2a27c..1ac4ee9f 100644
+--- a/common/dlmalloc.c
+++ b/common/dlmalloc.c
+@@ -379,8 +379,8 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ /* pad request bytes into a usable size */
+ 
+ #define request2size(req) \
+- (((long)((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
+-  (long)(MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
+ ((((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
+  (MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
+    (((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) & ~(MALLOC_ALIGN_MASK)))
+ 
+ /* Check if m has acceptable alignment */
+-- 
+2.34.1
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch
new file mode 100644
index 0000000000..2c8a7c9d91
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch
@@ -0,0 +1,40 @@
+From 37095a204127b60b5e00c4c5d435d6e48a6a1c51 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 12:08:43 +0200
+Subject: [PATCH 7/8] x86: Fix ptrdiff_t for x86_64
+sbrk() assumes ptrdiff_t is large enough to enlarge/shrink the heap
+by LONG_MIN/LONG_MAX.
+So, use the long type, also to match the rest of the Linux ecosystem.
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Simon Glass <sjg@chromium.org>
+CVE: CVE-2024-57258
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/c17b2a05dd50a3ba437e6373093a0d6a359cdee0]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ arch/x86/include/asm/posix_types.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/arch/x86/include/asm/posix_types.h b/arch/x86/include/asm/posix_types.h
+index dbcea7f4..e1ed9bca 100644
+--- a/arch/x86/include/asm/posix_types.h
+++ b/arch/x86/include/asm/posix_types.h
+@@ -20,11 +20,12 @@ typedef unsigned short      __kernel_gid_t;
+ #if defined(__x86_64__)
+ typedef unsigned long  __kernel_size_t;
+ typedef long           __kernel_ssize_t;
+typedef long           __kernel_ptrdiff_t;
+ #else
+ typedef unsigned int   __kernel_size_t;
+ typedef int            __kernel_ssize_t;
+-#endif
+ typedef int            __kernel_ptrdiff_t;
+#endif
+ typedef long           __kernel_time_t;
+ typedef long           __kernel_suseconds_t;
+ typedef long           __kernel_clock_t;
+-- 
+2.34.1
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index ec3b4d8fdf..d3af17f82b 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -19,6 +19,9 @@ SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
           file://CVE-2024-57255.patch \
           file://CVE-2024-57256.patch \
           file://CVE-2024-57257.patch \
+           file://CVE-2024-57258-1.patch \
+           file://CVE-2024-57258-2.patch \
+           file://CVE-2024-57258-3.patch \
 "
 S = "${WORKDIR}/git"
author	Hongxu Jia <hongxu.jia@windriver.com>	2025-02-19 15:04:37 +0800
committer	Steve Sakoman <steve@sakoman.com>	2025-02-28 06:45:14 -0800
commit	297607918a3978b26852a7c8660c89b684211122 (patch)
tree	54c3987248561faf6f313c786f1008d83bde2aee
parent	8c190b0e8e2e20889b3ddae0a3e9e16e77b78701 (diff)
download	poky-297607918a3978b26852a7c8660c89b684211122.tar.gz

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch new file mode 100644 index 0000000000..d33a4260ba --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch
@@ -0,0 +1,47 @@
		1	From 50ab41c3628dedeca1a331dd86dd203b73faea74 Mon Sep 17 00:00:00 2001
		2	From: Richard Weinberger <richard@nod.at>
		3	Date: Fri, 2 Aug 2024 12:08:45 +0200
		4	Subject: [PATCH 5/8] dlmalloc: Fix integer overflow in sbrk()
		5
		6	Make sure that the new break is within mem_malloc_start
		7	and mem_malloc_end before making progress.
		8	ulong new = old + increment; can overflow for extremely large
		9	increment values and memset() can get wrongly called.
		10
		11	Signed-off-by: Richard Weinberger <richard@nod.at>
		12	Reviewed-by: Simon Glass <sjg@chromium.org>
		13
		14	CVE: CVE-2024-57258
		15	Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/0a10b49206a29b4aa2f80233a3e53ca0466bb0b3]
		16	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		17	---
		18	common/dlmalloc.c \| 6 +++---
		19	1 file changed, 3 insertions(+), 3 deletions(-)
		20
		21	diff --git a/common/dlmalloc.c b/common/dlmalloc.c
		22	index de3f0422..bae2a27c 100644
		23	--- a/common/dlmalloc.c
		24	+++ b/common/dlmalloc.c
		25	@@ -591,6 +591,9 @@ void *sbrk(ptrdiff_t increment)
		26	ulong old = mem_malloc_brk;
		27	ulong new = old + increment;
		28
		29	+ if ((new < mem_malloc_start) \|\| (new > mem_malloc_end))
		30	+ return (void *)MORECORE_FAILURE;
		31	+
		32	/*
		33	* if we are giving memory back make sure we clear it out since
		34	* we set MORECORE_CLEARS to 1
		35	@@ -598,9 +601,6 @@ void *sbrk(ptrdiff_t increment)
		36	if (increment < 0)
		37	memset((void *)new, 0, -increment);
		38
		39	- if ((new < mem_malloc_start) \|\| (new > mem_malloc_end))
		40	- return (void *)MORECORE_FAILURE;
		41	-
		42	mem_malloc_brk = new;
		43
		44	return (void *)old;
		45	--
		46	2.34.1
		47


diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch new file mode 100644 index 0000000000..688e2c64d8 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch
@@ -0,0 +1,43 @@
		1	From db7c626204f488a802a2e58b7a788b11fde6be7d Mon Sep 17 00:00:00 2001
		2	From: Richard Weinberger <richard@nod.at>
		3	Date: Fri, 2 Aug 2024 12:08:44 +0200
		4	Subject: [PATCH 6/8] dlmalloc: Fix integer overflow in request2size()
		5
		6	req is of type size_t, casting it to long opens the door
		7	for an integer overflow.
		8	Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX
		9	cause and overflow such that request2size() returns MINSIZE.
		10
		11	Fix by removing the cast.
		12	The origin of the cast is unclear, it's in u-boot and ppcboot since ever
		13	and predates the CVS history.
		14	Doug Lea's original dlmalloc implementation also doesn't have it.
		15
		16	Signed-off-by: Richard Weinberger <richard@nod.at>
		17	Reviewed-by: Simon Glass <sjg@chromium.org>
		18
		19	CVE: CVE-2024-57258
		20	Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/8642b2178d2c4002c99a0b69a845a48f2ae2706f]
		21	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		22	---
		23	common/dlmalloc.c \| 4 ++--
		24	1 file changed, 2 insertions(+), 2 deletions(-)
		25
		26	diff --git a/common/dlmalloc.c b/common/dlmalloc.c
		27	index bae2a27c..1ac4ee9f 100644
		28	--- a/common/dlmalloc.c
		29	+++ b/common/dlmalloc.c
		30	@@ -379,8 +379,8 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
		31	/* pad request bytes into a usable size */
		32
		33	#define request2size(req) \
		34	- (((long)((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
		35	- (long)(MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
		36	+ ((((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
		37	+ (MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
		38	(((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) & ~(MALLOC_ALIGN_MASK)))
		39
		40	/* Check if m has acceptable alignment */
		41	--
		42	2.34.1
		43


diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch new file mode 100644 index 0000000000..2c8a7c9d91 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch
@@ -0,0 +1,40 @@
		1	From 37095a204127b60b5e00c4c5d435d6e48a6a1c51 Mon Sep 17 00:00:00 2001
		2	From: Richard Weinberger <richard@nod.at>
		3	Date: Fri, 2 Aug 2024 12:08:43 +0200
		4	Subject: [PATCH 7/8] x86: Fix ptrdiff_t for x86_64
		5
		6	sbrk() assumes ptrdiff_t is large enough to enlarge/shrink the heap
		7	by LONG_MIN/LONG_MAX.
		8	So, use the long type, also to match the rest of the Linux ecosystem.
		9
		10	Signed-off-by: Richard Weinberger <richard@nod.at>
		11	Reviewed-by: Simon Glass <sjg@chromium.org>
		12
		13	CVE: CVE-2024-57258
		14	Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/c17b2a05dd50a3ba437e6373093a0d6a359cdee0]
		15	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		16	---
		17	arch/x86/include/asm/posix_types.h \| 3 ++-
		18	1 file changed, 2 insertions(+), 1 deletion(-)
		19
		20	diff --git a/arch/x86/include/asm/posix_types.h b/arch/x86/include/asm/posix_types.h
		21	index dbcea7f4..e1ed9bca 100644
		22	--- a/arch/x86/include/asm/posix_types.h
		23	+++ b/arch/x86/include/asm/posix_types.h
		24	@@ -20,11 +20,12 @@ typedef unsigned short __kernel_gid_t;
		25	#if defined(__x86_64__)
		26	typedef unsigned long __kernel_size_t;
		27	typedef long __kernel_ssize_t;
		28	+typedef long __kernel_ptrdiff_t;
		29	#else
		30	typedef unsigned int __kernel_size_t;
		31	typedef int __kernel_ssize_t;
		32	-#endif
		33	typedef int __kernel_ptrdiff_t;
		34	+#endif
		35	typedef long __kernel_time_t;
		36	typedef long __kernel_suseconds_t;
		37	typedef long __kernel_clock_t;
		38	--
		39	2.34.1
		40


diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc index ec3b4d8fdf..d3af17f82b 100644 --- a/meta/recipes-bsp/u-boot/u-boot-common.inc +++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -19,6 +19,9 @@ SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
19	file://CVE-2024-57255.patch \	19	file://CVE-2024-57255.patch \
20	file://CVE-2024-57256.patch \	20	file://CVE-2024-57256.patch \
21	file://CVE-2024-57257.patch \	21	file://CVE-2024-57257.patch \
		22	file://CVE-2024-57258-1.patch \
		23	file://CVE-2024-57258-2.patch \
		24	file://CVE-2024-57258-3.patch \
22	"	25	"
23		26
24	S = "${WORKDIR}/git"	27	S = "${WORKDIR}/git"