u-boot: fix CVE-2024-57256

An integer overflow in ext4fs_read_symlink in Das U-Boot before 2025.01-rc1 occurs for zalloc (adding one to an le32 variable) via a crafted ext4 filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite. https://nvd.nist.gov/vuln/detail/CVE-2024-57256 (From OE-Core rev: 21e6ac6e53112b9dddc5a84f27be5851469b9c46) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Hongxu Jia <hongxu.jia@windriver.com> 2025-02-19 15:04:35 +0800
committer: Steve Sakoman <steve@sakoman.com> 2025-02-28 06:45:14 -0800
commit: 35f98c1ff33a18315fed1d649ce3982fb18c9d2c (patch)
tree: a143ea4de9cad10f991d9f1fd1757a131290211b
parent: 618c5fdb1461891a812bce5131339873a96b12fe (diff)
download: poky-35f98c1ff33a18315fed1d649ce3982fb18c9d2c.tar.gz
2 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch
new file mode 100644
index 0000000000..78cf4ac225
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch
@@ -0,0 +1,51 @@
+From 49cab731abe7a98db4ac16666e3b5ab3bc799282 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 9 Aug 2024 11:54:28 +0200
+Subject: [PATCH 3/8] ext4: Fix integer overflow in ext4fs_read_symlink()
+While zalloc() takes a size_t type, adding 1 to the le32 variable
+will overflow.
+A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff
+and as consequence zalloc() will do a zero allocation.
+Later in the function the inode size is again used for copying data.
+So an attacker can overwrite memory.
+Avoid the overflow by using the __builtin_add_overflow() helper.
+Signed-off-by: Richard Weinberger <richard@nod.at>
+CVE: CVE-2024-57256
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/35f75d2a46e5859138c83a75cd2f4141c5479ab9]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/ext4/ext4_common.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c
+index f50de7c0..a7798296 100644
+--- a/fs/ext4/ext4_common.c
+++ b/fs/ext4/ext4_common.c
+@@ -2188,13 +2188,18 @@ static char *ext4fs_read_symlink(struct ext2fs_node *node)
+        struct ext2fs_node *diro = node;
+        int status;
+        loff_t actread;
+       size_t alloc_size;
+ 
+        if (!diro->inode_read) {
+                status = ext4fs_read_inode(diro->data, diro->ino, &diro->inode);
+                if (status == 0)
+                        return NULL;
+        }
+-       symlink = zalloc(le32_to_cpu(diro->inode.size) + 1);
+
+       if (__builtin_add_overflow(le32_to_cpu(diro->inode.size), 1, &alloc_size))
+               return NULL;
+
+       symlink = zalloc(alloc_size);
+        if (!symlink)
+                return NULL;
+ 
+-- 
+2.34.1
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index e907edd2eb..097ef685e9 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -17,6 +17,7 @@ SRCREV = "866ca972d6c3cabeaf6dbac431e8e08bb30b3c8e"
 SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
           file://CVE-2024-57254.patch \
           file://CVE-2024-57255.patch \
+           file://CVE-2024-57256.patch \
 "
 S = "${WORKDIR}/git"
author	Hongxu Jia <hongxu.jia@windriver.com>	2025-02-19 15:04:35 +0800
committer	Steve Sakoman <steve@sakoman.com>	2025-02-28 06:45:14 -0800
commit	35f98c1ff33a18315fed1d649ce3982fb18c9d2c (patch)
tree	a143ea4de9cad10f991d9f1fd1757a131290211b
parent	618c5fdb1461891a812bce5131339873a96b12fe (diff)
download	poky-35f98c1ff33a18315fed1d649ce3982fb18c9d2c.tar.gz

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch new file mode 100644 index 0000000000..78cf4ac225 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch
@@ -0,0 +1,51 @@
		1	From 49cab731abe7a98db4ac16666e3b5ab3bc799282 Mon Sep 17 00:00:00 2001
		2	From: Richard Weinberger <richard@nod.at>
		3	Date: Fri, 9 Aug 2024 11:54:28 +0200
		4	Subject: [PATCH 3/8] ext4: Fix integer overflow in ext4fs_read_symlink()
		5
		6	While zalloc() takes a size_t type, adding 1 to the le32 variable
		7	will overflow.
		8	A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff
		9	and as consequence zalloc() will do a zero allocation.
		10
		11	Later in the function the inode size is again used for copying data.
		12	So an attacker can overwrite memory.
		13
		14	Avoid the overflow by using the __builtin_add_overflow() helper.
		15
		16	Signed-off-by: Richard Weinberger <richard@nod.at>
		17
		18	CVE: CVE-2024-57256
		19	Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/35f75d2a46e5859138c83a75cd2f4141c5479ab9]
		20	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		21	---
		22	fs/ext4/ext4_common.c \| 7 ++++++-
		23	1 file changed, 6 insertions(+), 1 deletion(-)
		24
		25	diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c
		26	index f50de7c0..a7798296 100644
		27	--- a/fs/ext4/ext4_common.c
		28	+++ b/fs/ext4/ext4_common.c
		29	@@ -2188,13 +2188,18 @@ static char ext4fs_read_symlink(struct ext2fs_node node)
		30	struct ext2fs_node *diro = node;
		31	int status;
		32	loff_t actread;
		33	+ size_t alloc_size;
		34
		35	if (!diro->inode_read) {
		36	status = ext4fs_read_inode(diro->data, diro->ino, &diro->inode);
		37	if (status == 0)
		38	return NULL;
		39	}
		40	- symlink = zalloc(le32_to_cpu(diro->inode.size) + 1);
		41	+
		42	+ if (__builtin_add_overflow(le32_to_cpu(diro->inode.size), 1, &alloc_size))
		43	+ return NULL;
		44	+
		45	+ symlink = zalloc(alloc_size);
		46	if (!symlink)
		47	return NULL;
		48
		49	--
		50	2.34.1
		51


diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc index e907edd2eb..097ef685e9 100644 --- a/meta/recipes-bsp/u-boot/u-boot-common.inc +++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -17,6 +17,7 @@ SRCREV = "866ca972d6c3cabeaf6dbac431e8e08bb30b3c8e"
17	SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \	17	SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
18	file://CVE-2024-57254.patch \	18	file://CVE-2024-57254.patch \
19	file://CVE-2024-57255.patch \	19	file://CVE-2024-57255.patch \
		20	file://CVE-2024-57256.patch \
20	"	21	"
21		22
22	S = "${WORKDIR}/git"	23	S = "${WORKDIR}/git"