summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHongxu Jia <hongxu.jia@windriver.com>2025-02-19 15:04:33 +0800
committerSteve Sakoman <steve@sakoman.com>2025-02-28 06:45:14 -0800
commitec0e90ce423f8cba7b52a4452f5c32a50dce230d (patch)
tree999772e577fdd8a4a137a6301a67a1ed08e29f95
parent2afaed1013190d7f54a5346bfca69e92bdb2ed83 (diff)
downloadpoky-ec0e90ce423f8cba7b52a4452f5c32a50dce230d.tar.gz
u-boot: fix CVE-2024-57254
An integer overflow in sqfs_inode_size in Das U-Boot before 2025.01-rc1 occurs in the symlink size calculation via a crafted squashfs filesystem. https://nvd.nist.gov/vuln/detail/CVE-2024-57254 (From OE-Core rev: eea9fee59bc7576bef94f0da466887e4daff0356) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat
-rw-r--r--meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch47
-rw-r--r--meta/recipes-bsp/u-boot/u-boot-common.inc4
2 files changed, 50 insertions, 1 deletions
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch
new file mode 100644
index 0000000000..be00121224
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch
@@ -0,0 +1,47 @@
1From 3f9deb424ecd6ecd50f165b42f0b0290d83853f5 Mon Sep 17 00:00:00 2001
2From: Richard Weinberger <richard@nod.at>
3Date: Fri, 2 Aug 2024 18:36:45 +0200
4Subject: [PATCH 1/8] squashfs: Fix integer overflow in sqfs_inode_size()
5
6A carefully crafted squashfs filesystem can exhibit an extremly large
7inode size and overflow the calculation in sqfs_inode_size().
8As a consequence, the squashfs driver will read from wrong locations.
9
10Fix by using __builtin_add_overflow() to detect the overflow.
11
12Signed-off-by: Richard Weinberger <richard@nod.at>
13Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
14
15CVE: CVE-2024-57254
16Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/c8e929e5758999933f9e905049ef2bf3fe6b140d]
17Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
18---
19 fs/squashfs/sqfs_inode.c | 9 +++++++--
20 1 file changed, 7 insertions(+), 2 deletions(-)
21
22diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c
23index d25cfb53..bb3ccd37 100644
24--- a/fs/squashfs/sqfs_inode.c
25+++ b/fs/squashfs/sqfs_inode.c
26@@ -78,11 +78,16 @@ int sqfs_inode_size(struct squashfs_base_inode *inode, u32 blk_size)
27
28 case SQFS_SYMLINK_TYPE:
29 case SQFS_LSYMLINK_TYPE: {
30+ int size;
31+
32 struct squashfs_symlink_inode *symlink =
33 (struct squashfs_symlink_inode *)inode;
34
35- return sizeof(*symlink) +
36- get_unaligned_le32(&symlink->symlink_size);
37+ if (__builtin_add_overflow(sizeof(*symlink),
38+ get_unaligned_le32(&symlink->symlink_size), &size))
39+ return -EINVAL;
40+
41+ return size;
42 }
43
44 case SQFS_BLKDEV_TYPE:
45--
462.34.1
47
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index 1f17bd7d0a..9ce42e829f 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -14,7 +14,9 @@ PE = "1"
14# repo during parse 14# repo during parse
15SRCREV = "866ca972d6c3cabeaf6dbac431e8e08bb30b3c8e" 15SRCREV = "866ca972d6c3cabeaf6dbac431e8e08bb30b3c8e"
16 16
17SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master" 17SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
18 file://CVE-2024-57254.patch \
19"
18 20
19S = "${WORKDIR}/git" 21S = "${WORKDIR}/git"
20B = "${WORKDIR}/build" 22B = "${WORKDIR}/build"
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-06-14 10:26:03 +0000