summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHongxu Jia <hongxu.jia@windriver.com>2025-02-19 16:18:18 +0800
committerSteve Sakoman <steve@sakoman.com>2025-02-28 06:51:35 -0800
commit644ddcb99343f0d7701a18c092ea2b2a05f2891b (patch)
tree00e3ecf051c7fc8ae14e096de349ae491c12a364
parent86f0ab4d07f2948abda527d7361b3819676ea41f (diff)
downloadpoky-644ddcb99343f0d7701a18c092ea2b2a05f2891b.tar.gz
u-boot: fix CVE-2024-57258
Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1 occur for a crafted squashfs filesystem via sbrk, via request2size, or because ptrdiff_t is mishandled on x86_64. https://nvd.nist.gov/vuln/detail/CVE-2024-57258 (From OE-Core rev: b4bf3ba66052db7a311ac696563a8a0f9c585600) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch47
-rw-r--r--meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch43
-rw-r--r--meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch40
-rw-r--r--meta/recipes-bsp/u-boot/u-boot_2022.01.bb3
4 files changed, 133 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch
new file mode 100644
index 0000000000..d33a4260ba
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch
@@ -0,0 +1,47 @@
1From 50ab41c3628dedeca1a331dd86dd203b73faea74 Mon Sep 17 00:00:00 2001
2From: Richard Weinberger <richard@nod.at>
3Date: Fri, 2 Aug 2024 12:08:45 +0200
4Subject: [PATCH 5/8] dlmalloc: Fix integer overflow in sbrk()
5
6Make sure that the new break is within mem_malloc_start
7and mem_malloc_end before making progress.
8ulong new = old + increment; can overflow for extremely large
9increment values and memset() can get wrongly called.
10
11Signed-off-by: Richard Weinberger <richard@nod.at>
12Reviewed-by: Simon Glass <sjg@chromium.org>
13
14CVE: CVE-2024-57258
15Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/0a10b49206a29b4aa2f80233a3e53ca0466bb0b3]
16Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
17---
18 common/dlmalloc.c | 6 +++---
19 1 file changed, 3 insertions(+), 3 deletions(-)
20
21diff --git a/common/dlmalloc.c b/common/dlmalloc.c
22index de3f0422..bae2a27c 100644
23--- a/common/dlmalloc.c
24+++ b/common/dlmalloc.c
25@@ -591,6 +591,9 @@ void *sbrk(ptrdiff_t increment)
26 ulong old = mem_malloc_brk;
27 ulong new = old + increment;
28
29+ if ((new < mem_malloc_start) || (new > mem_malloc_end))
30+ return (void *)MORECORE_FAILURE;
31+
32 /*
33 * if we are giving memory back make sure we clear it out since
34 * we set MORECORE_CLEARS to 1
35@@ -598,9 +601,6 @@ void *sbrk(ptrdiff_t increment)
36 if (increment < 0)
37 memset((void *)new, 0, -increment);
38
39- if ((new < mem_malloc_start) || (new > mem_malloc_end))
40- return (void *)MORECORE_FAILURE;
41-
42 mem_malloc_brk = new;
43
44 return (void *)old;
45--
462.34.1
47
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch
new file mode 100644
index 0000000000..688e2c64d8
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch
@@ -0,0 +1,43 @@
1From db7c626204f488a802a2e58b7a788b11fde6be7d Mon Sep 17 00:00:00 2001
2From: Richard Weinberger <richard@nod.at>
3Date: Fri, 2 Aug 2024 12:08:44 +0200
4Subject: [PATCH 6/8] dlmalloc: Fix integer overflow in request2size()
5
6req is of type size_t, casting it to long opens the door
7for an integer overflow.
8Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX
9cause and overflow such that request2size() returns MINSIZE.
10
11Fix by removing the cast.
12The origin of the cast is unclear, it's in u-boot and ppcboot since ever
13and predates the CVS history.
14Doug Lea's original dlmalloc implementation also doesn't have it.
15
16Signed-off-by: Richard Weinberger <richard@nod.at>
17Reviewed-by: Simon Glass <sjg@chromium.org>
18
19CVE: CVE-2024-57258
20Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/8642b2178d2c4002c99a0b69a845a48f2ae2706f]
21Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
22---
23 common/dlmalloc.c | 4 ++--
24 1 file changed, 2 insertions(+), 2 deletions(-)
25
26diff --git a/common/dlmalloc.c b/common/dlmalloc.c
27index bae2a27c..1ac4ee9f 100644
28--- a/common/dlmalloc.c
29+++ b/common/dlmalloc.c
30@@ -379,8 +379,8 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
31 /* pad request bytes into a usable size */
32
33 #define request2size(req) \
34- (((long)((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
35- (long)(MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
36+ ((((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
37+ (MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
38 (((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) & ~(MALLOC_ALIGN_MASK)))
39
40 /* Check if m has acceptable alignment */
41--
422.34.1
43
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch
new file mode 100644
index 0000000000..2c8a7c9d91
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch
@@ -0,0 +1,40 @@
1From 37095a204127b60b5e00c4c5d435d6e48a6a1c51 Mon Sep 17 00:00:00 2001
2From: Richard Weinberger <richard@nod.at>
3Date: Fri, 2 Aug 2024 12:08:43 +0200
4Subject: [PATCH 7/8] x86: Fix ptrdiff_t for x86_64
5
6sbrk() assumes ptrdiff_t is large enough to enlarge/shrink the heap
7by LONG_MIN/LONG_MAX.
8So, use the long type, also to match the rest of the Linux ecosystem.
9
10Signed-off-by: Richard Weinberger <richard@nod.at>
11Reviewed-by: Simon Glass <sjg@chromium.org>
12
13CVE: CVE-2024-57258
14Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/c17b2a05dd50a3ba437e6373093a0d6a359cdee0]
15Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
16---
17 arch/x86/include/asm/posix_types.h | 3 ++-
18 1 file changed, 2 insertions(+), 1 deletion(-)
19
20diff --git a/arch/x86/include/asm/posix_types.h b/arch/x86/include/asm/posix_types.h
21index dbcea7f4..e1ed9bca 100644
22--- a/arch/x86/include/asm/posix_types.h
23+++ b/arch/x86/include/asm/posix_types.h
24@@ -20,11 +20,12 @@ typedef unsigned short __kernel_gid_t;
25 #if defined(__x86_64__)
26 typedef unsigned long __kernel_size_t;
27 typedef long __kernel_ssize_t;
28+typedef long __kernel_ptrdiff_t;
29 #else
30 typedef unsigned int __kernel_size_t;
31 typedef int __kernel_ssize_t;
32-#endif
33 typedef int __kernel_ptrdiff_t;
34+#endif
35 typedef long __kernel_time_t;
36 typedef long __kernel_suseconds_t;
37 typedef long __kernel_clock_t;
38--
392.34.1
40
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
index c68e3e442f..cdee9fc721 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -15,6 +15,9 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
15 file://CVE-2024-57255.patch \ 15 file://CVE-2024-57255.patch \
16 file://CVE-2024-57256.patch \ 16 file://CVE-2024-57256.patch \
17 file://CVE-2024-57257.patch \ 17 file://CVE-2024-57257.patch \
18 file://CVE-2024-57258-1.patch \
19 file://CVE-2024-57258-2.patch \
20 file://CVE-2024-57258-3.patch \
18 " 21 "
19 22
20DEPENDS += "bc-native dtc-native python3-setuptools-native" 23DEPENDS += "bc-native dtc-native python3-setuptools-native"