u-boot: fix CVE-2024-57255

An integer overflow in sqfs_resolve_symlink in Das U-Boot before 2025.01-rc1 occurs via a crafted squashfs filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite. https://nvd.nist.gov/vuln/detail/CVE-2024-57255 (From OE-Core rev: 687b6e0a166d7dc999b7d226a9bd68155f59a03a) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Hongxu Jia <hongxu.jia@windriver.com> 2025-02-19 16:18:15 +0800
committer: Steve Sakoman <steve@sakoman.com> 2025-02-28 06:51:35 -0800
commit: 7e46bdecf4796f354a269c7b7831499c9341f22e (patch)
tree: 15ce9f3d8ae315bb49e00c4b8b7fad1cecdbe58e
parent: fcaac44489a860cfaa852ab0d8f2f831a7349ce5 (diff)
download: poky-7e46bdecf4796f354a269c7b7831499c9341f22e.tar.gz
2 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch
new file mode 100644
index 0000000000..4ca72da554
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch
@@ -0,0 +1,53 @@
+From 5d7ca74388544bf8c95e104517a9120e94bfe40d Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 18:36:44 +0200
+Subject: [PATCH 2/8] squashfs: Fix integer overflow in sqfs_resolve_symlink()
+A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff,
+as a consequence malloc() will do a zero allocation.
+Later in the function the inode size is again used for copying data.
+So an attacker can overwrite memory.
+Avoid the overflow by using the __builtin_add_overflow() helper.
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+CVE: CVE-2024-57255
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/233945eba63e24061dffeeaeb7cd6fe985278356]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/squashfs/sqfs.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
+index 1430e671..16a07c06 100644
+--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
+@@ -422,8 +422,10 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym,
+        char *resolved, *target;
+        u32 sz;
+ 
+-       sz = get_unaligned_le32(&sym->symlink_size);
+-       target = malloc(sz + 1);
+       if (__builtin_add_overflow(get_unaligned_le32(&sym->symlink_size), 1, &sz))
+               return NULL;
+
+       target = malloc(sz);
+        if (!target)
+                return NULL;
+ 
+@@ -431,9 +433,9 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym,
+         * There is no trailling null byte in the symlink's target path, so a
+         * copy is made and a '\0' is added at its end.
+         */
+-       target[sz] = '\0';
+       target[sz - 1] = '\0';
+        /* Get target name (relative path) */
+-       strncpy(target, sym->symlink, sz);
+       strncpy(target, sym->symlink, sz - 1);
+ 
+        /* Relative -> absolute path conversion */
+        resolved = sqfs_get_abs_path(base_path, target);
+-- 
+2.34.1
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
index d9c6fcb993..cfe36256f3 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -12,6 +12,7 @@ SRC_URI +=       " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
                   file://CVE-2022-2347_1.patch \
                   file://CVE-2022-2347_2.patch \
                   file://CVE-2024-57254.patch \
+                   file://CVE-2024-57255.patch \
                 "
 DEPENDS += "bc-native dtc-native python3-setuptools-native"
author	Hongxu Jia <hongxu.jia@windriver.com>	2025-02-19 16:18:15 +0800
committer	Steve Sakoman <steve@sakoman.com>	2025-02-28 06:51:35 -0800
commit	7e46bdecf4796f354a269c7b7831499c9341f22e (patch)
tree	15ce9f3d8ae315bb49e00c4b8b7fad1cecdbe58e
parent	fcaac44489a860cfaa852ab0d8f2f831a7349ce5 (diff)
download	poky-7e46bdecf4796f354a269c7b7831499c9341f22e.tar.gz

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch new file mode 100644 index 0000000000..4ca72da554 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch
@@ -0,0 +1,53 @@
		1	From 5d7ca74388544bf8c95e104517a9120e94bfe40d Mon Sep 17 00:00:00 2001
		2	From: Richard Weinberger <richard@nod.at>
		3	Date: Fri, 2 Aug 2024 18:36:44 +0200
		4	Subject: [PATCH 2/8] squashfs: Fix integer overflow in sqfs_resolve_symlink()
		5
		6	A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff,
		7	as a consequence malloc() will do a zero allocation.
		8	Later in the function the inode size is again used for copying data.
		9	So an attacker can overwrite memory.
		10	Avoid the overflow by using the __builtin_add_overflow() helper.
		11
		12	Signed-off-by: Richard Weinberger <richard@nod.at>
		13	Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
		14
		15	CVE: CVE-2024-57255
		16	Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/233945eba63e24061dffeeaeb7cd6fe985278356]
		17	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		18	---
		19	fs/squashfs/sqfs.c \| 10 ++++++----
		20	1 file changed, 6 insertions(+), 4 deletions(-)
		21
		22	diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
		23	index 1430e671..16a07c06 100644
		24	--- a/fs/squashfs/sqfs.c
		25	+++ b/fs/squashfs/sqfs.c
		26	@@ -422,8 +422,10 @@ static char sqfs_resolve_symlink(struct squashfs_symlink_inode sym,
		27	char resolved, target;
		28	u32 sz;
		29
		30	- sz = get_unaligned_le32(&sym->symlink_size);
		31	- target = malloc(sz + 1);
		32	+ if (__builtin_add_overflow(get_unaligned_le32(&sym->symlink_size), 1, &sz))
		33	+ return NULL;
		34	+
		35	+ target = malloc(sz);
		36	if (!target)
		37	return NULL;
		38
		39	@@ -431,9 +433,9 @@ static char sqfs_resolve_symlink(struct squashfs_symlink_inode sym,
		40	* There is no trailling null byte in the symlink's target path, so a
		41	* copy is made and a '\0' is added at its end.
		42	*/
		43	- target[sz] = '\0';
		44	+ target[sz - 1] = '\0';
		45	/* Get target name (relative path) */
		46	- strncpy(target, sym->symlink, sz);
		47	+ strncpy(target, sym->symlink, sz - 1);
		48
		49	/* Relative -> absolute path conversion */
		50	resolved = sqfs_get_abs_path(base_path, target);
		51	--
		52	2.34.1
		53


diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index d9c6fcb993..cfe36256f3 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -12,6 +12,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
12	file://CVE-2022-2347_1.patch \	12	file://CVE-2022-2347_1.patch \
13	file://CVE-2022-2347_2.patch \	13	file://CVE-2022-2347_2.patch \
14	file://CVE-2024-57254.patch \	14	file://CVE-2024-57254.patch \
		15	file://CVE-2024-57255.patch \
15	"	16	"
16		17
17	DEPENDS += "bc-native dtc-native python3-setuptools-native"	18	DEPENDS += "bc-native dtc-native python3-setuptools-native"