diff options
| author | Hongxu Jia <hongxu.jia@windriver.com> | 2025-02-19 16:18:19 +0800 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-02-28 06:51:35 -0800 |
| commit | ecd87254c8658201fc912792c9490797df1c5b7c (patch) | |
| tree | d455a006b0300b03d1c7c98dde059984569b41ab | |
| parent | 644ddcb99343f0d7701a18c092ea2b2a05f2891b (diff) | |
| download | poky-ecd87254c8658201fc912792c9490797df1c5b7c.tar.gz | |
u-boot: fix CVE-2024-57259
sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error
and resultant heap memory corruption for squashfs directory listing because the
path separator is not considered in a size calculation.
https://nvd.nist.gov/vuln/detail/CVE-2024-57259
(From OE-Core rev: e4b713ff07695487cc9307ffc3576a11775cde4d)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch | 41 | ||||
| -rw-r--r-- | meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 1 |
2 files changed, 42 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch new file mode 100644 index 0000000000..fdf5fdfce4 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch | |||
| @@ -0,0 +1,41 @@ | |||
| 1 | From 2c08fe306c6cbc60ec4beb434c71e56bb7abb678 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Richard Weinberger <richard@nod.at> | ||
| 3 | Date: Fri, 2 Aug 2024 22:05:09 +0200 | ||
| 4 | Subject: [PATCH 8/8] squashfs: Fix heap corruption in sqfs_search_dir() | ||
| 5 | |||
| 6 | res needs to be large enough to store both strings rem and target, | ||
| 7 | plus the path separator and the terminator. | ||
| 8 | Currently the space for the path separator is not accounted, so | ||
| 9 | the heap is corrupted by one byte. | ||
| 10 | |||
| 11 | Signed-off-by: Richard Weinberger <richard@nod.at> | ||
| 12 | Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com> | ||
| 13 | |||
| 14 | CVE: CVE-2024-57259 | ||
| 15 | Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/048d795bb5b3d9c5701b4855f5e74bcf6849bf5e] | ||
| 16 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
| 17 | --- | ||
| 18 | fs/squashfs/sqfs.c | 7 +++++-- | ||
| 19 | 1 file changed, 5 insertions(+), 2 deletions(-) | ||
| 20 | |||
| 21 | diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c | ||
| 22 | index a5b7890e..1bd9b2a4 100644 | ||
| 23 | --- a/fs/squashfs/sqfs.c | ||
| 24 | +++ b/fs/squashfs/sqfs.c | ||
| 25 | @@ -563,8 +563,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, | ||
| 26 | ret = -ENOMEM; | ||
| 27 | goto out; | ||
| 28 | } | ||
| 29 | - /* Concatenate remaining tokens and symlink's target */ | ||
| 30 | - res = malloc(strlen(rem) + strlen(target) + 1); | ||
| 31 | + /* | ||
| 32 | + * Concatenate remaining tokens and symlink's target. | ||
| 33 | + * Allocate enough space for rem, target, '/' and '\0'. | ||
| 34 | + */ | ||
| 35 | + res = malloc(strlen(rem) + strlen(target) + 2); | ||
| 36 | if (!res) { | ||
| 37 | ret = -ENOMEM; | ||
| 38 | goto out; | ||
| 39 | -- | ||
| 40 | 2.34.1 | ||
| 41 | |||
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index cdee9fc721..0ff2477c39 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb | |||
| @@ -18,6 +18,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ | |||
| 18 | file://CVE-2024-57258-1.patch \ | 18 | file://CVE-2024-57258-1.patch \ |
| 19 | file://CVE-2024-57258-2.patch \ | 19 | file://CVE-2024-57258-2.patch \ |
| 20 | file://CVE-2024-57258-3.patch \ | 20 | file://CVE-2024-57258-3.patch \ |
| 21 | file://CVE-2024-57259.patch \ | ||
| 21 | " | 22 | " |
| 22 | 23 | ||
| 23 | DEPENDS += "bc-native dtc-native python3-setuptools-native" | 24 | DEPENDS += "bc-native dtc-native python3-setuptools-native" |
