diff options
| author | Hongxu Jia <hongxu.jia@windriver.com> | 2025-02-19 16:18:18 +0800 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-02-28 06:51:35 -0800 |
| commit | 644ddcb99343f0d7701a18c092ea2b2a05f2891b (patch) | |
| tree | 00e3ecf051c7fc8ae14e096de349ae491c12a364 /meta | |
| parent | 86f0ab4d07f2948abda527d7361b3819676ea41f (diff) | |
| download | poky-644ddcb99343f0d7701a18c092ea2b2a05f2891b.tar.gz | |
u-boot: fix CVE-2024-57258
Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1
occur for a crafted squashfs filesystem via sbrk, via request2size,
or because ptrdiff_t is mishandled on x86_64.
https://nvd.nist.gov/vuln/detail/CVE-2024-57258
(From OE-Core rev: b4bf3ba66052db7a311ac696563a8a0f9c585600)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch | 47 | ||||
| -rw-r--r-- | meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch | 43 | ||||
| -rw-r--r-- | meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch | 40 | ||||
| -rw-r--r-- | meta/recipes-bsp/u-boot/u-boot_2022.01.bb | 3 |
4 files changed, 133 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch new file mode 100644 index 0000000000..d33a4260ba --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch | |||
| @@ -0,0 +1,47 @@ | |||
| 1 | From 50ab41c3628dedeca1a331dd86dd203b73faea74 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Richard Weinberger <richard@nod.at> | ||
| 3 | Date: Fri, 2 Aug 2024 12:08:45 +0200 | ||
| 4 | Subject: [PATCH 5/8] dlmalloc: Fix integer overflow in sbrk() | ||
| 5 | |||
| 6 | Make sure that the new break is within mem_malloc_start | ||
| 7 | and mem_malloc_end before making progress. | ||
| 8 | ulong new = old + increment; can overflow for extremely large | ||
| 9 | increment values and memset() can get wrongly called. | ||
| 10 | |||
| 11 | Signed-off-by: Richard Weinberger <richard@nod.at> | ||
| 12 | Reviewed-by: Simon Glass <sjg@chromium.org> | ||
| 13 | |||
| 14 | CVE: CVE-2024-57258 | ||
| 15 | Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/0a10b49206a29b4aa2f80233a3e53ca0466bb0b3] | ||
| 16 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
| 17 | --- | ||
| 18 | common/dlmalloc.c | 6 +++--- | ||
| 19 | 1 file changed, 3 insertions(+), 3 deletions(-) | ||
| 20 | |||
| 21 | diff --git a/common/dlmalloc.c b/common/dlmalloc.c | ||
| 22 | index de3f0422..bae2a27c 100644 | ||
| 23 | --- a/common/dlmalloc.c | ||
| 24 | +++ b/common/dlmalloc.c | ||
| 25 | @@ -591,6 +591,9 @@ void *sbrk(ptrdiff_t increment) | ||
| 26 | ulong old = mem_malloc_brk; | ||
| 27 | ulong new = old + increment; | ||
| 28 | |||
| 29 | + if ((new < mem_malloc_start) || (new > mem_malloc_end)) | ||
| 30 | + return (void *)MORECORE_FAILURE; | ||
| 31 | + | ||
| 32 | /* | ||
| 33 | * if we are giving memory back make sure we clear it out since | ||
| 34 | * we set MORECORE_CLEARS to 1 | ||
| 35 | @@ -598,9 +601,6 @@ void *sbrk(ptrdiff_t increment) | ||
| 36 | if (increment < 0) | ||
| 37 | memset((void *)new, 0, -increment); | ||
| 38 | |||
| 39 | - if ((new < mem_malloc_start) || (new > mem_malloc_end)) | ||
| 40 | - return (void *)MORECORE_FAILURE; | ||
| 41 | - | ||
| 42 | mem_malloc_brk = new; | ||
| 43 | |||
| 44 | return (void *)old; | ||
| 45 | -- | ||
| 46 | 2.34.1 | ||
| 47 | |||
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch new file mode 100644 index 0000000000..688e2c64d8 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch | |||
| @@ -0,0 +1,43 @@ | |||
| 1 | From db7c626204f488a802a2e58b7a788b11fde6be7d Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Richard Weinberger <richard@nod.at> | ||
| 3 | Date: Fri, 2 Aug 2024 12:08:44 +0200 | ||
| 4 | Subject: [PATCH 6/8] dlmalloc: Fix integer overflow in request2size() | ||
| 5 | |||
| 6 | req is of type size_t, casting it to long opens the door | ||
| 7 | for an integer overflow. | ||
| 8 | Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX | ||
| 9 | cause and overflow such that request2size() returns MINSIZE. | ||
| 10 | |||
| 11 | Fix by removing the cast. | ||
| 12 | The origin of the cast is unclear, it's in u-boot and ppcboot since ever | ||
| 13 | and predates the CVS history. | ||
| 14 | Doug Lea's original dlmalloc implementation also doesn't have it. | ||
| 15 | |||
| 16 | Signed-off-by: Richard Weinberger <richard@nod.at> | ||
| 17 | Reviewed-by: Simon Glass <sjg@chromium.org> | ||
| 18 | |||
| 19 | CVE: CVE-2024-57258 | ||
| 20 | Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/8642b2178d2c4002c99a0b69a845a48f2ae2706f] | ||
| 21 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
| 22 | --- | ||
| 23 | common/dlmalloc.c | 4 ++-- | ||
| 24 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
| 25 | |||
| 26 | diff --git a/common/dlmalloc.c b/common/dlmalloc.c | ||
| 27 | index bae2a27c..1ac4ee9f 100644 | ||
| 28 | --- a/common/dlmalloc.c | ||
| 29 | +++ b/common/dlmalloc.c | ||
| 30 | @@ -379,8 +379,8 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||
| 31 | /* pad request bytes into a usable size */ | ||
| 32 | |||
| 33 | #define request2size(req) \ | ||
| 34 | - (((long)((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \ | ||
| 35 | - (long)(MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \ | ||
| 36 | + ((((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \ | ||
| 37 | + (MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \ | ||
| 38 | (((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) & ~(MALLOC_ALIGN_MASK))) | ||
| 39 | |||
| 40 | /* Check if m has acceptable alignment */ | ||
| 41 | -- | ||
| 42 | 2.34.1 | ||
| 43 | |||
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch new file mode 100644 index 0000000000..2c8a7c9d91 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch | |||
| @@ -0,0 +1,40 @@ | |||
| 1 | From 37095a204127b60b5e00c4c5d435d6e48a6a1c51 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Richard Weinberger <richard@nod.at> | ||
| 3 | Date: Fri, 2 Aug 2024 12:08:43 +0200 | ||
| 4 | Subject: [PATCH 7/8] x86: Fix ptrdiff_t for x86_64 | ||
| 5 | |||
| 6 | sbrk() assumes ptrdiff_t is large enough to enlarge/shrink the heap | ||
| 7 | by LONG_MIN/LONG_MAX. | ||
| 8 | So, use the long type, also to match the rest of the Linux ecosystem. | ||
| 9 | |||
| 10 | Signed-off-by: Richard Weinberger <richard@nod.at> | ||
| 11 | Reviewed-by: Simon Glass <sjg@chromium.org> | ||
| 12 | |||
| 13 | CVE: CVE-2024-57258 | ||
| 14 | Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/c17b2a05dd50a3ba437e6373093a0d6a359cdee0] | ||
| 15 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
| 16 | --- | ||
| 17 | arch/x86/include/asm/posix_types.h | 3 ++- | ||
| 18 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
| 19 | |||
| 20 | diff --git a/arch/x86/include/asm/posix_types.h b/arch/x86/include/asm/posix_types.h | ||
| 21 | index dbcea7f4..e1ed9bca 100644 | ||
| 22 | --- a/arch/x86/include/asm/posix_types.h | ||
| 23 | +++ b/arch/x86/include/asm/posix_types.h | ||
| 24 | @@ -20,11 +20,12 @@ typedef unsigned short __kernel_gid_t; | ||
| 25 | #if defined(__x86_64__) | ||
| 26 | typedef unsigned long __kernel_size_t; | ||
| 27 | typedef long __kernel_ssize_t; | ||
| 28 | +typedef long __kernel_ptrdiff_t; | ||
| 29 | #else | ||
| 30 | typedef unsigned int __kernel_size_t; | ||
| 31 | typedef int __kernel_ssize_t; | ||
| 32 | -#endif | ||
| 33 | typedef int __kernel_ptrdiff_t; | ||
| 34 | +#endif | ||
| 35 | typedef long __kernel_time_t; | ||
| 36 | typedef long __kernel_suseconds_t; | ||
| 37 | typedef long __kernel_clock_t; | ||
| 38 | -- | ||
| 39 | 2.34.1 | ||
| 40 | |||
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index c68e3e442f..cdee9fc721 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb | |||
| @@ -15,6 +15,9 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \ | |||
| 15 | file://CVE-2024-57255.patch \ | 15 | file://CVE-2024-57255.patch \ |
| 16 | file://CVE-2024-57256.patch \ | 16 | file://CVE-2024-57256.patch \ |
| 17 | file://CVE-2024-57257.patch \ | 17 | file://CVE-2024-57257.patch \ |
| 18 | file://CVE-2024-57258-1.patch \ | ||
| 19 | file://CVE-2024-57258-2.patch \ | ||
| 20 | file://CVE-2024-57258-3.patch \ | ||
| 18 | " | 21 | " |
| 19 | 22 | ||
| 20 | DEPENDS += "bc-native dtc-native python3-setuptools-native" | 23 | DEPENDS += "bc-native dtc-native python3-setuptools-native" |
