summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorHongxu Jia <hongxu.jia@windriver.com>2025-02-19 16:18:19 +0800
committerSteve Sakoman <steve@sakoman.com>2025-02-28 06:51:35 -0800
commitecd87254c8658201fc912792c9490797df1c5b7c (patch)
treed455a006b0300b03d1c7c98dde059984569b41ab /meta
parent644ddcb99343f0d7701a18c092ea2b2a05f2891b (diff)
downloadpoky-ecd87254c8658201fc912792c9490797df1c5b7c.tar.gz
u-boot: fix CVE-2024-57259
sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error and resultant heap memory corruption for squashfs directory listing because the path separator is not considered in a size calculation. https://nvd.nist.gov/vuln/detail/CVE-2024-57259 (From OE-Core rev: e4b713ff07695487cc9307ffc3576a11775cde4d) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch41
-rw-r--r--meta/recipes-bsp/u-boot/u-boot_2022.01.bb1
2 files changed, 42 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch
new file mode 100644
index 0000000000..fdf5fdfce4
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch
@@ -0,0 +1,41 @@
1From 2c08fe306c6cbc60ec4beb434c71e56bb7abb678 Mon Sep 17 00:00:00 2001
2From: Richard Weinberger <richard@nod.at>
3Date: Fri, 2 Aug 2024 22:05:09 +0200
4Subject: [PATCH 8/8] squashfs: Fix heap corruption in sqfs_search_dir()
5
6res needs to be large enough to store both strings rem and target,
7plus the path separator and the terminator.
8Currently the space for the path separator is not accounted, so
9the heap is corrupted by one byte.
10
11Signed-off-by: Richard Weinberger <richard@nod.at>
12Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
13
14CVE: CVE-2024-57259
15Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/048d795bb5b3d9c5701b4855f5e74bcf6849bf5e]
16Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
17---
18 fs/squashfs/sqfs.c | 7 +++++--
19 1 file changed, 5 insertions(+), 2 deletions(-)
20
21diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
22index a5b7890e..1bd9b2a4 100644
23--- a/fs/squashfs/sqfs.c
24+++ b/fs/squashfs/sqfs.c
25@@ -563,8 +563,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
26 ret = -ENOMEM;
27 goto out;
28 }
29- /* Concatenate remaining tokens and symlink's target */
30- res = malloc(strlen(rem) + strlen(target) + 1);
31+ /*
32+ * Concatenate remaining tokens and symlink's target.
33+ * Allocate enough space for rem, target, '/' and '\0'.
34+ */
35+ res = malloc(strlen(rem) + strlen(target) + 2);
36 if (!res) {
37 ret = -ENOMEM;
38 goto out;
39--
402.34.1
41
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
index cdee9fc721..0ff2477c39 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -18,6 +18,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
18 file://CVE-2024-57258-1.patch \ 18 file://CVE-2024-57258-1.patch \
19 file://CVE-2024-57258-2.patch \ 19 file://CVE-2024-57258-2.patch \
20 file://CVE-2024-57258-3.patch \ 20 file://CVE-2024-57258-3.patch \
21 file://CVE-2024-57259.patch \
21 " 22 "
22 23
23DEPENDS += "bc-native dtc-native python3-setuptools-native" 24DEPENDS += "bc-native dtc-native python3-setuptools-native"