summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorHongxu Jia <hongxu.jia@windriver.com>2025-02-19 16:18:14 +0800
committerSteve Sakoman <steve@sakoman.com>2025-02-28 06:51:35 -0800
commitfcaac44489a860cfaa852ab0d8f2f831a7349ce5 (patch)
tree388da5fb94b5092eb7d0d0c3640428021ab7f0f8 /meta
parent83e5ad004a73bf735f8e8ee56ccd4788ae35c3db (diff)
downloadpoky-fcaac44489a860cfaa852ab0d8f2f831a7349ce5.tar.gz
u-boot: fix CVE-2024-57254
An integer overflow in sqfs_inode_size in Das U-Boot before 2025.01-rc1 occurs in the symlink size calculation via a crafted squashfs filesystem. https://nvd.nist.gov/vuln/detail/CVE-2024-57254 (From OE-Core rev: 956836ab347e9112be0f8892b1b82c4bcb17990c) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch47
-rw-r--r--meta/recipes-bsp/u-boot/u-boot_2022.01.bb1
2 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch
new file mode 100644
index 0000000000..be00121224
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch
@@ -0,0 +1,47 @@
1From 3f9deb424ecd6ecd50f165b42f0b0290d83853f5 Mon Sep 17 00:00:00 2001
2From: Richard Weinberger <richard@nod.at>
3Date: Fri, 2 Aug 2024 18:36:45 +0200
4Subject: [PATCH 1/8] squashfs: Fix integer overflow in sqfs_inode_size()
5
6A carefully crafted squashfs filesystem can exhibit an extremly large
7inode size and overflow the calculation in sqfs_inode_size().
8As a consequence, the squashfs driver will read from wrong locations.
9
10Fix by using __builtin_add_overflow() to detect the overflow.
11
12Signed-off-by: Richard Weinberger <richard@nod.at>
13Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
14
15CVE: CVE-2024-57254
16Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/c8e929e5758999933f9e905049ef2bf3fe6b140d]
17Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
18---
19 fs/squashfs/sqfs_inode.c | 9 +++++++--
20 1 file changed, 7 insertions(+), 2 deletions(-)
21
22diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c
23index d25cfb53..bb3ccd37 100644
24--- a/fs/squashfs/sqfs_inode.c
25+++ b/fs/squashfs/sqfs_inode.c
26@@ -78,11 +78,16 @@ int sqfs_inode_size(struct squashfs_base_inode *inode, u32 blk_size)
27
28 case SQFS_SYMLINK_TYPE:
29 case SQFS_LSYMLINK_TYPE: {
30+ int size;
31+
32 struct squashfs_symlink_inode *symlink =
33 (struct squashfs_symlink_inode *)inode;
34
35- return sizeof(*symlink) +
36- get_unaligned_le32(&symlink->symlink_size);
37+ if (__builtin_add_overflow(sizeof(*symlink),
38+ get_unaligned_le32(&symlink->symlink_size), &size))
39+ return -EINVAL;
40+
41+ return size;
42 }
43
44 case SQFS_BLKDEV_TYPE:
45--
462.34.1
47
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
index 62ebe40cb6..d9c6fcb993 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -11,6 +11,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
11 file://CVE-2022-30790.patch \ 11 file://CVE-2022-30790.patch \
12 file://CVE-2022-2347_1.patch \ 12 file://CVE-2022-2347_1.patch \
13 file://CVE-2022-2347_2.patch \ 13 file://CVE-2022-2347_2.patch \
14 file://CVE-2024-57254.patch \
14 " 15 "
15 16
16DEPENDS += "bc-native dtc-native python3-setuptools-native" 17DEPENDS += "bc-native dtc-native python3-setuptools-native"