2 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-Use-kcalloc-when-relevant.patch b/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-Use-kcalloc-when-relevant.patch
new file mode 100644
index 0000000000..70fdbb1031
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-Use-kcalloc-when-relevant.patch
@@ -0,0 +1,64 @@
+From 50d4b8b9effcf9dc9e5a90034de2f0003fb063f0 Mon Sep 17 00:00:00 2001
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+Date: Mon, 27 Jun 2022 12:20:03 +0200
+Subject: [PATCH] fs/squashfs: Use kcalloc when relevant
+A crafted squashfs image could embed a huge number of empty metadata
+blocks in order to make the amount of malloc()'d memory overflow and be
+much smaller than expected. Because of this flaw, any random code
+positioned at the right location in the squashfs image could be memcpy'd
+from the squashfs structures into U-Boot code location while trying to
+access the rearmost blocks, before being executed.
+In order to prevent this vulnerability from being exploited in eg. a
+secure boot environment, let's add a check over the amount of data
+that is going to be allocated. Such a check could look like:
+if (!elem_size || n > SIZE_MAX / elem_size)
+        return NULL;
+The right way to do it would be to enhance the calloc() implementation
+but this is quite an impacting change for such a small fix. Another
+solution would be to add the check before the malloc call in the
+squashfs implementation, but this does not look right. So for now, let's
+use the kcalloc() compatibility function from Linux, which has this
+check.
+Fixes: c5100613037 ("fs/squashfs: new filesystem")
+Reported-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu@sony.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Tested-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu@sony.com>
+Upstream-Status: Backport [7f7fb9937c6cb49dd35153bd6708872b390b0a44]
+CVE: CVE-2022-33967
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ fs/squashfs/sqfs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
+index e2d91c654c..10e63afbce 100644
+--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
+@@ -13,6 +13,7 @@
+ #include <linux/types.h>
+ #include <linux/byteorder/little_endian.h>
+ #include <linux/byteorder/generic.h>
+#include <linux/compat.h>
+ #include <memalign.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -725,7 +726,8 @@ static int sqfs_read_inode_table(unsigned char **inode_table)
+                goto free_itb;
+        }
+ 
+-       *inode_table = malloc(metablks_count * SQFS_METADATA_BLOCK_SIZE);
+       *inode_table = kcalloc(metablks_count, SQFS_METADATA_BLOCK_SIZE,
+                              GFP_KERNEL);
+        if (!*inode_table) {
+                ret = -ENOMEM;
+                goto free_itb;
+-- 
+2.33.0
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
index 04f60adaa5..54033698be 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -6,6 +6,7 @@ SRC_URI:append = " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
                   file://0001-i2c-fix-stack-buffer-overflow-vulnerability-in-i2c-m.patch \
                   file://0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch \
                   file://0001-net-Check-for-the-minimum-IP-fragmented-datagram-siz.patch \
+                   file://0001-fs-squashfs-Use-kcalloc-when-relevant.patch \
                 "
 DEPENDS += "bc-native dtc-native python3-setuptools-native"

diff --git a/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-Use-kcalloc-when-relevant.patch b/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-Use-kcalloc-when-relevant.patch new file mode 100644 index 0000000000..70fdbb1031 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-Use-kcalloc-when-relevant.patch
@@ -0,0 +1,64 @@
		1	From 50d4b8b9effcf9dc9e5a90034de2f0003fb063f0 Mon Sep 17 00:00:00 2001
		2	From: Miquel Raynal <miquel.raynal@bootlin.com>
		3	Date: Mon, 27 Jun 2022 12:20:03 +0200
		4	Subject: [PATCH] fs/squashfs: Use kcalloc when relevant
		5
		6	A crafted squashfs image could embed a huge number of empty metadata
		7	blocks in order to make the amount of malloc()'d memory overflow and be
		8	much smaller than expected. Because of this flaw, any random code
		9	positioned at the right location in the squashfs image could be memcpy'd
		10	from the squashfs structures into U-Boot code location while trying to
		11	access the rearmost blocks, before being executed.
		12
		13	In order to prevent this vulnerability from being exploited in eg. a
		14	secure boot environment, let's add a check over the amount of data
		15	that is going to be allocated. Such a check could look like:
		16
		17	if (!elem_size \|\| n > SIZE_MAX / elem_size)
		18	return NULL;
		19
		20	The right way to do it would be to enhance the calloc() implementation
		21	but this is quite an impacting change for such a small fix. Another
		22	solution would be to add the check before the malloc call in the
		23	squashfs implementation, but this does not look right. So for now, let's
		24	use the kcalloc() compatibility function from Linux, which has this
		25	check.
		26
		27	Fixes: c5100613037 ("fs/squashfs: new filesystem")
		28	Reported-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu@sony.com>
		29	Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
		30	Tested-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu@sony.com>
		31
		32	Upstream-Status: Backport [7f7fb9937c6cb49dd35153bd6708872b390b0a44]
		33	CVE: CVE-2022-33967
		34
		35	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		36	---
		37	fs/squashfs/sqfs.c \| 4 +++-
		38	1 file changed, 3 insertions(+), 1 deletion(-)
		39
		40	diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
		41	index e2d91c654c..10e63afbce 100644
		42	--- a/fs/squashfs/sqfs.c
		43	+++ b/fs/squashfs/sqfs.c
		44	@@ -13,6 +13,7 @@
		45	#include <linux/types.h>
		46	#include <linux/byteorder/little_endian.h>
		47	#include <linux/byteorder/generic.h>
		48	+#include <linux/compat.h>
		49	#include <memalign.h>
		50	#include <stdlib.h>
		51	#include <string.h>
		52	@@ -725,7 +726,8 @@ static int sqfs_read_inode_table(unsigned char **inode_table)
		53	goto free_itb;
		54	}
		55
		56	- inode_table = malloc(metablks_count SQFS_METADATA_BLOCK_SIZE);
		57	+ *inode_table = kcalloc(metablks_count, SQFS_METADATA_BLOCK_SIZE,
		58	+ GFP_KERNEL);
		59	if (!*inode_table) {
		60	ret = -ENOMEM;
		61	goto free_itb;
		62	--
		63	2.33.0
		64


diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index 04f60adaa5..54033698be 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -6,6 +6,7 @@ SRC_URI:append = " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
6	file://0001-i2c-fix-stack-buffer-overflow-vulnerability-in-i2c-m.patch \	6	file://0001-i2c-fix-stack-buffer-overflow-vulnerability-in-i2c-m.patch \
7	file://0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch \	7	file://0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch \
8	file://0001-net-Check-for-the-minimum-IP-fragmented-datagram-siz.patch \	8	file://0001-net-Check-for-the-minimum-IP-fragmented-datagram-siz.patch \
		9	file://0001-fs-squashfs-Use-kcalloc-when-relevant.patch \
9	"	10	"
10		11
11	DEPENDS += "bc-native dtc-native python3-setuptools-native"	12	DEPENDS += "bc-native dtc-native python3-setuptools-native"