2 files changed, 81 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch b/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch
new file mode 100644
index 0000000000..b1650f6baa
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch
@@ -0,0 +1,80 @@
+From 65f1066f5abe291c7b10b6075fd60776074a38a9 Mon Sep 17 00:00:00 2001
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+Date: Thu, 9 Jun 2022 16:02:06 +0200
+Subject: [PATCH] fs/squashfs: sqfs_read: Prevent arbitrary code execution
+Following Jincheng's report, an out-of-band write leading to arbitrary
+code execution is possible because on one side the squashfs logic
+accepts directory names up to 65535 bytes (u16), while U-Boot fs logic
+accepts directory names up to 255 bytes long.
+Prevent such an exploit from happening by capping directory name sizes
+to 255. Use a define for this purpose so that developers can link the
+limitation to its source and eventually kill it some day by dynamically
+allocating this array (if ever desired).
+Link: https://lore.kernel.org/all/CALO=DHFB+yBoXxVr5KcsK0iFdg+e7ywko4-e+72kjbcS8JBfPw@mail.gmail.com
+Reported-by: Jincheng Wang <jc.w4ng@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Tested-by: Jincheng Wang <jc.w4ng@gmail.com>
+CVE: CVE-2022-33103
+Upstream-Status: Backport [2ac0baab4aff1a0b45067d0b62f00c15f4e86856]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ fs/squashfs/sqfs.c | 8 +++++---
+ include/fs.h       | 4 +++-
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
+index e2d91c654c..a145d754cc 100644
+--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
+@@ -973,6 +973,7 @@ int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp)
+        int i_number, offset = 0, ret;
+        struct fs_dirent *dent;
+        unsigned char *ipos;
+       u16 name_size;
+ 
+        dirs = (struct squashfs_dir_stream *)fs_dirs;
+        if (!dirs->size) {
+@@ -1055,9 +1056,10 @@ int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp)
+                return -SQFS_STOP_READDIR;
+        }
+ 
+-       /* Set entry name */
+-       strncpy(dent->name, dirs->entry->name, dirs->entry->name_size + 1);
+-       dent->name[dirs->entry->name_size + 1] = '\0';
+       /* Set entry name (capped at FS_DIRENT_NAME_LEN which is a U-Boot limitation) */
+       name_size = min_t(u16, dirs->entry->name_size + 1, FS_DIRENT_NAME_LEN - 1);
+       strncpy(dent->name, dirs->entry->name, name_size);
+       dent->name[name_size] = '\0';
+ 
+        offset = dirs->entry->name_size + 1 + SQFS_ENTRY_BASE_LENGTH;
+        dirs->entry_count--;
+diff --git a/include/fs.h b/include/fs.h
+index 1c79e299fd..6cb7ec89f4 100644
+--- a/include/fs.h
+++ b/include/fs.h
+@@ -161,6 +161,8 @@ int fs_write(const char *filename, ulong addr, loff_t offset, loff_t len,
+ #define FS_DT_REG  8         /* regular file */
+ #define FS_DT_LNK  10        /* symbolic link */
+ 
+#define FS_DIRENT_NAME_LEN 256
+
+ /**
+  * struct fs_dirent - directory entry
+  *
+@@ -181,7 +183,7 @@ struct fs_dirent {
+        /** change_time:        time of last modification */
+        struct rtc_time change_time;
+        /** name:               file name */
+-       char name[256];
+       char name[FS_DIRENT_NAME_LEN];
+ };
+ 
+ /* Note: fs_dir_stream should be treated as opaque to the user of fs layer */
+-- 
+2.33.0
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
index f2443723e2..a6a15d698f 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -4,6 +4,7 @@ require u-boot.inc
 SRC_URI:append = " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
                   file://0001-riscv-fix-build-with-binutils-2.38.patch \
                   file://0001-i2c-fix-stack-buffer-overflow-vulnerability-in-i2c-m.patch \
+                   file://0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch \
                 "
 DEPENDS += "bc-native dtc-native python3-setuptools-native"

diff --git a/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch b/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch new file mode 100644 index 0000000000..b1650f6baa --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch
@@ -0,0 +1,80 @@
		1	From 65f1066f5abe291c7b10b6075fd60776074a38a9 Mon Sep 17 00:00:00 2001
		2	From: Miquel Raynal <miquel.raynal@bootlin.com>
		3	Date: Thu, 9 Jun 2022 16:02:06 +0200
		4	Subject: [PATCH] fs/squashfs: sqfs_read: Prevent arbitrary code execution
		5
		6	Following Jincheng's report, an out-of-band write leading to arbitrary
		7	code execution is possible because on one side the squashfs logic
		8	accepts directory names up to 65535 bytes (u16), while U-Boot fs logic
		9	accepts directory names up to 255 bytes long.
		10
		11	Prevent such an exploit from happening by capping directory name sizes
		12	to 255. Use a define for this purpose so that developers can link the
		13	limitation to its source and eventually kill it some day by dynamically
		14	allocating this array (if ever desired).
		15
		16	Link: https://lore.kernel.org/all/CALO=DHFB+yBoXxVr5KcsK0iFdg+e7ywko4-e+72kjbcS8JBfPw@mail.gmail.com
		17	Reported-by: Jincheng Wang <jc.w4ng@gmail.com>
		18	Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
		19	Tested-by: Jincheng Wang <jc.w4ng@gmail.com>
		20
		21	CVE: CVE-2022-33103
		22	Upstream-Status: Backport [2ac0baab4aff1a0b45067d0b62f00c15f4e86856]
		23
		24	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		25	---
		26	fs/squashfs/sqfs.c \| 8 +++++---
		27	include/fs.h \| 4 +++-
		28	2 files changed, 8 insertions(+), 4 deletions(-)
		29
		30	diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
		31	index e2d91c654c..a145d754cc 100644
		32	--- a/fs/squashfs/sqfs.c
		33	+++ b/fs/squashfs/sqfs.c
		34	@@ -973,6 +973,7 @@ int sqfs_readdir(struct fs_dir_stream fs_dirs, struct fs_dirent *dentp)
		35	int i_number, offset = 0, ret;
		36	struct fs_dirent *dent;
		37	unsigned char *ipos;
		38	+ u16 name_size;
		39
		40	dirs = (struct squashfs_dir_stream *)fs_dirs;
		41	if (!dirs->size) {
		42	@@ -1055,9 +1056,10 @@ int sqfs_readdir(struct fs_dir_stream fs_dirs, struct fs_dirent *dentp)
		43	return -SQFS_STOP_READDIR;
		44	}
		45
		46	- /* Set entry name */
		47	- strncpy(dent->name, dirs->entry->name, dirs->entry->name_size + 1);
		48	- dent->name[dirs->entry->name_size + 1] = '\0';
		49	+ /* Set entry name (capped at FS_DIRENT_NAME_LEN which is a U-Boot limitation) */
		50	+ name_size = min_t(u16, dirs->entry->name_size + 1, FS_DIRENT_NAME_LEN - 1);
		51	+ strncpy(dent->name, dirs->entry->name, name_size);
		52	+ dent->name[name_size] = '\0';
		53
		54	offset = dirs->entry->name_size + 1 + SQFS_ENTRY_BASE_LENGTH;
		55	dirs->entry_count--;
		56	diff --git a/include/fs.h b/include/fs.h
		57	index 1c79e299fd..6cb7ec89f4 100644
		58	--- a/include/fs.h
		59	+++ b/include/fs.h
		60	@@ -161,6 +161,8 @@ int fs_write(const char *filename, ulong addr, loff_t offset, loff_t len,
		61	#define FS_DT_REG 8 /* regular file */
		62	#define FS_DT_LNK 10 /* symbolic link */
		63
		64	+#define FS_DIRENT_NAME_LEN 256
		65	+
		66	/**
		67	* struct fs_dirent - directory entry
		68	*
		69	@@ -181,7 +183,7 @@ struct fs_dirent {
		70	/** change_time: time of last modification */
		71	struct rtc_time change_time;
		72	/** name: file name */
		73	- char name[256];
		74	+ char name[FS_DIRENT_NAME_LEN];
		75	};
		76
		77	/* Note: fs_dir_stream should be treated as opaque to the user of fs layer */
		78	--
		79	2.33.0
		80


diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb index f2443723e2..a6a15d698f 100644 --- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb +++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -4,6 +4,7 @@ require u-boot.inc
4	SRC_URI:append = " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \	4	SRC_URI:append = " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
5	file://0001-riscv-fix-build-with-binutils-2.38.patch \	5	file://0001-riscv-fix-build-with-binutils-2.38.patch \
6	file://0001-i2c-fix-stack-buffer-overflow-vulnerability-in-i2c-m.patch \	6	file://0001-i2c-fix-stack-buffer-overflow-vulnerability-in-i2c-m.patch \
		7	file://0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch \
7	"	8	"
8		9
9	DEPENDS += "bc-native dtc-native python3-setuptools-native"	10	DEPENDS += "bc-native dtc-native python3-setuptools-native"