From: Richard Weinberger <richard@sigma-star.at>
To: barebox@lists.infradead.org
Subject: Various Squashfs Issues
Date: Tue, 16 Jul 2024 17:49:39 +0200
Message-ID: <2572594.vzjCzTo3RI@somecomputer>

Hi!

While inspecting the squashfs implementation of Barebox I noticed
some issues and was able to trigger heap corruptions using crafted filesystems.

e.g.
==30712==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f07bdaff800 at pc 0x0000004af3e2 bp 0x7ffdf8374a40 sp 0x7ffdf8374a38
WRITE of size 1 at 0x7f07bdaff800 thread T0
    #0 0x4af3e1 in __default_memcpy lib/string.c:638
    #1 0x534791 in squashfs_copy_data fs/squashfs/cache.c:257
    #2 0x534948 in squashfs_read_metadata fs/squashfs/cache.c:299
    #3 0x539d46 in squashfs_get_link fs/squashfs/symlink.c:62
    #4 0x509153 in get_link fs/fs.c:1919
    #5 0x512395 in trailing_symlink fs/fs.c:2230
    #6 0x512395 in openat fs/fs.c:2600
    #7 0x49926b in barebox_open include/fcntl.h:45
    #8 0x49926b in do_cat commands/cat.c:40
    #9 0x415e99 in execute_command common/command.c:62
    #10 0x40f25e in execute_binfmt common/binfmt.c:67
    #11 0x42cef4 in run_pipe_real common/hush.c:845
    #12 0x42cef4 in run_list_real common/hush.c:969
    #13 0x42b14e in run_list common/hush.c:1107
    #14 0x42b14e in parse_stream_outer common/hush.c:1734
    #15 0x42db7e in run_shell common/hush.c:1957
    #16 0x40a718 in run_init common/startup.c:322
    #17 0x40a7f2 in start_barebox common/startup.c:368
    #18 0x5490f3 in main (/home/rw/barebox/barebox+0x5490f3)
    #19 0x7f07c083e24c in __libc_start_main (/lib64/libc.so.6+0x3524c)
    #20 0x406f69 in _start ../sysdeps/x86_64/start.S:120

0x7f07bdaff800 is located 0 bytes to the right of 16777216-byte region [0x7f07bcaff800,0x7f07bdaff800)
allocated by thread T0 here:
    #0 0x7f07c0adc110 in malloc (/usr/lib64/libasan.so.4+0xdc110)
    #1 0x548e44 in main (/home/rw/barebox/barebox+0x548e44)
    #2 0x7f07c083e24c in __libc_start_main (/lib64/libc.so.6+0x3524c)


While implementing fixes for them I realized that these are all known
and fixed in Linux.

I suggest backporting at least these Linux fixes for squashfs:

01cfb7937a9af ("squashfs: be more careful about metadata corruption")
d512584780d3e ("squashfs: more metadata hardening")
cdbb65c4c7ead ("squashfs metadata 2: electric boogaloo")
71755ee5350b6 ("squashfs: more metadata hardening")
a3f94cb99a854 ("Squashfs: Compute expected length from inode size rather than block length")

Thanks,
//richard

-- 
sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT
UID/VAT Nr: ATU 66964118 | FN: 374287y
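Added example, not barebox or Linux code: a minimal C model of the metadata-block read that the trace above exercises. A squashfs metadata block starts with a 16-bit little-endian header whose low 15 bits give the block length and whose top bit, when set, marks the block as uncompressed; the hardened reader below checks that length against the fixed metadata block size, the image size, the symlink length claimed by the inode and the destination buffer, next to a helper that returns the length an unchecked reader would hand straight to memcpy. The image bytes are constructed for this example, only uncompressed blocks are handled (an assumption to keep the block self-contained), and all function names are the example's own; SQUASHFS_METADATA_SIZE and the header bit layout follow the squashfs format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* On-disk constants from the squashfs format. */
#define SQUASHFS_METADATA_SIZE   8192
#define SQUASHFS_COMPRESSED_BIT  (1u << 15)   /* set => block is NOT compressed */
#define SQUASHFS_LEN_MASK        0x7fffu

/* Read the 16-bit little-endian metadata block header at 'off'. */
static int read_le16(const uint8_t *img, size_t img_len, size_t off, uint16_t *out)
{
    if (off > img_len || img_len - off < 2)
        return -1;
    *out = (uint16_t)(img[off] | (img[off + 1] << 8));
    return 0;
}

/*
 * What an unhardened reader trusts: the length field straight from the
 * image, with no bound against the block size, the image or the
 * destination. Returned instead of copied so the test can see what
 * memcpy would be handed for a crafted header.
 */
int untrusted_block_length(const uint8_t *img, size_t img_len, size_t off)
{
    uint16_t hdr;

    if (read_le16(img, img_len, off, &hdr) < 0)
        return -1;
    return hdr & SQUASHFS_LEN_MASK;
}

/*
 * Hardened symlink read (example code). 'symlink_size' is the length the
 * inode claims; data is copied only if every bound holds. Only
 * uncompressed blocks are handled here (assumption for the example).
 * Returns the number of bytes copied, or -1 on a malformed image.
 */
int read_symlink_checked(const uint8_t *img, size_t img_len, size_t block_off,
                         uint32_t symlink_size, char *dst, size_t dst_len)
{
    uint16_t hdr;
    size_t length, data_off;

    if (read_le16(img, img_len, block_off, &hdr) < 0)
        return -1;
    if (!(hdr & SQUASHFS_COMPRESSED_BIT))
        return -1;                  /* compressed block: out of scope here */

    length = hdr & SQUASHFS_LEN_MASK;
    /* A metadata block never carries more than SQUASHFS_METADATA_SIZE bytes. */
    if (length == 0 || length > SQUASHFS_METADATA_SIZE)
        return -1;
    /* The block payload must lie inside the image. */
    data_off = block_off + 2;
    if (length > img_len - data_off)
        return -1;
    /* The inode's size must fit in the block and in the caller's buffer. */
    if (symlink_size > length || symlink_size >= dst_len)
        return -1;

    memcpy(dst, img + data_off, symlink_size);
    dst[symlink_size] = '\0';
    return (int)symlink_size;
}

/* Constructed sample: one uncompressed block holding an 11-byte target. */
static const uint8_t good_img[] = {
    0x0b, 0x80,                                   /* header: uncompressed, len 11 */
    't', 'a', 'r', 'g', 'e', 't', '/', 'p', 'a', 't', 'h',
};

/* Constructed crafted sample: header claims 0x7fff bytes, only 4 follow. */
static const uint8_t bad_img[] = {
    0xff, 0xff,
    'A', 'A', 'A', 'A',
};

int main(void)
{
    char buf[32];

    printf("good: copied %d bytes -> %s\n",
           read_symlink_checked(good_img, sizeof good_img, 0, 11, buf, sizeof buf), buf);
    printf("crafted: unchecked reader would copy %d bytes, checked reader returns %d\n",
           untrusted_block_length(bad_img, sizeof bad_img, 0),
           read_symlink_checked(bad_img, sizeof bad_img, 0, 4, buf, sizeof buf));
    return 0;
}
```

The four checks map onto the failure modes a crafted image can pick: a header length above the metadata block size, a block that runs past the end of the image, an inode size larger than the block actually holds, and an inode size larger than the buffer the caller allocated. A reader that trusts any one of those values on its own ends up with exactly the memcpy past the end of a heap region that the sanitizer report above shows.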
Thread overview:
2024-07-16 15:49 Richard Weinberger [this message]
2024-07-17  7:36 ` Various Squashfs Issues Ahmad Fatoum