From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 06/22] u-boot: fix CVE-2024-57257
Date: Tue, 25 Feb 2025 06:29:41 -0800	[thread overview]
Message-ID: <5ed8ad78bcce836aa8894de7a1d7fdf719e5bbca.1740493685.git.steve@sakoman.com> (raw)
In-Reply-To: <cover.1740493685.git.steve@sakoman.com>

From: Hongxu Jia <hongxu.jia@windriver.com>

A stack consumption issue in sqfs_size in Das U-Boot before 2025.01-rc1
occurs via a crafted squashfs filesystem with deep symlink nesting.

https://nvd.nist.gov/vuln/detail/CVE-2024-57257

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../u-boot/files/CVE-2024-57257.patch         | 228 ++++++++++++++++++
 meta/recipes-bsp/u-boot/u-boot_2022.01.bb     |   1 +
 2 files changed, 229 insertions(+)
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch
new file mode 100644
index 0000000000..5b6cbb8cad
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch
@@ -0,0 +1,228 @@
+From 790a2005e7a44dba059f5dbf1b9eff3a13e9b5e7 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Wed, 19 Feb 2025 15:51:53 +0800
+Subject: [PATCH] squashfs: Fix stack overflow while symlink resolving
+
+The squashfs driver blindly follows symlinks, and calls sqfs_size()
+recursively. So an attacker can create a crafted filesystem and with
+a deep enough nesting level a stack overflow can be achieved.
+
+Fix by limiting the nesting level to 8.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+
+CVE: CVE-2024-57257
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/4f5cc096bfd0a591f8a11e86999e3d90a9484c34]
+
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/squashfs/sqfs.c | 76 +++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 61 insertions(+), 15 deletions(-)
+
+diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
+index 7f2af8e1f9..09c0911689 100644
+--- a/fs/squashfs/sqfs.c
++++ b/fs/squashfs/sqfs.c
+@@ -24,7 +24,12 @@
+ #include "sqfs_filesystem.h"
+ #include "sqfs_utils.h"
+ 
++#define MAX_SYMLINK_NEST 8
++
+ static struct squashfs_ctxt ctxt;
++static int symlinknest;
++
++static int sqfs_readdir_nest(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp);
+ 
+ static int sqfs_disk_read(__u32 block, __u32 nr_blocks, void *buf)
+ {
+@@ -502,7 +507,7 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
+ 			goto out;
+ 		}
+ 
+-		while (!sqfs_readdir(dirsp, &dent)) {
++		while (!sqfs_readdir_nest(dirsp, &dent)) {
+ 			ret = strcmp(dent->name, token_list[j]);
+ 			if (!ret)
+ 				break;
+@@ -527,6 +532,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
+ 
+ 		/* Check for symbolic link and inode type sanity */
+ 		if (get_unaligned_le16(&dir->inode_type) == SQFS_SYMLINK_TYPE) {
++			if (++symlinknest == MAX_SYMLINK_NEST) {
++				ret = -ELOOP;
++				goto out;
++			}
++
+ 			sym = (struct squashfs_symlink_inode *)table;
+ 			/* Get first j + 1 tokens */
+ 			path = sqfs_concat_tokens(token_list, j + 1);
+@@ -872,7 +882,7 @@ out:
+ 	return metablks_count;
+ }
+ 
+-int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp)
++static int sqfs_opendir_nest(const char *filename, struct fs_dir_stream **dirsp)
+ {
+ 	unsigned char *inode_table = NULL, *dir_table = NULL;
+ 	int j, token_count = 0, ret = 0, metablks_count;
+@@ -967,7 +977,19 @@ out:
+ 	return ret;
+ }
+ 
++int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp)
++{
++	symlinknest = 0;
++	return sqfs_opendir_nest(filename, dirsp);
++}
++
+ int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp)
++{
++	symlinknest = 0;
++	return sqfs_readdir_nest(fs_dirs, dentp);
++}
++
++static int sqfs_readdir_nest(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp)
+ {
+ 	struct squashfs_super_block *sblk = ctxt.sblk;
+ 	struct squashfs_dir_stream *dirs;
+@@ -1311,8 +1333,8 @@ static int sqfs_get_lregfile_info(struct squashfs_lreg_inode *lreg,
+ 	return datablk_count;
+ }
+ 
+-int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+-	      loff_t *actread)
++static int sqfs_read_nest(const char *filename, void *buf, loff_t offset,
++			  loff_t len, loff_t *actread)
+ {
+ 	char *dir = NULL, *fragment_block, *datablock = NULL, *data_buffer = NULL;
+ 	char *fragment = NULL, *file = NULL, *resolved, *data;
+@@ -1342,11 +1364,11 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+ 	}
+ 
+ 	/*
+-	 * sqfs_opendir will uncompress inode and directory tables, and will
++	 * sqfs_opendir_nest will uncompress inode and directory tables, and will
+ 	 * return a pointer to the directory that contains the requested file.
+ 	 */
+ 	sqfs_split_path(&file, &dir, filename);
+-	ret = sqfs_opendir(dir, &dirsp);
++	ret = sqfs_opendir_nest(dir, &dirsp);
+ 	if (ret) {
+ 		goto out;
+ 	}
+@@ -1354,7 +1376,7 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+ 	dirs = (struct squashfs_dir_stream *)dirsp;
+ 
+ 	/* For now, only regular files are able to be loaded */
+-	while (!sqfs_readdir(dirsp, &dent)) {
++	while (!sqfs_readdir_nest(dirsp, &dent)) {
+ 		ret = strcmp(dent->name, file);
+ 		if (!ret)
+ 			break;
+@@ -1403,9 +1425,14 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+ 		break;
+ 	case SQFS_SYMLINK_TYPE:
+ 	case SQFS_LSYMLINK_TYPE:
++		if (++symlinknest == MAX_SYMLINK_NEST) {
++			ret = -ELOOP;
++			goto out;
++		}
++
+ 		symlink = (struct squashfs_symlink_inode *)ipos;
+ 		resolved = sqfs_resolve_symlink(symlink, filename);
+-		ret = sqfs_read(resolved, buf, offset, len, actread);
++		ret = sqfs_read_nest(resolved, buf, offset, len, actread);
+ 		free(resolved);
+ 		goto out;
+ 	case SQFS_BLKDEV_TYPE:
+@@ -1579,7 +1606,14 @@ out:
+ 	return ret;
+ }
+ 
+-int sqfs_size(const char *filename, loff_t *size)
++int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
++	      loff_t *actread)
++{
++	symlinknest = 0;
++	return sqfs_read_nest(filename, buf, offset, len, actread);
++}
++
++static int sqfs_size_nest(const char *filename, loff_t *size)
+ {
+ 	struct squashfs_super_block *sblk = ctxt.sblk;
+ 	struct squashfs_symlink_inode *symlink;
+@@ -1595,10 +1629,10 @@ int sqfs_size(const char *filename, loff_t *size)
+ 
+ 	sqfs_split_path(&file, &dir, filename);
+ 	/*
+-	 * sqfs_opendir will uncompress inode and directory tables, and will
++	 * sqfs_opendir_nest will uncompress inode and directory tables, and will
+ 	 * return a pointer to the directory that contains the requested file.
+ 	 */
+-	ret = sqfs_opendir(dir, &dirsp);
++	ret = sqfs_opendir_nest(dir, &dirsp);
+ 	if (ret) {
+ 		ret = -EINVAL;
+ 		goto free_strings;
+@@ -1606,7 +1640,7 @@ int sqfs_size(const char *filename, loff_t *size)
+ 
+ 	dirs = (struct squashfs_dir_stream *)dirsp;
+ 
+-	while (!sqfs_readdir(dirsp, &dent)) {
++	while (!sqfs_readdir_nest(dirsp, &dent)) {
+ 		ret = strcmp(dent->name, file);
+ 		if (!ret)
+ 			break;
+@@ -1639,6 +1673,11 @@ int sqfs_size(const char *filename, loff_t *size)
+ 		break;
+ 	case SQFS_SYMLINK_TYPE:
+ 	case SQFS_LSYMLINK_TYPE:
++		if (++symlinknest == MAX_SYMLINK_NEST) {
++			*size = 0;
++			return -ELOOP;
++		}
++
+ 		symlink = (struct squashfs_symlink_inode *)ipos;
+ 		resolved = sqfs_resolve_symlink(symlink, filename);
+ 		ret = sqfs_size(resolved, size);
+@@ -1678,10 +1717,11 @@ int sqfs_exists(const char *filename)
+ 
+ 	sqfs_split_path(&file, &dir, filename);
+ 	/*
+-	 * sqfs_opendir will uncompress inode and directory tables, and will
++	 * sqfs_opendir_nest will uncompress inode and directory tables, and will
+ 	 * return a pointer to the directory that contains the requested file.
+ 	 */
+-	ret = sqfs_opendir(dir, &dirsp);
++	symlinknest = 0;
++	ret = sqfs_opendir_nest(dir, &dirsp);
+ 	if (ret) {
+ 		ret = -EINVAL;
+ 		goto free_strings;
+@@ -1689,7 +1729,7 @@ int sqfs_exists(const char *filename)
+ 
+ 	dirs = (struct squashfs_dir_stream *)dirsp;
+ 
+-	while (!sqfs_readdir(dirsp, &dent)) {
++	while (!sqfs_readdir_nest(dirsp, &dent)) {
+ 		ret = strcmp(dent->name, file);
+ 		if (!ret)
+ 			break;
+@@ -1706,6 +1746,12 @@ free_strings:
+ 	return ret == 0;
+ }
+ 
++int sqfs_size(const char *filename, loff_t *size)
++{
++	symlinknest = 0;
++	return sqfs_size_nest(filename, size);
++}
++
+ void sqfs_close(void)
+ {
+ 	sqfs_decompressor_cleanup(&ctxt);
+-- 
+2.34.1
+
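Review bot: The depth guard added to sqfs_size_nest is defeated by the unchanged context line `ret = sqfs_size(resolved, size);` in the same switch case: the public sqfs_size wrapper added at the end of this patch sets `symlinknest = 0` before calling sqfs_size_nest, so every symlink hop restarts the count at zero and MAX_SYMLINK_NEST is never reached on the sqfs_size path — the very path the CVE description names — leaving that recursion unbounded. The call should go to the nested variant, as the sqfs_read_nest case already does: `ret = sqfs_size_nest(resolved, size);`. Separately, the new `*size = 0; return -ELOOP;` in sqfs_size_nest returns directly where sqfs_read_nest uses `goto out`; if the strings from sqfs_split_path and the opened directory are released at the free_strings label seen in the earlier hunk of this function, the direct return leaks them, and `*size = 0; ret = -ELOOP; goto free_strings;` would be the matching form — the end of that switch and the cleanup path lie outside the quoted hunks, so confirm against the full function. The `==` comparison also works only because the counter is reset on every public entry; `>=` would be the more robust guard.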
diff --git a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
index c643fb35f3..c68e3e442f 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2022.01.bb
@@ -14,6 +14,7 @@ SRC_URI +=       " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
                    file://CVE-2024-57254.patch \
                    file://CVE-2024-57255.patch \
                    file://CVE-2024-57256.patch \
+                   file://CVE-2024-57257.patch \
                  "
 
 DEPENDS += "bc-native dtc-native python3-setuptools-native"
-- 
2.43.0


