From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <u-boot-bounces@lists.denx.de>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id 73B59C433EF
	for <u-boot@archiver.kernel.org>; Wed,  8 Jun 2022 07:39:29 +0000 (UTC)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id A1BF6842B6;
	Wed,  8 Jun 2022 09:39:26 +0200 (CEST)
Authentication-Results: phobos.denx.de; dmarc=pass (p=reject dis=none) header.from=bootlin.com
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (2048-bit key; unprotected) header.d=bootlin.com header.i=@bootlin.com header.b="DseEp3lm";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id C76F283FC8; Wed,  8 Jun 2022 09:39:23 +0200 (CEST)
Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net
 [IPv6:2001:4b98:dc4:8::224])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id 8893B83FC8
 for <u-boot@lists.denx.de>; Wed,  8 Jun 2022 09:39:19 +0200 (CEST)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=reject dis=none) header.from=bootlin.com
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=miquel.raynal@bootlin.com
Received: (Authenticated sender: miquel.raynal@bootlin.com)
 by mail.gandi.net (Postfix) with ESMTPSA id A22CAE000D;
 Wed,  8 Jun 2022 07:39:18 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=gm1;
 t=1654673959;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=FbvZ+V7thbaMRJgYLsWX+RV7aX1p482IV6wSYFkHbxU=;
 b=DseEp3lmAlPf6SoGU2BKbjxR3rC3iZ/8APJyuqxlYez7zcZkRJ+68RDA0VBa3EbSFz++Cy
 vgTOmi86sgcar+uPtv/bmhutTI8ps1tHq0vHBAewXV1H3MPVjxNW5FnXZO/DHvPkf5e5y8
 twS4V+G1fWMuUEvK2prWquMbD8lqMAeZSgJgaS2HhCEDNTU8QvAX/hOtSxMqpd+eokVg0b
 G+fALaxG1LmySELviTAODDGAmeh/L6HnpjbSDKvY8uuQ9zOF6yB7eBPwCUy/L686HpePx+
 TPhDn42M0DBGITZmzs25P+YxdiIIvm/Y8jd7T/s/fkWf4t7+URfH+iLQpC0IrQ==
Date: Wed, 8 Jun 2022 09:39:16 +0200
From: Miquel Raynal <miquel.raynal@bootlin.com>
To: Jincheng Wang <jc.w4ng@gmail.com>
Cc: Tom Rini <trini@konsulko.com>, joaomarcos.costa@bootlin.com,
 thomas.petazzoni@bootlin.com, u-boot@lists.denx.de
Subject: Re: [PATCH] fs/squashfs: sqfs_read: Prevent arbitrary code execution
Message-ID: <20220608093916.3ab39f04@xps-13>
In-Reply-To: <CALO=DHH2YhSM4icm2gm8=kun=fydnE06tY66dRGiUnoafPfMaA@mail.gmail.com>
References: <20220603152653.629591-1-miquel.raynal@bootlin.com>
 <CALO=DHG7e2V42R_aZsUEzvonaP5paOugzQ-e0yfiu0-Sh2oSTQ@mail.gmail.com>
 <20220607134326.GN1958597@bill-the-cat>
 <CALO=DHH2YhSM4icm2gm8=kun=fydnE06tY66dRGiUnoafPfMaA@mail.gmail.com>
Organization: Bootlin
X-Mailer: Claws Mail 4.0.0 (GTK+ 3.24.33; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.5 at phobos.denx.de
X-Virus-Status: Clean

Hi Jincheng,

jc.w4ng@gmail.com wrote on Wed, 8 Jun 2022 11:37:13 +0800:

> To be honest, I don't have experience....
>=20
> Reference to the article "
> https://events19.linuxfoundation.org/wp-content/uploads/2018/07/may_be_ma=
intainer-2.pdf"
> , I tried to do some work.
>=20
> 1. checkpatch  (=E2=88=9A)
> 2. no new compile warnings (=E2=88=9A)
> 3. if bug fix, verify the bug is fixed (=E2=88=9A)
>      I tried some vul-samples, and the patch solved them well.
> 4. if new feature, feature matches documentation (=C3=97)
>      I try some normal samples, and there is a bug. The dir name or
> filename loses a byte. You can use the attachment to check it.
>      I use command " mksquashfs $dir normal.sqfs -noI -noD -noF -noX" to
> create the squashfs sample.

What we are asking for is just you replying plain text to this thread
with this line: "Tested-by: <you> <youraddress>"

This "tag" will automatically be picked-up by the tools used by the
maintainers when applying the patch, to trace who did what.

>=20
>=20
> ```before patch
> =3D> ls host 0 =20
> BTRFS: superblock end 69632 is larger than device size 4096
> BTRFS: superblock end 69632 is larger than device size 4096
>        11   hello
> BTRFS: superblock end 69632 is larger than device size 4096
> BTRFS: superblock end 69632 is larger than device size 4096
> 1 file(s), 0 dir(s)
> ```
>=20
>=20
> ```after patch
> =3D> ls host 0 =20
> BTRFS: superblock end 69632 is larger than device size 4096
> BTRFS: superblock end 69632 is larger than device size 4096
>        11   hell
> BTRFS: superblock end 69632 is larger than device size 4096
> BTRFS: superblock end 69632 is larger than device size 4096
>=20
> 1 file(s), 0 dir(s)
>  ```
>=20
>=20
>=20
>=20
>=20
>=20
> Tom Rini <trini@konsulko.com> =E4=BA=8E2022=E5=B9=B46=E6=9C=887=E6=97=A5=
=E5=91=A8=E4=BA=8C 21:43=E5=86=99=E9=81=93=EF=BC=9A
>=20
> > On Tue, Jun 07, 2022 at 06:00:38PM +0800, Jincheng Wang wrote:
> > =20
> > > It works well, thanks for your work. =20
> >
> > Can you please provide a Tested-by?  Thanks!
> > =20
> > >
> > >
> > > Miquel Raynal <miquel.raynal@bootlin.com> =E4=BA=8E2022=E5=B9=B46=E6=
=9C=883=E6=97=A5=E5=91=A8=E4=BA=94 23:26=E5=86=99=E9=81=93=EF=BC=9A =20
> > > >
> > > > Following Jincheng's report, an out-of-band write leading to arbitr=
ary
> > > > code execution is possible because on one side the squashfs logic
> > > > accepts directory names up to 65535 bytes (u16), while U-Boot fs lo=
gic
> > > > accepts directory names up to 255 bytes long.
> > > >
> > > > Prevent such an exploit from happening by capping directory name si=
zes
> > > > to 255. Use a define for this purpose so that developers can link t=
he
> > > > limitation to its source and eventually kill it some day by dynamic=
ally
> > > > allocating this array (if ever desired).
> > > >
> > > > Link: =20
> > https://lore.kernel.org/all/CALO=3DDHFB+yBoXxVr5KcsK0iFdg+e7ywko4-e+72k=
jbcS8JBfPw@mail.gmail.com =20
> > > > Reported-by: Jincheng Wang <jc.w4ng@gmail.com>
> > > > Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
> > > > ---
> > > >
> > > > Hello Jincheng, can you please give this fix a try?
> > > >
> > > > Thanks!
> > > > Miqu=C3=A8l
> > > >
> > > >  fs/squashfs/sqfs.c | 8 +++++---
> > > >  include/fs.h       | 4 +++-
> > > >  2 files changed, 8 insertions(+), 4 deletions(-)
> > > >
> > > > diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
> > > > index b4484fa17f5..ee6ac8b3e4d 100644
> > > > --- a/fs/squashfs/sqfs.c
> > > > +++ b/fs/squashfs/sqfs.c
> > > > @@ -976,6 +976,7 @@ int sqfs_readdir(struct fs_dir_stream *fs_dirs,=
 =20
> > struct fs_dirent **dentp) =20
> > > >         int i_number, offset =3D 0, ret;
> > > >         struct fs_dirent *dent;
> > > >         unsigned char *ipos;
> > > > +       u16 name_size;
> > > >
> > > >         dirs =3D (struct squashfs_dir_stream *)fs_dirs;
> > > >         if (!dirs->size) {
> > > > @@ -1058,9 +1059,10 @@ int sqfs_readdir(struct fs_dir_stream *fs_di=
rs, =20
> > struct fs_dirent **dentp) =20
> > > >                 return -SQFS_STOP_READDIR;
> > > >         }
> > > >
> > > > -       /* Set entry name */
> > > > -       strncpy(dent->name, dirs->entry->name, dirs->entry->name_si=
ze =20
> > + 1); =20
> > > > -       dent->name[dirs->entry->name_size + 1] =3D '\0';
> > > > +       /* Set entry name (capped at FS_DIRENT_NAME_LEN which is a =
=20
> > U-Boot limitation) */ =20
> > > > +       name_size =3D min_t(u16, dirs->entry->name_size, =20
> > FS_DIRENT_NAME_LEN - 1); =20
> > > > +       strncpy(dent->name, dirs->entry->name, name_size);
> > > > +       dent->name[name_size] =3D '\0';
> > > >
> > > >         offset =3D dirs->entry->name_size + 1 + SQFS_ENTRY_BASE_LEN=
GTH;
> > > >         dirs->entry_count--;
> > > > diff --git a/include/fs.h b/include/fs.h
> > > > index b43f16a692f..2195dc172ec 100644
> > > > --- a/include/fs.h
> > > > +++ b/include/fs.h
> > > > @@ -174,6 +174,8 @@ int fs_write(const char *filename, ulong addr, =
=20
> > loff_t offset, loff_t len, =20
> > > >  #define FS_DT_REG  8         /* regular file */
> > > >  #define FS_DT_LNK  10        /* symbolic link */
> > > >
> > > > +#define FS_DIRENT_NAME_LEN 256
> > > > +
> > > >  /**
> > > >   * struct fs_dirent - directory entry
> > > >   *
> > > > @@ -194,7 +196,7 @@ struct fs_dirent {
> > > >         /** change_time:        time of last modification */
> > > >         struct rtc_time change_time;
> > > >         /** name:               file name */
> > > > -       char name[256];
> > > > +       char name[FS_DIRENT_NAME_LEN];
> > > >  };
> > > >
> > > >  /* Note: fs_dir_stream should be treated as opaque to the user of =
fs =20
> > layer */ =20
> > > > --
> > > > 2.34.1
> > > > =20
> >
> > --
> > Tom
> > =20


Thanks,
Miqu=C3=A8l