mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-08 05:09:24 +00:00
Code Issues Projects Releases Wiki Activity

u-boot: fix CVE-2024-57259

Browse Source 
sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error
and resultant heap memory corruption for squashfs directory listing because the
path separator is not considered in a size calculation.

https://nvd.nist.gov/vuln/detail/CVE-2024-57259

(From OE-Core rev: e4b713ff07695487cc9307ffc3576a11775cde4d)

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Hongxu Jia
2025-02-19 16:18:19 +08:00
committed by Steve Sakoman
parent 644ddcb993
commit ecd87254c8
2 changed files with 42 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch
+41
View File
@@ -0,0 +1,41 @@
From 2c08fe306c6cbc60ec4beb434c71e56bb7abb678 Mon Sep 17 00:00:00 2001
From: Richard Weinberger <richard@nod.at>
Date: Fri, 2 Aug 2024 22:05:09 +0200
Subject: [PATCH 8/8] squashfs: Fix heap corruption in sqfs_search_dir()
res needs to be large enough to store both strings rem and target,
plus the path separator and the terminator.
Currently the space for the path separator is not accounted, so
the heap is corrupted by one byte.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
CVE: CVE-2024-57259
Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/048d795bb5b3d9c5701b4855f5e74bcf6849bf5e]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
fs/squashfs/sqfs.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index a5b7890e..1bd9b2a4 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -563,8 +563,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
ret = -ENOMEM;
goto out;
}
- /* Concatenate remaining tokens and symlink's target */
- res = malloc(strlen(rem) + strlen(target) + 1);
+ /*
+ * Concatenate remaining tokens and symlink's target.
+ * Allocate enough space for rem, target, '/' and '\0'.
+ */
+ res = malloc(strlen(rem) + strlen(target) + 2);
if (!res) {
ret = -ENOMEM;
goto out;
--
2.34.1
meta/recipes-bsp/u-boot/u-boot_2022.01.bb
+1
View File
@@ -18,6 +18,7 @@ SRC_URI += " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
file://CVE-2024-57258-1.patch \
file://CVE-2024-57258-2.patch \
file://CVE-2024-57258-3.patch \
file://CVE-2024-57259.patch \
"
DEPENDS += "bc-native dtc-native python3-setuptools-native"