!60 fix CVE-2022-33967

From: @zhouwenpei Reviewed-by: @t_feng Signed-off-by: @t_feng
2022-07-27 09:08:01 +00:00 · 2022-07-27 09:08:01 +00:00 · abb42317e6
commit abb42317e6
parent a2754156ec bdf67ec58a
2 changed files with 63 additions and 2 deletions
--- a/backport-CVE-2022-33967.patch
+++ b/backport-CVE-2022-33967.patch
@ -0,0 +1,57 @@
+From 7f7fb9937c6cb49dd35153bd6708872b390b0a44 Mon Sep 17 00:00:00 2001
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+Date: Mon, 27 Jun 2022 12:20:03 +0200
+Subject: [PATCH] fs/squashfs: Use kcalloc when relevant
+
+A crafted squashfs image could embed a huge number of empty metadata
+blocks in order to make the amount of malloc()'d memory overflow and be
+much smaller than expected. Because of this flaw, any random code
+positioned at the right location in the squashfs image could be memcpy'd
+from the squashfs structures into U-Boot code location while trying to
+access the rearmost blocks, before being executed.
+
+In order to prevent this vulnerability from being exploited in eg. a
+secure boot environment, let's add a check over the amount of data
+that is going to be allocated. Such a check could look like:
+
+if (!elem_size || n > SIZE_MAX / elem_size)
+	return NULL;
+
+The right way to do it would be to enhance the calloc() implementation
+but this is quite an impacting change for such a small fix. Another
+solution would be to add the check before the malloc call in the
+squashfs implementation, but this does not look right. So for now, let's
+use the kcalloc() compatibility function from Linux, which has this
+check.
+
+Fixes: c5100613037 ("fs/squashfs: new filesystem")
+Reported-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu@sony.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Tested-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu@sony.com>
+---
+ fs/squashfs/sqfs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
+index 92ab8ac6..60557f4a 100644
+--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
+@@ -13,6 +13,7 @@
+ #include <linux/types.h>
+ #include <linux/byteorder/little_endian.h>
+ #include <linux/byteorder/generic.h>
+#include <linux/compat.h>
+ #include <memalign.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -725,7 +726,8 @@ static int sqfs_read_inode_table(unsigned char **inode_table)
+ 		goto free_itb;
+ 	}
+ 
+-	*inode_table = malloc(metablks_count * SQFS_METADATA_BLOCK_SIZE);
+	*inode_table = kcalloc(metablks_count, SQFS_METADATA_BLOCK_SIZE,
+						       GFP_KERNEL);
+ 	if (!*inode_table) {
+ 		ret = -ENOMEM;
+ 		goto free_itb;
+-- 
--- a/uboot-tools.spec
+++ b/uboot-tools.spec
@ -3,7 +3,7 @@

 Name:           uboot-tools
 Version:        2021.10
-Release:        3
+Release:        4
 Summary:        tools for U-Boot
 License:        GPL-2.0-or-later and Public Domain and GPL-2.0-only
 URL:            http://www.denx.de/wiki/U-Boot
@ -20,6 +20,7 @@ Patch6001:      backport-AllWinner-PineTab.patch
 # RPI4
 Patch6002:      backport-rpi-Enable-using-the-DT-provided-by-the-Raspberry-Pi.patch
 Patch6003:	backport-CVE-2022-34835.patch
+Patch6004:	backport-CVE-2022-33967.patch

 BuildRequires:  bc dtc gcc make flex bison git-core openssl-devel
 BuildRequires:  python3-unversioned-command python3-devel python3-setuptools
@ -242,7 +243,10 @@ cp -p board/warp7/README builds/docs/README.warp7
 %{_mandir}/man1/mkimage.1*

 %changelog
-* Tue Jul 12 2022 zhouwenpei <zhouwnepei1@h-partners.com> - 2021-10-3
+* Tue Jul 26 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 2021-10-4
+- fix CVE-2022-33967
+
+* Tue Jul 12 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 2021-10-3
 - fix CVE-2022-34835

 * Wed May 11 2022 liuyumeng <liuyumeng5@h-partners.com> - 2021-10-2