fix CVE-2022-33967

2022-07-27 16:01:15 +08:00 · 2022-07-27 16:01:15 +08:00 · bdf67ec58a
commit bdf67ec58a
parent a2754156ec
2 changed files with 63 additions and 2 deletions
--- a/backport-CVE-2022-33967.patch
+++ b/backport-CVE-2022-33967.patch
@ -0,0 +1,57 @@
 From 7f7fb9937c6cb49dd35153bd6708872b390b0a44 Mon Sep 17 00:00:00 2001
 From: Miquel Raynal <miquel.raynal@bootlin.com>
 Date: Mon, 27 Jun 2022 12:20:03 +0200
 Subject: [PATCH] fs/squashfs: Use kcalloc when relevant
 A crafted squashfs image could embed a huge number of empty metadata
 blocks in order to make the amount of malloc()'d memory overflow and be
 much smaller than expected. Because of this flaw, any random code
 positioned at the right location in the squashfs image could be memcpy'd
 from the squashfs structures into U-Boot code location while trying to
 access the rearmost blocks, before being executed.
 In order to prevent this vulnerability from being exploited in eg. a
 secure boot environment, let's add a check over the amount of data
 that is going to be allocated. Such a check could look like:
 if (!elem_size || n > SIZE_MAX / elem_size)
 	return NULL;
 The right way to do it would be to enhance the calloc() implementation
 but this is quite an impacting change for such a small fix. Another
 solution would be to add the check before the malloc call in the
 squashfs implementation, but this does not look right. So for now, let's
 use the kcalloc() compatibility function from Linux, which has this
 check.
 Fixes: c5100613037 ("fs/squashfs: new filesystem")
 Reported-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu@sony.com>
 Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
 Tested-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu@sony.com>
 ---
 fs/squashfs/sqfs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
 index 92ab8ac6..60557f4a 100644
 --- a/fs/squashfs/sqfs.c
 +++ b/fs/squashfs/sqfs.c
@@ -13,6 +13,7 @@
 #include <linux/types.h>
 #include <linux/byteorder/little_endian.h>
 #include <linux/byteorder/generic.h>
 +#include <linux/compat.h>
 #include <memalign.h>
 #include <stdlib.h>
 #include <string.h>
@@ -725,7 +726,8 @@ static int sqfs_read_inode_table(unsigned char **inode_table)
 		goto free_itb;
 	}
 -	*inode_table = malloc(metablks_count * SQFS_METADATA_BLOCK_SIZE);
 +	*inode_table = kcalloc(metablks_count, SQFS_METADATA_BLOCK_SIZE,
 +						       GFP_KERNEL);
 	if (!*inode_table) {
 		ret = -ENOMEM;
 		goto free_itb;
 -- 
--- a/uboot-tools.spec
+++ b/uboot-tools.spec
@ -3,7 +3,7 @@
 Name:           uboot-tools
 Version:        2021.10
-Release:        3
+Release:        4
 Summary:        tools for U-Boot
 License:        GPL-2.0-or-later and Public Domain and GPL-2.0-only
 URL:            http://www.denx.de/wiki/U-Boot
@ -20,6 +20,7 @@ Patch6001:      backport-AllWinner-PineTab.patch
 # RPI4
 Patch6002:      backport-rpi-Enable-using-the-DT-provided-by-the-Raspberry-Pi.patch
 Patch6003:	backport-CVE-2022-34835.patch
 Patch6004:	backport-CVE-2022-33967.patch
 BuildRequires:  bc dtc gcc make flex bison git-core openssl-devel
 BuildRequires:  python3-unversioned-command python3-devel python3-setuptools
@ -242,7 +243,10 @@ cp -p board/warp7/README builds/docs/README.warp7
 %{_mandir}/man1/mkimage.1*
 %changelog
-* Tue Jul 12 2022 zhouwenpei <zhouwnepei1@h-partners.com> - 2021-10-3
+* Tue Jul 26 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 2021-10-4
 - fix CVE-2022-33967
 * Tue Jul 12 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 2021-10-3
 - fix CVE-2022-34835
 * Wed May 11 2022 liuyumeng <liuyumeng5@h-partners.com> - 2021-10-2