fix CVE-2022-33967
This commit is contained in:
zhouwenpei
parent
a2754156ec
commit
bdf67ec58a
57
backport-CVE-2022-33967.patch
Normal file
57
backport-CVE-2022-33967.patch
Normal file
@ -0,0 +1,57 @@
|
||||
From 7f7fb9937c6cb49dd35153bd6708872b390b0a44 Mon Sep 17 00:00:00 2001
|
||||
From: Miquel Raynal <miquel.raynal@bootlin.com>
|
||||
Date: Mon, 27 Jun 2022 12:20:03 +0200
|
||||
Subject: [PATCH] fs/squashfs: Use kcalloc when relevant
|
||||
|
||||
A crafted squashfs image could embed a huge number of empty metadata
|
||||
blocks in order to make the amount of malloc()'d memory overflow and be
|
||||
much smaller than expected. Because of this flaw, any random code
|
||||
positioned at the right location in the squashfs image could be memcpy'd
|
||||
from the squashfs structures into U-Boot code location while trying to
|
||||
access the rearmost blocks, before being executed.
|
||||
|
||||
In order to prevent this vulnerability from being exploited in eg. a
|
||||
secure boot environment, let's add a check over the amount of data
|
||||
that is going to be allocated. Such a check could look like:
|
||||
|
||||
if (!elem_size || n > SIZE_MAX / elem_size)
|
||||
return NULL;
|
||||
|
||||
The right way to do it would be to enhance the calloc() implementation
|
||||
but this is quite an impacting change for such a small fix. Another
|
||||
solution would be to add the check before the malloc call in the
|
||||
squashfs implementation, but this does not look right. So for now, let's
|
||||
use the kcalloc() compatibility function from Linux, which has this
|
||||
check.
|
||||
|
||||
Fixes: c5100613037 ("fs/squashfs: new filesystem")
|
||||
Reported-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu@sony.com>
|
||||
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
|
||||
Tested-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu@sony.com>
|
||||
---
|
||||
fs/squashfs/sqfs.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
|
||||
index 92ab8ac6..60557f4a 100644
|
||||
--- a/fs/squashfs/sqfs.c
|
||||
+++ b/fs/squashfs/sqfs.c
|
||||
@@ -13,6 +13,7 @@
|
||||
#include <linux/types.h>
|
||||
#include <linux/byteorder/little_endian.h>
|
||||
#include <linux/byteorder/generic.h>
|
||||
+#include <linux/compat.h>
|
||||
#include <memalign.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
@@ -725,7 +726,8 @@ static int sqfs_read_inode_table(unsigned char **inode_table)
|
||||
goto free_itb;
|
||||
}
|
||||
|
||||
- *inode_table = malloc(metablks_count * SQFS_METADATA_BLOCK_SIZE);
|
||||
+ *inode_table = kcalloc(metablks_count, SQFS_METADATA_BLOCK_SIZE,
|
||||
+ GFP_KERNEL);
|
||||
if (!*inode_table) {
|
||||
ret = -ENOMEM;
|
||||
goto free_itb;
|
||||
--
|
||||
@ -3,7 +3,7 @@
|
||||
|
||||
Name: uboot-tools
|
||||
Version: 2021.10
|
||||
Release: 3
|
||||
Release: 4
|
||||
Summary: tools for U-Boot
|
||||
License: GPL-2.0-or-later and Public Domain and GPL-2.0-only
|
||||
URL: http://www.denx.de/wiki/U-Boot
|
||||
@ -20,6 +20,7 @@ Patch6001: backport-AllWinner-PineTab.patch
|
||||
# RPI4
|
||||
Patch6002: backport-rpi-Enable-using-the-DT-provided-by-the-Raspberry-Pi.patch
|
||||
Patch6003: backport-CVE-2022-34835.patch
|
||||
Patch6004: backport-CVE-2022-33967.patch
|
||||
|
||||
BuildRequires: bc dtc gcc make flex bison git-core openssl-devel
|
||||
BuildRequires: python3-unversioned-command python3-devel python3-setuptools
|
||||
@ -242,7 +243,10 @@ cp -p board/warp7/README builds/docs/README.warp7
|
||||
%{_mandir}/man1/mkimage.1*
|
||||
|
||||
%changelog
|
||||
* Tue Jul 12 2022 zhouwenpei <zhouwnepei1@h-partners.com> - 2021-10-3
|
||||
* Tue Jul 26 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 2021-10-4
|
||||
- fix CVE-2022-33967
|
||||
|
||||
* Tue Jul 12 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 2021-10-3
|
||||
- fix CVE-2022-34835
|
||||
|
||||
* Wed May 11 2022 liuyumeng <liuyumeng5@h-partners.com> - 2021-10-2
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user