From ba5d74937fbe070d87dc87618e55bb62a7925319 Mon Sep 17 00:00:00 2001
From: lingsheng <860373352@qq.com>
Date: Wed, 19 Feb 2025 10:28:51 +0800
Subject: [PATCH] fix CVE-2024-57256 CVE-2024-57258
---
 backport-0001-CVE-2024-57258.patch | 40 +++++++++++++++++++++++++++
 backport-0002-CVE-2024-57258.patch | 36 ++++++++++++++++++++++++
 backport-0003-CVE-2024-57258.patch | 33 ++++++++++++++++++++++
 backport-CVE-2024-57256.patch | 44 ++++++++++++++++++++++++++++++
 uboot-tools.spec | 9 +++++-
 5 files changed, 161 insertions(+), 1 deletion(-)
 create mode 100644 backport-0001-CVE-2024-57258.patch
 create mode 100644 backport-0002-CVE-2024-57258.patch
 create mode 100644 backport-0003-CVE-2024-57258.patch
 create mode 100644 backport-CVE-2024-57256.patch
diff --git a/backport-0001-CVE-2024-57258.patch b/backport-0001-CVE-2024-57258.patch
new file mode 100644
index 0000000..b9d58fe
--- /dev/null
+++ b/backport-0001-CVE-2024-57258.patch
@@ -0,0 +1,40 @@
+From 0a10b49206a29b4aa2f80233a3e53ca0466bb0b3 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger
+Date: Fri, 2 Aug 2024 12:08:45 +0200
+Subject: [PATCH] dlmalloc: Fix integer overflow in sbrk()
+
+Make sure that the new break is within mem_malloc_start
+and mem_malloc_end before making progress.
+ulong new = old + increment; can overflow for extremely large
+increment values and memset() can get wrongly called.
+
+Signed-off-by: Richard Weinberger
+Reviewed-by: Simon Glass
+---
+ common/dlmalloc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/common/dlmalloc.c b/common/dlmalloc.c
+index 48e83da6cbce..8e201ac0dc59 100644
+--- a/common/dlmalloc.c
++++ b/common/dlmalloc.c
+@@ -581,6 +581,9 @@ void *sbrk(ptrdiff_t increment)
+ ulong old = mem_malloc_brk;
+ ulong new = old + increment;
+
++ if ((new < mem_malloc_start) || (new > mem_malloc_end))
++ return (void *)MORECORE_FAILURE;
++
+ /*
+ * if we are giving memory back make sure we clear it out since
+ * we set MORECORE_CLEARS to 1
+@@ -588,9 +591,6 @@ void *sbrk(ptrdiff_t increment)
+ if (increment < 0)
+ memset((void *)new, 0, -increment);
+
+- if ((new < mem_malloc_start) || (new > mem_malloc_end))
+- return (void *)MORECORE_FAILURE;
+-
+ mem_malloc_brk = new;
+
+ return (void *)old;
diff --git a/backport-0002-CVE-2024-57258.patch b/backport-0002-CVE-2024-57258.patch
new file mode 100644
index 0000000..b56e5f3
--- /dev/null
+++ b/backport-0002-CVE-2024-57258.patch
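Review bot: The relocated check `++ if ((new < mem_malloc_start) || (new > mem_malloc_end))` is the entire fix, but nothing records why it must now sit ahead of the `memset()`, so a later tidy-up could move it back below the clearing code without anything flagging it. I would put `/* Check the new break before memset() uses it: a huge or very negative increment makes "new" leave the heap range. */` directly above the added lines. Separately, `memset((void *)new, 0, -increment)` still negates a `ptrdiff_t`, which is undefined for `PTRDIFF_MIN`; in practice the range check now rejects such a value first, but that reliance deserves a word in the same comment. Both inner hunks sit inside `sbrk()`, whose body starts and ends outside what is shown.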
@@ -0,0 +1,36 @@
+From 8642b2178d2c4002c99a0b69a845a48f2ae2706f Mon Sep 17 00:00:00 2001
+From: Richard Weinberger
+Date: Fri, 2 Aug 2024 12:08:44 +0200
+Subject: [PATCH] dlmalloc: Fix integer overflow in request2size()
+
+req is of type size_t, casting it to long opens the door
+for an integer overflow.
+Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX
+cause and overflow such that request2size() returns MINSIZE.
+
+Fix by removing the cast.
+The origin of the cast is unclear, it's in u-boot and ppcboot since ever
+and predates the CVS history.
+Doug Lea's original dlmalloc implementation also doesn't have it.
+
+Signed-off-by: Richard Weinberger
+Reviewed-by: Simon Glass
+---
+ common/dlmalloc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/common/dlmalloc.c b/common/dlmalloc.c
+index 1e1602a24dec..48e83da6cbce 100644
+--- a/common/dlmalloc.c
++++ b/common/dlmalloc.c
+@@ -386,8 +386,8 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ /* pad request bytes into a usable size */
+
+ #define request2size(req) \
+- (((long)((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
+- (long)(MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
++ ((((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
++ (MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
+ (((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) & ~(MALLOC_ALIGN_MASK)))
+
+ /* Check if m has acceptable alignment */
diff --git a/backport-0003-CVE-2024-57258.patch b/backport-0003-CVE-2024-57258.patch
new file mode 100644
index 0000000..4cb9c4c
--- /dev/null
+++ b/backport-0003-CVE-2024-57258.patch
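Review bot: Removing the `(long)` cast in `++ ((((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \` closes the signed-overflow window described in the message, but the addition is still `size_t` arithmetic and wraps when `req` lies within `SIZE_SZ + MALLOC_ALIGN_MASK` of `SIZE_MAX`, in which case the comparison is true and the macro again returns `MINSIZE`. That residual case is harmless only if every caller rejects such a size before reaching `request2size()`; I believe U-Boot's `mALLOc()`, `rEALLOc()` and `mEMALIGn()` carry an `if ((long)bytes < 0) return NULL;` guard, but those functions are outside this hunk and the 2020.07 copies should be checked. A short comment on the macro would record the dependency: `/* Callers must reject (long)req < 0 first; the sum below still wraps near SIZE_MAX. */`.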
@@ -0,0 +1,33 @@
+From c17b2a05dd50a3ba437e6373093a0d6a359cdee0 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger
+Date: Fri, 2 Aug 2024 12:08:43 +0200
+Subject: [PATCH] x86: Fix ptrdiff_t for x86_64
+
+sbrk() assumes ptrdiff_t is large enough to enlarge/shrink the heap
+by LONG_MIN/LONG_MAX.
+So, use the long type, also to match the rest of the Linux ecosystem.
+
+Signed-off-by: Richard Weinberger
+Reviewed-by: Simon Glass
+---
+ arch/x86/include/asm/posix_types.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/posix_types.h b/arch/x86/include/asm/posix_types.h
+index dbcea7f47ff9..e1ed9bcabc76 100644
+--- a/arch/x86/include/asm/posix_types.h
++++ b/arch/x86/include/asm/posix_types.h
+@@ -20,11 +20,12 @@ typedef unsigned short __kernel_gid_t;
+ #if defined(__x86_64__)
+ typedef unsigned long __kernel_size_t;
+ typedef long __kernel_ssize_t;
++typedef long __kernel_ptrdiff_t;
+ #else
+ typedef unsigned int __kernel_size_t;
+ typedef int __kernel_ssize_t;
+-#endif
+ typedef int __kernel_ptrdiff_t;
++#endif
+ typedef long __kernel_time_t;
+ typedef long __kernel_suseconds_t;
+ typedef long __kernel_clock_t;
diff --git a/backport-CVE-2024-57256.patch b/backport-CVE-2024-57256.patch
new file mode 100644
index 0000000..c300707
--- /dev/null
+++ b/backport-CVE-2024-57256.patch
@@ -0,0 +1,44 @@
+From 35f75d2a46e5859138c83a75cd2f4141c5479ab9 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger
+Date: Fri, 9 Aug 2024 11:54:28 +0200
+Subject: [PATCH] ext4: Fix integer overflow in ext4fs_read_symlink()
+
+While zalloc() takes a size_t type, adding 1 to the le32 variable
+will overflow.
+A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff
+and as consequence zalloc() will do a zero allocation.
+
+Later in the function the inode size is again used for copying data.
+So an attacker can overwrite memory.
+
+Avoid the overflow by using the __builtin_add_overflow() helper.
+
+Signed-off-by: Richard Weinberger
+---
+ fs/ext4/ext4_common.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c
+index 7cf0160c408d..76f7102456e3 100644
+--- a/fs/ext4/ext4_common.c
++++ b/fs/ext4/ext4_common.c
+@@ -2181,13 +2181,18 @@ static char *ext4fs_read_symlink(struct ext2fs_node *node)
+ struct ext2fs_node *diro = node;
+ int status;
+ loff_t actread;
++ size_t alloc_size;
+
+ if (!diro->inode_read) {
+ status = ext4fs_read_inode(diro->data, diro->ino, &diro->inode);
+ if (status == 0)
+ return NULL;
+ }
+- symlink = zalloc(le32_to_cpu(diro->inode.size) + 1);
++
++ if (__builtin_add_overflow(le32_to_cpu(diro->inode.size), 1, &alloc_size))
++ return NULL;
++
++ symlink = zalloc(alloc_size);
+ if (!symlink)
+ return NULL;
+
diff --git a/uboot-tools.spec b/uboot-tools.spec
index 19ee0d2..9cc6143 100644
--- a/uboot-tools.spec
+++ b/uboot-tools.spec
@@ -3,7 +3,7 @@
 Name: uboot-tools
 Version: 2020.07
-Release: 8
+Release: 9
 Summary: tools for U-Boot
 License: GPL-2.0-or-later and Public Domain and GPL-2.0-only
 URL: http://www.denx.de/wiki/U-Boot
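Review bot: The added `__builtin_add_overflow(le32_to_cpu(diro->inode.size), 1, &alloc_size)` check only guards the `+ 1`; on a 64-bit build `size_t` holds `0xffffffff + 1` without overflow, so a crafted size of `0xffffffff` now becomes a ~4 GiB `zalloc()` that is expected to fail and return NULL, while any smaller oversized value is still allocated and, per the commit message, reused as the copy length later in the function. That later copy lies outside this hunk, so the backport should be read together with it to confirm every copy is bounded by `alloc_size - 1`. I would record the trust boundary above the check: `/* inode.size comes from the on-disk image and is untrusted; alloc_size is the only bound the copy below may rely on. */`. `__builtin_add_overflow()` is a GCC/Clang builtin, which matches the compilers U-Boot supports, so it is fine for this tree. The rest of `ext4fs_read_symlink()` is outside the hunk.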
@@ -38,6 +38,10 @@ Patch0016: backport-CVE-2022-34835.patch
 Patch0017: backport-CVE-2022-30767.patch
 Patch0018: backport-0001-CVE-2022-2347.patch
 Patch0019: backport-0002-CVE-2022-2347.patch
+Patch0020: backport-CVE-2024-57256.patch
+Patch0021: backport-0001-CVE-2024-57258.patch
+Patch0022: backport-0002-CVE-2024-57258.patch
+Patch0023: backport-0003-CVE-2024-57258.patch
 BuildRequires: bc dtc gcc make flex bison git-core openssl-devel gdb
 BuildRequires: python-unversioned-command python3-devel python3-setuptools
@@ -260,6 +264,9 @@ cp -p board/warp7/README builds/docs/README.warp7
 %{_mandir}/man1/mkimage.1*
 %changelog
+* Wed Feb 19 2025 lingsheng - 2020.07-9
+- fix CVE-2024-57256 CVE-2024-57258
+
 * Tue Sep 24 2024 lingsheng -2020.07-8
 - fix CVE-2022-2347
-- Gitee
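Review bot: The four `+Patch0020:` through `+Patch0023:` tags declare the backports but nothing in this diff applies them; if this spec's `%prep` uses explicit `%patch` lines rather than `%autosetup -p1`, matching `%patch0020 -p1` through `%patch0023 -p1` lines are missing and the fixes would be listed yet never applied. `%prep` is outside both hunks, so please confirm which mechanism the spec uses. A minor point on naming: the backport numbering inverts upstream order, since 0003 carries the x86_64 `ptrdiff_t` change (dated 12:08:43, whose own message says `sbrk()` depends on it) while 0001 is the later `sbrk()` fix; the three patches touch disjoint regions so application order does not matter here, but anyone mapping the numbers back to upstream will expect the reverse. A one-line remark next to the Patch tags, e.g. `# CVE-2024-57258: applied as 0001..0003; upstream order is 0003, 0002, 0001`, would save that confusion.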