diff --git a/backport-CVE-2022-33103.patch b/backport-CVE-2022-33103.patch new file mode 100644 index 0000000000000000000000000000000000000000..cc8807ea16199371f935de570dc3610f0673f26b --- /dev/null +++ b/backport-CVE-2022-33103.patch @@ -0,0 +1,75 @@ +From 2ac0baab4aff1a0b45067d0b62f00c15f4e86856 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Thu, 9 Jun 2022 16:02:06 +0200 +Subject: [PATCH] fs/squashfs: sqfs_read: Prevent arbitrary code execution + +Following Jincheng's report, an out-of-band write leading to arbitrary +code execution is possible because on one side the squashfs logic +accepts directory names up to 65535 bytes (u16), while U-Boot fs logic +accepts directory names up to 255 bytes long. + +Prevent such an exploit from happening by capping directory name sizes +to 255. Use a define for this purpose so that developers can link the +limitation to its source and eventually kill it some day by dynamically +allocating this array (if ever desired). + +Link: https://lore.kernel.org/all/CALO=DHFB+yBoXxVr5KcsK0iFdg+e7ywko4-e+72kjbcS8JBfPw@mail.gmail.com +Reported-by: Jincheng Wang +Signed-off-by: Miquel Raynal +Tested-by: Jincheng Wang +--- + fs/squashfs/sqfs.c | 8 +++++--- + include/fs.h | 4 +++- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c +index 547d2fd4b30..b9f05efd9c9 100644 +--- a/fs/squashfs/sqfs.c ++++ b/fs/squashfs/sqfs.c +@@ -975,6 +975,7 @@ int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp) + int i_number, offset = 0, ret; + struct fs_dirent *dent; + unsigned char *ipos; ++ u16 name_size; + + dirs = (struct squashfs_dir_stream *)fs_dirs; + if (!dirs->size) { +@@ -1057,9 +1058,10 @@ int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp) + return -SQFS_STOP_READDIR; + } + +- /* Set entry name */ +- strncpy(dent->name, dirs->entry->name, dirs->entry->name_size + 1); +- dent->name[dirs->entry->name_size + 1] = '\0'; ++ /* Set entry name (capped at FS_DIRENT_NAME_LEN which is a U-Boot limitation) */ ++ name_size = min_t(u16, dirs->entry->name_size + 1, FS_DIRENT_NAME_LEN - 1); ++ strncpy(dent->name, dirs->entry->name, name_size); ++ dent->name[name_size] = '\0'; + + offset = dirs->entry->name_size + 1 + SQFS_ENTRY_BASE_LENGTH; + dirs->entry_count--; +diff --git a/include/fs.h b/include/fs.h +index b43f16a692f..2195dc172ec 100644 +--- a/include/fs.h ++++ b/include/fs.h +@@ -174,6 +174,8 @@ int fs_write(const char *filename, ulong addr, loff_t offset, loff_t len, + #define FS_DT_REG 8 /* regular file */ + #define FS_DT_LNK 10 /* symbolic link */ + ++#define FS_DIRENT_NAME_LEN 256 ++ + /** + * struct fs_dirent - directory entry + * +@@ -194,7 +196,7 @@ struct fs_dirent { + /** change_time: time of last modification */ + struct rtc_time change_time; + /** name: file name */ +- char name[256]; ++ char name[FS_DIRENT_NAME_LEN]; + }; + + /* Note: fs_dir_stream should be treated as opaque to the user of fs layer */ +-- +GitLab + diff --git a/uboot-tools.spec b/uboot-tools.spec index 010692ccaf466977c1cc2ffb93ee17da20ba0c78..19913d8ea8a216c9b5cb1dde0957e3c4a8bb9676 100644 --- a/uboot-tools.spec +++ b/uboot-tools.spec @@ -3,7 +3,7 @@ Name: uboot-tools Version: 2021.10 -Release: 9 +Release: 10 Summary: tools for U-Boot License: GPL-2.0-or-later and Public Domain and GPL-2.0-only URL: http://www.denx.de/wiki/U-Boot @@ -32,6 +32,7 @@ Patch6012: backport-0001-CVE-2024-57258.patch Patch6013: backport-0002-CVE-2024-57258.patch Patch6014: backport-0003-CVE-2024-57258.patch Patch6015: backport-CVE-2024-57259.patch +Patch6016: backport-CVE-2022-33103.patch BuildRequires: bc dtc gcc make flex bison git-core openssl-devel BuildRequires: python3-unversioned-command python3-devel python3-setuptools @@ -255,6 +256,9 @@ cp -p board/warp7/README builds/docs/README.warp7 %{_mandir}/man1/mkimage.1* %changelog +* Tue May 06 2025 lingsheng - 2021.10-10 +- fix CVE-2022-33103 + * Wed Feb 19 2025 lingsheng - 2021.10-9 - fix CVE-2024-57254 CVE-2024-57255 CVE-2024-57256 CVE-2024-57257 CVE-2024-57258 CVE-2024-57259