fix CVE-2024-57254 CVE-2024-57255 CVE-2024-57256 CVE-2024-57257 CVE-2024-57258 CVE-2024-57259

2025-02-19 11:42:39 +08:00 · 2025-02-19 11:42:39 +08:00 · 2b8e57d624
commit 2b8e57d624
parent d3bc9e05e5
9 changed files with 505 additions and 1 deletions
--- a/backport-0001-CVE-2024-57258.patch
+++ b/backport-0001-CVE-2024-57258.patch
@ -0,0 +1,40 @@
 From 0a10b49206a29b4aa2f80233a3e53ca0466bb0b3 Mon Sep 17 00:00:00 2001
 From: Richard Weinberger <richard@nod.at>
 Date: Fri, 2 Aug 2024 12:08:45 +0200
 Subject: [PATCH] dlmalloc: Fix integer overflow in sbrk()
 Make sure that the new break is within mem_malloc_start
 and mem_malloc_end before making progress.
 ulong new = old + increment; can overflow for extremely large
 increment values and memset() can get wrongly called.
 Signed-off-by: Richard Weinberger <richard@nod.at>
 Reviewed-by: Simon Glass <sjg@chromium.org>
 ---
 common/dlmalloc.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/common/dlmalloc.c b/common/dlmalloc.c
 index 48e83da6cbce..8e201ac0dc59 100644
 --- a/common/dlmalloc.c
 +++ b/common/dlmalloc.c
@@ -581,6 +581,9 @@ void *sbrk(ptrdiff_t increment)
 	ulong old = mem_malloc_brk;
 	ulong new = old + increment;
 +	if ((new < mem_malloc_start) || (new > mem_malloc_end))
 +		return (void *)MORECORE_FAILURE;
 +
 	/*
 	 * if we are giving memory back make sure we clear it out since
 	 * we set MORECORE_CLEARS to 1
@@ -588,9 +591,6 @@ void *sbrk(ptrdiff_t increment)
 	if (increment < 0)
 		memset((void *)new, 0, -increment);
 -	if ((new < mem_malloc_start) || (new > mem_malloc_end))
 -		return (void *)MORECORE_FAILURE;
 -
 	mem_malloc_brk = new;
 	return (void *)old;
--- a/backport-0002-CVE-2024-57258.patch
+++ b/backport-0002-CVE-2024-57258.patch
@ -0,0 +1,36 @@
 From 8642b2178d2c4002c99a0b69a845a48f2ae2706f Mon Sep 17 00:00:00 2001
 From: Richard Weinberger <richard@nod.at>
 Date: Fri, 2 Aug 2024 12:08:44 +0200
 Subject: [PATCH] dlmalloc: Fix integer overflow in request2size()
 req is of type size_t, casting it to long opens the door
 for an integer overflow.
 Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX
 cause and overflow such that request2size() returns MINSIZE.
 Fix by removing the cast.
 The origin of the cast is unclear, it's in u-boot and ppcboot since ever
 and predates the CVS history.
 Doug Lea's original dlmalloc implementation also doesn't have it.
 Signed-off-by: Richard Weinberger <richard@nod.at>
 Reviewed-by: Simon Glass <sjg@chromium.org>
 ---
 common/dlmalloc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/common/dlmalloc.c b/common/dlmalloc.c
 index 1e1602a24dec..48e83da6cbce 100644
 --- a/common/dlmalloc.c
 +++ b/common/dlmalloc.c
@@ -386,8 +386,8 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 /* pad request bytes into a usable size */
 #define request2size(req) \
 - (((long)((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
 -  (long)(MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
 + ((((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
 +  (MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
    (((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) & ~(MALLOC_ALIGN_MASK)))
 /* Check if m has acceptable alignment */
--- a/backport-0003-CVE-2024-57258.patch
+++ b/backport-0003-CVE-2024-57258.patch
@ -0,0 +1,33 @@
 From c17b2a05dd50a3ba437e6373093a0d6a359cdee0 Mon Sep 17 00:00:00 2001
 From: Richard Weinberger <richard@nod.at>
 Date: Fri, 2 Aug 2024 12:08:43 +0200
 Subject: [PATCH] x86: Fix ptrdiff_t for x86_64
 sbrk() assumes ptrdiff_t is large enough to enlarge/shrink the heap
 by LONG_MIN/LONG_MAX.
 So, use the long type, also to match the rest of the Linux ecosystem.
 Signed-off-by: Richard Weinberger <richard@nod.at>
 Reviewed-by: Simon Glass <sjg@chromium.org>
 ---
 arch/x86/include/asm/posix_types.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/arch/x86/include/asm/posix_types.h b/arch/x86/include/asm/posix_types.h
 index dbcea7f47ff9..e1ed9bcabc76 100644
 --- a/arch/x86/include/asm/posix_types.h
 +++ b/arch/x86/include/asm/posix_types.h
@@ -20,11 +20,12 @@ typedef unsigned short	__kernel_gid_t;
 #if defined(__x86_64__)
 typedef unsigned long	__kernel_size_t;
 typedef long		__kernel_ssize_t;
 +typedef long		__kernel_ptrdiff_t;
 #else
 typedef unsigned int	__kernel_size_t;
 typedef int		__kernel_ssize_t;
 -#endif
 typedef int		__kernel_ptrdiff_t;
 +#endif
 typedef long		__kernel_time_t;
 typedef long		__kernel_suseconds_t;
 typedef long		__kernel_clock_t;
--- a/backport-CVE-2024-57254.patch
+++ b/backport-CVE-2024-57254.patch
@ -0,0 +1,40 @@
 From c8e929e5758999933f9e905049ef2bf3fe6b140d Mon Sep 17 00:00:00 2001
 From: Richard Weinberger <richard@nod.at>
 Date: Fri, 2 Aug 2024 18:36:45 +0200
 Subject: [PATCH] squashfs: Fix integer overflow in sqfs_inode_size()
 A carefully crafted squashfs filesystem can exhibit an extremly large
 inode size and overflow the calculation in sqfs_inode_size().
 As a consequence, the squashfs driver will read from wrong locations.
 Fix by using __builtin_add_overflow() to detect the overflow.
 Signed-off-by: Richard Weinberger <richard@nod.at>
 Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
 ---
 fs/squashfs/sqfs_inode.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
 diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c
 index d25cfb53e75d..bb3ccd37e33b 100644
 --- a/fs/squashfs/sqfs_inode.c
 +++ b/fs/squashfs/sqfs_inode.c
@@ -78,11 +78,16 @@ int sqfs_inode_size(struct squashfs_base_inode *inode, u32 blk_size)
 	case SQFS_SYMLINK_TYPE:
 	case SQFS_LSYMLINK_TYPE: {
 +		int size;
 +
 		struct squashfs_symlink_inode *symlink =
 			(struct squashfs_symlink_inode *)inode;
 -		return sizeof(*symlink) +
 -			get_unaligned_le32(&symlink->symlink_size);
 +		if (__builtin_add_overflow(sizeof(*symlink),
 +		    get_unaligned_le32(&symlink->symlink_size), &size))
 +			return -EINVAL;
 +
 +		return size;
 	}
 	case SQFS_BLKDEV_TYPE:
--- a/backport-CVE-2024-57255.patch
+++ b/backport-CVE-2024-57255.patch
@ -0,0 +1,46 @@
 From 233945eba63e24061dffeeaeb7cd6fe985278356 Mon Sep 17 00:00:00 2001
 From: Richard Weinberger <richard@nod.at>
 Date: Fri, 2 Aug 2024 18:36:44 +0200
 Subject: [PATCH] squashfs: Fix integer overflow in sqfs_resolve_symlink()
 A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff,
 as a consequence malloc() will do a zero allocation.
 Later in the function the inode size is again used for copying data.
 So an attacker can overwrite memory.
 Avoid the overflow by using the __builtin_add_overflow() helper.
 Signed-off-by: Richard Weinberger <richard@nod.at>
 Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
 ---
 fs/squashfs/sqfs.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
 diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
 index 1430e671a5a8..16a07c0622bd 100644
 --- a/fs/squashfs/sqfs.c
 +++ b/fs/squashfs/sqfs.c
@@ -422,8 +422,10 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym,
 	char *resolved, *target;
 	u32 sz;
 -	sz = get_unaligned_le32(&sym->symlink_size);
 -	target = malloc(sz + 1);
 +	if (__builtin_add_overflow(get_unaligned_le32(&sym->symlink_size), 1, &sz))
 +		return NULL;
 +
 +	target = malloc(sz);
 	if (!target)
 		return NULL;
@@ -431,9 +433,9 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym,
 	 * There is no trailling null byte in the symlink's target path, so a
 	 * copy is made and a '\0' is added at its end.
 	 */
 -	target[sz] = '\0';
 +	target[sz - 1] = '\0';
 	/* Get target name (relative path) */
 -	strncpy(target, sym->symlink, sz);
 +	strncpy(target, sym->symlink, sz - 1);
 	/* Relative -> absolute path conversion */
 	resolved = sqfs_get_abs_path(base_path, target);
--- a/backport-CVE-2024-57256.patch
+++ b/backport-CVE-2024-57256.patch
@ -0,0 +1,44 @@
 From 35f75d2a46e5859138c83a75cd2f4141c5479ab9 Mon Sep 17 00:00:00 2001
 From: Richard Weinberger <richard@nod.at>
 Date: Fri, 9 Aug 2024 11:54:28 +0200
 Subject: [PATCH] ext4: Fix integer overflow in ext4fs_read_symlink()
 While zalloc() takes a size_t type, adding 1 to the le32 variable
 will overflow.
 A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff
 and as consequence zalloc() will do a zero allocation.
 Later in the function the inode size is again used for copying data.
 So an attacker can overwrite memory.
 Avoid the overflow by using the __builtin_add_overflow() helper.
 Signed-off-by: Richard Weinberger <richard@nod.at>
 ---
 fs/ext4/ext4_common.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
 diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c
 index 7cf0160c408d..76f7102456e3 100644
 --- a/fs/ext4/ext4_common.c
 +++ b/fs/ext4/ext4_common.c
@@ -2181,13 +2181,18 @@ static char *ext4fs_read_symlink(struct ext2fs_node *node)
 	struct ext2fs_node *diro = node;
 	int status;
 	loff_t actread;
 +	size_t alloc_size;
 	if (!diro->inode_read) {
 		status = ext4fs_read_inode(diro->data, diro->ino, &diro->inode);
 		if (status == 0)
 			return NULL;
 	}
 -	symlink = zalloc(le32_to_cpu(diro->inode.size) + 1);
 +
 +	if (__builtin_add_overflow(le32_to_cpu(diro->inode.size), 1, &alloc_size))
 +		return NULL;
 +
 +	symlink = zalloc(alloc_size);
 	if (!symlink)
 		return NULL;
--- a/backport-CVE-2024-57257.patch
+++ b/backport-CVE-2024-57257.patch
@ -0,0 +1,220 @@
 From 4f5cc096bfd0a591f8a11e86999e3d90a9484c34 Mon Sep 17 00:00:00 2001
 From: Richard Weinberger <richard@nod.at>
 Date: Fri, 2 Aug 2024 18:36:47 +0200
 Subject: [PATCH] squashfs: Fix stack overflow while symlink resolving
 The squashfs driver blindly follows symlinks, and calls sqfs_size()
 recursively. So an attacker can create a crafted filesystem and with
 a deep enough nesting level a stack overflow can be achieved.
 Fix by limiting the nesting level to 8.
 Signed-off-by: Richard Weinberger <richard@nod.at>
 Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
 ---
 fs/squashfs/sqfs.c | 76 +++++++++++++++++++++++++++++++++++++---------
 1 file changed, 61 insertions(+), 15 deletions(-)
 diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
 index fa99d514f20f..af7ff80a7bdf 100644
 --- a/fs/squashfs/sqfs.c
 +++ b/fs/squashfs/sqfs.c
@@ -24,7 +24,12 @@
 #include "sqfs_filesystem.h"
 #include "sqfs_utils.h"
 +#define MAX_SYMLINK_NEST 8
 +
 static struct squashfs_ctxt ctxt;
 +static int symlinknest;
 +
 +static int sqfs_readdir_nest(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp);
 static int sqfs_disk_read(__u32 block, __u32 nr_blocks, void *buf)
 {
@@ -510,7 +515,7 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
 			goto out;
 		}
 -		while (!sqfs_readdir(dirsp, &dent)) {
 +		while (!sqfs_readdir_nest(dirsp, &dent)) {
 			ret = strcmp(dent->name, token_list[j]);
 			if (!ret)
 				break;
@@ -537,6 +542,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
 		/* Check for symbolic link and inode type sanity */
 		if (get_unaligned_le16(&dir->inode_type) == SQFS_SYMLINK_TYPE) {
 +			if (++symlinknest == MAX_SYMLINK_NEST) {
 +				ret = -ELOOP;
 +				goto out;
 +			}
 +
 			sym = (struct squashfs_symlink_inode *)table;
 			/* Get first j + 1 tokens */
 			path = sqfs_concat_tokens(token_list, j + 1);
@@ -884,7 +894,7 @@ static int sqfs_read_directory_table(unsigned char **dir_table, u32 **pos_list)
 	return metablks_count;
 }
 -int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp)
 +static int sqfs_opendir_nest(const char *filename, struct fs_dir_stream **dirsp)
 {
 	unsigned char *inode_table = NULL, *dir_table = NULL;
 	int j, token_count = 0, ret = 0, metablks_count;
@@ -979,7 +989,19 @@ int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp)
 	return ret;
 }
 +int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp)
 +{
 +	symlinknest = 0;
 +	return sqfs_opendir_nest(filename, dirsp);
 +}
 +
 int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp)
 +{
 +	symlinknest = 0;
 +	return sqfs_readdir_nest(fs_dirs, dentp);
 +}
 +
 +static int sqfs_readdir_nest(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp)
 {
 	struct squashfs_super_block *sblk = ctxt.sblk;
 	struct squashfs_dir_stream *dirs;
@@ -1325,8 +1347,8 @@ static int sqfs_get_lregfile_info(struct squashfs_lreg_inode *lreg,
 	return datablk_count;
 }
 -int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 -	      loff_t *actread)
 +static int sqfs_read_nest(const char *filename, void *buf, loff_t offset,
 +			  loff_t len, loff_t *actread)
 {
 	char *dir = NULL, *fragment_block, *datablock = NULL;
 	char *fragment = NULL, *file = NULL, *resolved, *data;
@@ -1356,11 +1378,11 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 	}
 	/*
 -	 * sqfs_opendir will uncompress inode and directory tables, and will
 +	 * sqfs_opendir_nest will uncompress inode and directory tables, and will
 	 * return a pointer to the directory that contains the requested file.
 	 */
 	sqfs_split_path(&file, &dir, filename);
 -	ret = sqfs_opendir(dir, &dirsp);
 +	ret = sqfs_opendir_nest(dir, &dirsp);
 	if (ret) {
 		goto out;
 	}
@@ -1368,7 +1390,7 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 	dirs = (struct squashfs_dir_stream *)dirsp;
 	/* For now, only regular files are able to be loaded */
 -	while (!sqfs_readdir(dirsp, &dent)) {
 +	while (!sqfs_readdir_nest(dirsp, &dent)) {
 		ret = strcmp(dent->name, file);
 		if (!ret)
 			break;
@@ -1421,9 +1443,14 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 		break;
 	case SQFS_SYMLINK_TYPE:
 	case SQFS_LSYMLINK_TYPE:
 +		if (++symlinknest == MAX_SYMLINK_NEST) {
 +			ret = -ELOOP;
 +			goto out;
 +		}
 +
 		symlink = (struct squashfs_symlink_inode *)ipos;
 		resolved = sqfs_resolve_symlink(symlink, filename);
 -		ret = sqfs_read(resolved, buf, offset, len, actread);
 +		ret = sqfs_read_nest(resolved, buf, offset, len, actread);
 		free(resolved);
 		goto out;
 	case SQFS_BLKDEV_TYPE:
@@ -1594,7 +1621,14 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 	return ret;
 }
 -int sqfs_size(const char *filename, loff_t *size)
 +int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
 +	      loff_t *actread)
 +{
 +	symlinknest = 0;
 +	return sqfs_read_nest(filename, buf, offset, len, actread);
 +}
 +
 +static int sqfs_size_nest(const char *filename, loff_t *size)
 {
 	struct squashfs_super_block *sblk = ctxt.sblk;
 	struct squashfs_symlink_inode *symlink;
@@ -1610,10 +1644,10 @@ int sqfs_size(const char *filename, loff_t *size)
 	sqfs_split_path(&file, &dir, filename);
 	/*
 -	 * sqfs_opendir will uncompress inode and directory tables, and will
 +	 * sqfs_opendir_nest will uncompress inode and directory tables, and will
 	 * return a pointer to the directory that contains the requested file.
 	 */
 -	ret = sqfs_opendir(dir, &dirsp);
 +	ret = sqfs_opendir_nest(dir, &dirsp);
 	if (ret) {
 		ret = -EINVAL;
 		goto free_strings;
@@ -1621,7 +1655,7 @@ int sqfs_size(const char *filename, loff_t *size)
 	dirs = (struct squashfs_dir_stream *)dirsp;
 -	while (!sqfs_readdir(dirsp, &dent)) {
 +	while (!sqfs_readdir_nest(dirsp, &dent)) {
 		ret = strcmp(dent->name, file);
 		if (!ret)
 			break;
@@ -1661,6 +1695,11 @@ int sqfs_size(const char *filename, loff_t *size)
 		break;
 	case SQFS_SYMLINK_TYPE:
 	case SQFS_LSYMLINK_TYPE:
 +		if (++symlinknest == MAX_SYMLINK_NEST) {
 +			*size = 0;
 +			return -ELOOP;
 +		}
 +
 		symlink = (struct squashfs_symlink_inode *)ipos;
 		resolved = sqfs_resolve_symlink(symlink, filename);
 		ret = sqfs_size(resolved, size);
@@ -1700,10 +1739,11 @@ int sqfs_exists(const char *filename)
 	sqfs_split_path(&file, &dir, filename);
 	/*
 -	 * sqfs_opendir will uncompress inode and directory tables, and will
 +	 * sqfs_opendir_nest will uncompress inode and directory tables, and will
 	 * return a pointer to the directory that contains the requested file.
 	 */
 -	ret = sqfs_opendir(dir, &dirsp);
 +	symlinknest = 0;
 +	ret = sqfs_opendir_nest(dir, &dirsp);
 	if (ret) {
 		ret = -EINVAL;
 		goto free_strings;
@@ -1711,7 +1751,7 @@ int sqfs_exists(const char *filename)
 	dirs = (struct squashfs_dir_stream *)dirsp;
 -	while (!sqfs_readdir(dirsp, &dent)) {
 +	while (!sqfs_readdir_nest(dirsp, &dent)) {
 		ret = strcmp(dent->name, file);
 		if (!ret)
 			break;
@@ -1728,6 +1768,12 @@ int sqfs_exists(const char *filename)
 	return ret == 0;
 }
 +int sqfs_size(const char *filename, loff_t *size)
 +{
 +	symlinknest = 0;
 +	return sqfs_size_nest(filename, size);
 +}
 +
 void sqfs_close(void)
 {
 	sqfs_decompressor_cleanup(&ctxt);
--- a/backport-CVE-2024-57259.patch
+++ b/backport-CVE-2024-57259.patch
@ -0,0 +1,34 @@
 From 048d795bb5b3d9c5701b4855f5e74bcf6849bf5e Mon Sep 17 00:00:00 2001
 From: Richard Weinberger <richard@nod.at>
 Date: Fri, 2 Aug 2024 22:05:09 +0200
 Subject: [PATCH] squashfs: Fix heap corruption in sqfs_search_dir()
 res needs to be large enough to store both strings rem and target,
 plus the path separator and the terminator.
 Currently the space for the path separator is not accounted, so
 the heap is corrupted by one byte.
 Signed-off-by: Richard Weinberger <richard@nod.at>
 Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
 ---
 fs/squashfs/sqfs.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
 diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
 index af7ff80a7bdf..b9314019b1bc 100644
 --- a/fs/squashfs/sqfs.c
 +++ b/fs/squashfs/sqfs.c
@@ -567,8 +567,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
 				ret = -ENOMEM;
 				goto out;
 			}
 -			/* Concatenate remaining tokens and symlink's target */
 -			res = malloc(strlen(rem) + strlen(target) + 1);
 +			/*
 +			 * Concatenate remaining tokens and symlink's target.
 +			 * Allocate enough space for rem, target, '/' and '\0'.
 +			 */
 +			res = malloc(strlen(rem) + strlen(target) + 2);
 			if (!res) {
 				ret = -ENOMEM;
 				goto out;
--- a/uboot-tools.spec
+++ b/uboot-tools.spec
@ -3,7 +3,7 @@
 Name:           uboot-tools
 Version:        2024.01
-Release:        1
+Release:        2
 Summary:        tools for U-Boot
 License:        GPL-2.0-or-later and Public Domain and GPL-2.0-only
 URL:            http://www.denx.de/wiki/U-Boot
@ -17,6 +17,14 @@ Patch3:         backport-Provide-a-fallback-to-smbios-tables.patch
 Patch4:         backport-enable-bootmenu-by-default.patch
 Patch5:         backport-uefi-Boot-var-automatic-management-for-removable-medias.patch
 Patch6:         backport-rockchip-Add-initial-support-for-the-PinePhone-Pro.patch
 Patch7:         backport-CVE-2024-57254.patch
 Patch8:         backport-CVE-2024-57255.patch
 Patch9:         backport-CVE-2024-57256.patch
 Patch10:        backport-CVE-2024-57257.patch
 Patch11:        backport-0001-CVE-2024-57258.patch
 Patch12:        backport-0002-CVE-2024-57258.patch
 Patch13:        backport-0003-CVE-2024-57258.patch
 Patch14:        backport-CVE-2024-57259.patch
 BuildRequires:  bc dtc gcc make flex bison git-core openssl-devel
 BuildRequires:  python3-unversioned-command python3-devel python3-setuptools
@ -221,6 +229,9 @@ install -p -m 0755 %{SOURCE2} %{buildroot}/lib/kernel/install.d/
 %{_mandir}/man1/mkimage.1*
 %changelog
 * Wed Feb 19 2025 lingsheng <lingsheng1@h-partners.com> - 2024.01-2
 - fix CVE-2024-57254 CVE-2024-57255 CVE-2024-57256 CVE-2024-57257 CVE-2024-57258 CVE-2024-57259
 * Thu Feb 29 2024 xingwei <xingwei14@h-partners.com> - 2024.01-1
 - Type:requirement
 - ID:NA