packages/uboot-tools
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!53 fix CVE-2022-33967

Browse Source 
From: @cenhuilin 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
This commit is contained in:
openeuler-ci-bot 2022-07-27 06:22:13 +00:00 committed by Gitee
commit 9677e4ac24
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 57 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
backport-CVE-2022-33967.patch Normal file
View File

@ -0,0 +1,52 @@
From e40e9a32dd411f444d6e2ed73c517ee584a386ae Mon Sep 17 00:00:00 2001
From: Miquel Raynal <miquel.raynal@bootlin.com>
Date: Wed, 20 Jul 2022 09:18:20 +0000
Subject: [PATCH] fs/squashfs: Use kcalloc when relevant
A crafted squashfs image could embed a huge number of empty metadata
blocks in order to make the amount of malloc()'d memory overflow and be
much smaller than expected. Because of this flaw, any random code
positioned at the right location in the squashfs image could be memcpy'd
from the squashfs structures into U-Boot code location while trying to
access the rearmost blocks, before being executed.
In order to prevent this vulnerability from being exploited in eg. a
secure boot environment, let's add a check over the amount of data
that is going to be allocated. Such a check could look like:
if (!elem_size || n > SIZE_MAX / elem_size)
return NULL;
The right way to do it would be to enhance the calloc() implementation
but this is quite an impacting change for such a small fix. Another
solution would be to add the check before the malloc call in the
squashfs implementation, but this does not look right. So for now, let's
use the kcalloc() compatibility function fro...
---
fs/squashfs/sqfs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index 92ab8ac6..ef4b5836 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -13,6 +13,7 @@
#include <linux/types.h>
#include <linux/byteorder/little_endian.h>
#include <linux/byteorder/generic.h>
+#include <linux/compat.h>
#include <memalign.h>
#include <stdlib.h>
#include <string.h>
@@ -725,7 +726,8 @@ static int sqfs_read_inode_table(unsigned char **inode_table)
goto free_itb;
}
- *inode_table = malloc(metablks_count * SQFS_METADATA_BLOCK_SIZE);
+ *inode_table = kcalloc(metablks_count, SQFS_METADATA_BLOCK_SIZE,
+ GFP_KERNEL);
if (!*inode_table) {
ret = -ENOMEM;
goto free_itb;
--
2.33.0

6
uboot-tools.spec
View File

@ -3,7 +3,7 @@
Name: uboot-tools Name: uboot-tools
Version: 2021.10 Version: 2021.10
Release: 5 Release: 6
Summary: tools for U-Boot Summary: tools for U-Boot
License: GPL-2.0-or-later and Public Domain and GPL-2.0-only License: GPL-2.0-or-later and Public Domain and GPL-2.0-only
URL: http://www.denx.de/wiki/U-Boot URL: http://www.denx.de/wiki/U-Boot
@ -20,6 +20,7 @@ Patch6001: backport-AllWinner-PineTab.patch
# RPI4 # RPI4
Patch6002: backport-rpi-Enable-using-the-DT-provided-by-the-Raspberry-Pi.patch Patch6002: backport-rpi-Enable-using-the-DT-provided-by-the-Raspberry-Pi.patch
Patch6003: backport-CVE-2022-34835.patch Patch6003: backport-CVE-2022-34835.patch
Patch6004: backport-CVE-2022-33967.patch
BuildRequires: bc dtc gcc make flex bison git-core openssl-devel BuildRequires: bc dtc gcc make flex bison git-core openssl-devel
BuildRequires: python3-unversioned-command python3-devel python3-setuptools BuildRequires: python3-unversioned-command python3-devel python3-setuptools
@ -243,6 +244,9 @@ cp -p board/warp7/README builds/docs/README.warp7
%{_mandir}/man1/mkimage.1* %{_mandir}/man1/mkimage.1*
%changelog %changelog
* Wed Jul 20 2022 cenhuilin <cenhuilin@kylinos.cn> - 2021.10-6
- fix CVE-2022-33967
* Tue Jul 12 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 2021.10-5 * Tue Jul 12 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 2021.10-5
- fix CVE-2022-34835 - fix CVE-2022-34835