[PATCH v2] fs/squashfs: sqfs_read: Prevent arbitrary code execution
Tom Rini
trini at konsulko.com
Fri Jun 17 15:17:05 CEST 2022
On Thu, Jun 09, 2022 at 04:02:06PM +0200, Miquel Raynal wrote:
> Following Jincheng's report, an out-of-band write leading to arbitrary
> code execution is possible because on one side the squashfs logic
> accepts directory names up to 65535 bytes (u16), while U-Boot fs logic
> accepts directory names up to 255 bytes long.
>
> Prevent such an exploit from happening by capping directory name sizes
> to 255. Use a define for this purpose so that developers can link the
> limitation to its source and eventually kill it some day by dynamically
> allocating this array (if ever desired).
>
> Link: https://lore.kernel.org/all/CALO=DHFB+yBoXxVr5KcsK0iFdg+e7ywko4-e+72kjbcS8JBfPw@mail.gmail.com
> Reported-by: Jincheng Wang <jc.w4ng at gmail.com>
> Signed-off-by: Miquel Raynal <miquel.raynal at bootlin.com>
> Tested-by: Jincheng Wang <jc.w4ng at gmail.com>
Applied to u-boot/master, thanks!
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20220617/abdf5b59/attachment.sig>
More information about the U-Boot
mailing list