[PATCH] fs/squashfs: Use kcalloc when relevant

Tom Rini trini at konsulko.com
Fri Jun 24 21:34:05 CEST 2022


On Fri, Jun 24, 2022 at 09:27:29PM +0200, Miquel Raynal wrote:

> A crafted squashfs image could embed a huge number of empty metadata
> blocks in order to make the amount of malloc()'d memory overflow and be
> much smaller than expected. Because of this flaw, any random code
> positioned at the right location in the squashfs image could be memcpy'd
> from the squashfs structures into U-Boot code location while trying to
> access the rearmost blocks, before being executed.
> 
> In order to prevent this vulnerability from being exploited in e.g. a
> secure boot environment, let's add a check over the amount of data
> that is going to be allocated. Such a check could look like:
> 
> if (!elem_size || n > SIZE_MAX / elem_size)
> 	return NULL;
> 
> The right way to do it would be to enhance the calloc() implementation
> but this is quite an impacting change for such a small fix. Another
> solution would be to add the check before the malloc call in the
> squashfs implementation, but this does not look right. So for now, let's
> use the kcalloc() compatibility function from Linux, which has this
> check.
> 
> Reported-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu at sony.com>
> Signed-off-by: Miquel Raynal <miquel.raynal at bootlin.com>

Reviewed-by: Tom Rini <trini at konsulko.com>

-- 
Tom
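The overflow check quoted in the patch description above, worked through as an added example that is not part of the thread or of U-Boot's own code. The descriptor struct, the image block count and the helper names (checked_calloc, alloc_block_table, block_count_acceptable) are constructed for illustration; checked_calloc mirrors the `n > SIZE_MAX / elem_size` test from the description rather than reproducing U-Boot's kcalloc() compatibility function. It contrasts the size an unchecked malloc(n * elem_size) would actually request once the product wraps with the checked path, which refuses the image-supplied count instead of returning an undersized buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a metadata block descriptor (16 bytes); the
 * real squashfs on-disk layout is not reproduced here. */
struct meta_block {
    uint64_t offset;
    uint32_t length;
    uint32_t flags;
};

/* Hypothetical kcalloc-style allocation wrapper: refuses the request
 * when n * elem_size would wrap around SIZE_MAX, which is exactly the
 * check quoted in the patch description. */
void *checked_calloc(size_t n, size_t elem_size)
{
    if (!elem_size || n > SIZE_MAX / elem_size)
        return NULL;
    return calloc(n, elem_size);
}

/* Size an unchecked malloc(n * elem_size) would request after the
 * multiplication wraps. Unsigned wrap-around is well defined in C, so
 * this is deterministic: the caller "believes" it asked for n elements
 * but the allocator sees only the wrapped value. */
size_t unchecked_request_size(size_t n, size_t elem_size)
{
    return n * elem_size;
}

/* Allocates a table of n descriptors through the checked path.
 * Returns 1 and stores the table in *out on success, 0 if the count is
 * rejected (overflow) or the allocator is out of memory. */
int alloc_block_table(size_t n, struct meta_block **out)
{
    struct meta_block *tbl = checked_calloc(n, sizeof(*tbl));
    if (!tbl)
        return 0;
    *out = tbl;
    return 1;
}

/* Verdict-only variant for callers that just want to know whether an
 * image-supplied block count is acceptable; frees the table again. */
int block_count_acceptable(size_t n)
{
    struct meta_block *tbl;
    if (!alloc_block_table(n, &tbl))
        return 0;
    free(tbl);
    return 1;
}

int main(void)
{
    /* Constructed count: SIZE_MAX / 16 + 2 makes n * 16 wrap to 16, so the
     * unchecked path would hand back room for a single descriptor while
     * the loader proceeds as if it had room for n of them. */
    size_t hostile = SIZE_MAX / sizeof(struct meta_block) + 2;
    size_t sane = 8;

    printf("unchecked request for hostile count: %zu bytes\n",
           unchecked_request_size(hostile, sizeof(struct meta_block)));
    printf("checked path accepts hostile count: %d\n",
           block_count_acceptable(hostile));
    printf("checked path accepts sane count:    %d\n",
           block_count_acceptable(sane));
    return 0;
}
```

The check is cheap (one division per allocation) and is the same test whichever caller performs it; the description's point is that putting it in the allocator wrapper covers every size computation at once, whereas guarding individual malloc() calls in the filesystem code leaves the next caller to repeat the mistake.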