[PATCH v2] fs/squashfs: Use kcalloc when relevant

Tom Rini trini at konsulko.com
Wed Jun 29 00:54:34 CEST 2022


On Mon, Jun 27, 2022 at 12:20:03PM +0200, Miquel Raynal wrote:

> A crafted squashfs image could embed a huge number of empty metadata
> blocks in order to make the amount of malloc()'d memory overflow and be
> much smaller than expected. Because of this flaw, any random code
> positioned at the right location in the squashfs image could be memcpy'd
> from the squashfs structures into U-Boot code location while trying to
> access the rearmost blocks, before being executed.
> 
> In order to prevent this vulnerability from being exploited in e.g. a
> secure boot environment, let's add a check over the amount of data
> that is going to be allocated. Such a check could look like:
> 
> if (!elem_size || n > SIZE_MAX / elem_size)
> 	return NULL;
> 
> The right way to do it would be to enhance the calloc() implementation
> but this is quite an impacting change for such a small fix. Another
> solution would be to add the check before the malloc call in the
> squashfs implementation, but this does not look right. So for now, let's
> use the kcalloc() compatibility function from Linux, which has this
> check.
> 
> Fixes: c5100613037 ("fs/squashfs: new filesystem")
> Reported-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu at sony.com>
> Signed-off-by: Miquel Raynal <miquel.raynal at bootlin.com>
> Tested-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu at sony.com>

Applied to u-boot/master, thanks!

-- 
Tom
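The overflow the commit message describes and the kcalloc()-style check it quotes, as an added example that is not U-Boot's code or the patch's code. It simulates a loader that sizes a table from an image-controlled block count: one sizing helper multiplies blindly, the other applies the `n > SIZE_MAX / elem_size` check. The function names, the crafted block count and the "entries past end" accounting are illustrative assumptions; the example only computes how many entries would land beyond the (wrapped) allocation instead of performing the out-of-bounds copy.

```c
/* Added example (not U-Boot code): size_t wrap-around in a
 * count * element-size allocation, and the check kcalloc() applies. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Naive sizing: the product silently wraps when n is large enough. */
static bool naive_alloc_size(size_t n, size_t elem_size, size_t *out)
{
	*out = n * elem_size;
	return true;
}

/* Checked sizing: the same test the commit message quotes from kcalloc(). */
static bool checked_alloc_size(size_t n, size_t elem_size, size_t *out)
{
	if (!elem_size || n > SIZE_MAX / elem_size)
		return false;
	*out = n * elem_size;
	return true;
}

/* Illustrative attacker choice: the smallest count for which
 * n * elem_size wraps around to exactly elem_size bytes. */
static size_t crafted_count(size_t elem_size)
{
	return SIZE_MAX / elem_size + 2;
}

/* Simulated loader: allocate room for nblocks entries of elem_size
 * bytes using size_fn, then "copy" one entry per block. Returns how
 * many entries would land past the end of the buffer (0 = safe).
 * No memory is actually allocated or written. */
static size_t entries_past_end(size_t nblocks, size_t elem_size,
			       bool (*size_fn)(size_t, size_t, size_t *))
{
	size_t bytes, fit;

	if (!elem_size)
		return 0; /* nothing to copy; avoids dividing by zero below */
	if (!size_fn(nblocks, elem_size, &bytes))
		return 0; /* allocation refused, loader bails out */

	fit = bytes / elem_size; /* entries that fit in the wrapped size */
	return nblocks > fit ? nblocks - fit : 0;
}

/* Convenience for callers: does the checked helper refuse (n, elem_size)? */
static bool size_is_rejected(size_t n, size_t elem_size)
{
	size_t bytes;

	return !checked_alloc_size(n, elem_size, &bytes);
}

int main(void)
{
	size_t n = crafted_count(8);

	printf("crafted count: %zu entries of 8 bytes\n", n);
	printf("naive sizing:   %zu entries past end\n",
	       entries_past_end(n, 8, naive_alloc_size));
	printf("checked sizing: %zu entries past end (rejected=%d)\n",
	       entries_past_end(n, 8, checked_alloc_size),
	       size_is_rejected(n, 8));
	return 0;
}
```

With the naive helper the product wraps to 8 bytes, so all but one of the crafted entries would be written past the buffer; the checked helper refuses the allocation outright, which is the behaviour the switch to kcalloc() buys.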