[PATCH 4/4] squashfs: Fix stack overflow while symlink resolving
Richard Weinberger
richard at sigma-star.at
Wed Jul 17 10:16:06 CEST 2024
Hi Miquel,
Am Mittwoch, 17. Juli 2024, 10:06:35 CEST schrieb 'Miquel Raynal' via upstream:
> Hi Richard,
>
> richard at nod.at wrote on Fri, 12 Jul 2024 10:23:44 +0200:
>
> > The squashfs driver blindly follows symlinks, and calls sqfs_size()
> > recursively. So an attacker can create a crafted filesystem and with
> > a deep enough nesting level a stack overflow can be achieved.
> >
> > Fix by limiting the nesting level to 8.
>
> As this is I believe an arbitrary value, could we define this value
> somewhere and flag it with a comment as "arbitrary" with some details
> from the commit log? Right now the value '8' is hardcoded at least in 3
> different places.
I stole the value from the ext4 code.
Since U-Boot lacks a common filesystem code, there will be always
duplication. I can happily add a common define for the value.
> Also, 8 seems rather small, any reason for choosing
> that? I believe this is easy to cross even in non-evil filesystems and
> could perhaps be (again, arbitrarily) increased a bit?
For ext4 the value seems okay.
So dunno. :-)
Thanks,
//richard
--
sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT
UID/VAT Nr: ATU 66964118 | FN: 374287y
More information about the U-Boot
mailing list