[PATCH 4/4] squashfs: Fix stack overflow while symlink resolving

Richard Weinberger richard at sigma-star.at
Wed Jul 17 10:16:06 CEST 2024


Hi Miquel,

On Wednesday, 17 July 2024, 10:06:35 CEST, 'Miquel Raynal' via upstream wrote:
> Hi Richard,
> 
> richard at nod.at wrote on Fri, 12 Jul 2024 10:23:44 +0200:
> 
> > The squashfs driver blindly follows symlinks, and calls sqfs_size()
> > recursively. So an attacker can create a crafted filesystem and with
> > a deep enough nesting level a stack overflow can be achieved.
> > 
> > Fix by limiting the nesting level to 8.
> 
> As this is, I believe, an arbitrary value, could we define this value
> somewhere and flag it with a comment as "arbitrary" with some details
> from the commit log? Right now the value '8' is hardcoded in at least 3
> different places.

I stole the value from the ext4 code.
Since U-Boot lacks common filesystem code, there will always be
duplication. I can happily add a common define for the value.

> Also, 8 seems rather small, any reason for choosing
> that? I believe this is easy to cross even in non-evil filesystems and
> could perhaps be (again, arbitrarily) increased a bit?

For ext4 the value seems okay.
So dunno. :-)

Thanks,
//richard

-- 
sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT
UID/VAT Nr: ATU 66964118 | FN: 374287y
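
As an added illustration of the fix discussed in this thread (not code from the patch or from U-Boot): a toy in-memory resolver whose symlink recursion is bounded by one shared define instead of a literal repeated in several places. The names `TOY_MAX_SYMLINK_NEST`, `toy_size()` and the sample table are constructed for this example, and returning `-ELOOP` at the limit is an assumption.

```c
#include <errno.h>
#include <string.h>

/* Hypothetical shared limit; 8 is the value from the thread and is arbitrary. */
#define TOY_MAX_SYMLINK_NEST 8

struct toy_entry {
	const char *name;
	const char *target;	/* non-NULL: entry is a symlink to this name */
	long size;		/* meaningful for regular files only */
};

/* Constructed sample image: a 3-link chain, a 10-link chain and a self-loop. */
static const struct toy_entry toy_fs[] = {
	{ "kernel.img", NULL, 4096 },
	{ "a1", "a2", 0 }, { "a2", "a3", 0 }, { "a3", "kernel.img", 0 },
	{ "d0", "d1", 0 }, { "d1", "d2", 0 }, { "d2", "d3", 0 }, { "d3", "d4", 0 },
	{ "d4", "d5", 0 }, { "d5", "d6", 0 }, { "d6", "d7", 0 }, { "d7", "d8", 0 },
	{ "d8", "d9", 0 }, { "d9", "kernel.img", 0 },
	{ "loop", "loop", 0 },
};

static const struct toy_entry *toy_lookup(const char *name)
{
	for (size_t i = 0; i < sizeof(toy_fs) / sizeof(toy_fs[0]); i++)
		if (!strcmp(toy_fs[i].name, name))
			return &toy_fs[i];
	return NULL;
}

/* nest counts the symlinks already followed on the way to this entry. */
static int toy_size_nest(const char *name, long *size, int nest)
{
	const struct toy_entry *e = toy_lookup(name);

	if (!e)
		return -ENOENT;
	if (!e->target) {
		*size = e->size;
		return 0;
	}
	if (nest >= TOY_MAX_SYMLINK_NEST)
		return -ELOOP;	/* bounds recursion depth, and so stack use */
	return toy_size_nest(e->target, size, nest + 1);
}

int toy_size(const char *name, long *size)
{
	return toy_size_nest(name, size, 0);
}
```

With this counting, a chain of exactly 8 links still resolves and the 9th link is refused, which makes the cost of a small limit on legitimate images easy to see when tuning the define.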