[PATCH 4/4] squashfs: Fix stack overflow while symlink resolving

Miquel Raynal miquel.raynal at bootlin.com
Wed Jul 17 10:26:29 CEST 2024


Hi Richard,

richard at sigma-star.at wrote on Wed, 17 Jul 2024 10:16:06 +0200:

> Hi Miquel,
> 
> On Wednesday, 17 July 2024, 10:06:35 CEST, 'Miquel Raynal' via upstream wrote:
> > Hi Richard,
> > 
> > richard at nod.at wrote on Fri, 12 Jul 2024 10:23:44 +0200:
> >   
> > > The squashfs driver blindly follows symlinks, and calls sqfs_size()
> > > recursively. So an attacker can create a crafted filesystem and with
> > > a deep enough nesting level a stack overflow can be achieved.
> > > 
> > > Fix by limiting the nesting level to 8.  
> > 
> > As this is I believe an arbitrary value, could we define this value
> > somewhere and flag it with a comment as "arbitrary" with some details
> > from the commit log? Right now the value '8' is hardcoded at least in 3
> > different places.  
> 
> I stole the value from the ext4 code.

Ah ok, interesting. So I guess it is "enough" and was probably not so
random.

> Since U-Boot lacks a common filesystem code, there will always be
> duplication. I can happily add a common define for the value.

Oh yeah, I meant a define in squashfs' code. I was not hinting to
declare a global number (even though in practice it would be nice).

> > Also, 8 seems rather small, any reason for choosing
> > that? I believe this is easy to cross even in non-evil filesystems and
> > could perhaps be (again, arbitrarily) increased a bit?  
> 
> For ext4 the value seems okay.
> So dunno. :-)

Yeah, fine I guess.

Thanks,
Miquèl
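
The bounded symlink resolution discussed in this thread, as an added example that is not part of the original message and is not U-Boot's squashfs code: a recursive size lookup over a constructed in-memory table, with the nesting limit held in a single define. The names `MAX_SYMLINK_NEST`, `size_nested`, `file_size`, the error codes and the sample entries are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Arbitrary cap on nested symlinks, defined once (the thread's patch uses 8). */
#define MAX_SYMLINK_NEST 8
#define ERR_NOENT (-1)
#define ERR_LOOP  (-2)

/* Constructed in-memory "filesystem": a non-NULL target marks a symlink. */
struct entry { const char *name; const char *target; long size; };

static const struct entry sample_fs[] = {
    { "kernel", NULL, 4096 },
    { "l1", "kernel", 0 }, { "l2", "l1", 0 }, { "l3", "l2", 0 },
    { "l4", "l3", 0 }, { "l5", "l4", 0 }, { "l6", "l5", 0 },
    { "l7", "l6", 0 }, { "l8", "l7", 0 }, { "l9", "l8", 0 },
    { "self", "self", 0 }, { "dangling", "missing", 0 },
};
#define SAMPLE_N (sizeof(sample_fs) / sizeof(sample_fs[0]))

/* depth = number of symlinks already followed on this lookup. */
static long size_nested(const struct entry *fs, size_t n, const char *name, int depth)
{
    if (depth > MAX_SYMLINK_NEST)
        return ERR_LOOP;            /* refuse before recursing any further */
    for (size_t i = 0; i < n; i++) {
        if (strcmp(fs[i].name, name) != 0)
            continue;
        if (fs[i].target)           /* symlink: resolve its target one level deeper */
            return size_nested(fs, n, fs[i].target, depth + 1);
        return fs[i].size;          /* regular file */
    }
    return ERR_NOENT;
}

long file_size(const struct entry *fs, size_t n, const char *name)
{
    return size_nested(fs, n, name, 0);
}

int main(void)
{
    const char *names[] = { "kernel", "l8", "l9", "self", "dangling" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-8s -> %ld\n", names[i], file_size(sample_fs, SAMPLE_N, names[i]));
    return 0;
}
```

With the limit in one define, a chain of eight links still resolves while a ninth link or a self-referencing link returns an error instead of consuming more stack.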

