[PATCH 4/4] squashfs: Fix stack overflow while symlink resolving
Miquel Raynal
miquel.raynal at bootlin.com
Wed Jul 17 10:26:29 CEST 2024
Hi Richard,
richard at sigma-star.at wrote on Wed, 17 Jul 2024 10:16:06 +0200:
> Hi Miquel,
>
> Am Mittwoch, 17. Juli 2024, 10:06:35 CEST schrieb 'Miquel Raynal' via upstream:
> > Hi Richard,
> >
> > richard at nod.at wrote on Fri, 12 Jul 2024 10:23:44 +0200:
> >
> > > The squashfs driver blindly follows symlinks, and calls sqfs_size()
> > > recursively. So an attacker can create a crafted filesystem and with
> > > a deep enough nesting level a stack overflow can be achieved.
> > >
> > > Fix by limiting the nesting level to 8.
> >
> > As this is I believe an arbitrary value, could we define this value
> > somewhere and flag it with a comment as "arbitrary" with some details
> > from the commit log? Right now the value '8' is hardcoded at least in 3
> > different places.
>
> I stole the value from the ext4 code.
Ah ok, interesting. So I guess it is "enough" and was probably not so
random.
> Since U-Boot lacks a common filesystem code, there will be always
> duplication. I can happily add a common define for the value.
Oh yeah, I meant a define in squashfs' code. I was not hinting to
declare a global number (even though in practice it would be nice).
> > Also, 8 seems rather small, any reason for choosing
> > that? I believe this is easy to cross even in non-evil filesystems and
> > could perhaps be (again, arbitrarily) increased a bit?
>
> For ext4 the value seems okay.
> So dunno. :-)
Yeah, fine I guess.
Thanks,
Miquèl
More information about the U-Boot
mailing list