Several potential vulnerabilities in the filesystem

jianqiang wang wjq.sec at gmail.com
Wed Jun 5 00:53:33 CEST 2024


Hi Das U-Boot developers,

I found several vulnerabilities in the U-Boot filesystem implementation:

1. In file fs/squashfs/sqfs_inode.c, function sqfs_inode_size: the
parameter blk_size comes directly or indirectly from the storage data.
However, without a sanity check, this value is directly used in the
division operations, leading to a division-by-zero exception.

2. In file fs/erofs/data.c, function z_erofs_read_one_data: the inode
data is read from the storage; however, without a proper check, the
data can be corrupted. For example, when the inode data is used in
function z_erofs_read_data, map.m_llen will be calculated to a very
large value, which means the length variable will be very large. It
will cause a large memory clear with memset(buffer + end - offset, 0,
length);

3. In file fs/squashfs/sqfs.c, function sqfs_frag_lookup: the header
variable is read/calculated from the storage data; however, without a
proper check, memcpy(entries, metadata, SQFS_METADATA_SIZE(header));
will cause a buffer overwrite when the header cannot correctly clear
the higher bits (SQFS_METADATA_SIZE(header)).

Could you please confirm these vulnerabilities?

Best regards,
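Added here as an illustration (C, not U-Boot's own code): sanity checks of the kind the three reports point to, applied to values read from storage before they reach a division or a memcpy/memset length. The range limits and the 15-bit length mask are assumptions drawn from the SquashFS on-disk format, not taken from U-Boot's sources.

```c
/* Added example, not U-Boot code: validate on-disk values before they
 * drive arithmetic or copies. Limits are assumptions from the SquashFS
 * format: block size 4 KiB..1 MiB and a power of two; metadata blocks
 * at most 8 KiB, with the length in the low 15 bits of the header. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define SQ_BLOCK_MIN     4096u
#define SQ_BLOCK_MAX     (1u << 20)
#define SQ_META_MAX      8192u
#define SQ_META_LEN_MASK 0x7fffu

/* A block size read from storage is trusted only if it lies in the
 * format's range and is a power of two; 0 is rejected, never divided by. */
bool sqfs_blk_size_ok(uint32_t blk_size)
{
	if (blk_size < SQ_BLOCK_MIN || blk_size > SQ_BLOCK_MAX)
		return false;
	return (blk_size & (blk_size - 1)) == 0;
}

/* Data blocks needed for file_size bytes, or -1 on a bad block size. */
long sqfs_block_count(uint64_t file_size, uint32_t blk_size)
{
	if (!sqfs_blk_size_ok(blk_size))
		return -1;
	return (long)((file_size + blk_size - 1) / blk_size);
}

/* Mask the header's length field and bound it against both the source
 * bytes available and the destination before memcpy. Returns the bytes
 * copied, or 0 when the header is refused. */
size_t sqfs_copy_metadata(uint8_t *dst, size_t dst_len, const uint8_t *src,
			  size_t src_avail, uint16_t header)
{
	size_t len = header & SQ_META_LEN_MASK;
	if (len == 0 || len > SQ_META_MAX || len > dst_len || len > src_avail)
		return 0;
	memcpy(dst, src, len);
	return len;
}

/* Constructed sample: a 64-byte destination fed from an 8 KiB source. */
size_t demo_metadata_copy(uint16_t header)
{
	static uint8_t src[SQ_META_MAX];
	uint8_t dst[64];
	return sqfs_copy_metadata(dst, sizeof(dst), src, sizeof(src), header);
}
```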


More information about the U-Boot mailing list