ZDI-CAN-24679: New Vulnerability Report

[Tom Rini]

On Thu, Nov 14, 2024 at 12:18:49PM -0800, Tony Dinh wrote:
> Hi Tom,
> Hi Stefan,
> 
> On Thu, Nov 14, 2024 at 8:33 AM Tom Rini <trini at konsulko.com> wrote:
> >
> > On Thu, Nov 14, 2024 at 04:07:15PM +0100, Michal Simek wrote:
> >
> > > Hi,
> > >
> > > On 11/14/24 15:56, Tom Rini wrote:
> > > > On Thu, Nov 14, 2024 at 04:02:29AM +0000, zdi-disclosures at trendmicro.com wrote:
> > > >
> > > > > Hi,
> > > > > Do you have any updates to share regarding this vulnerability report?
> > > >
> > > > Michal, microblaze-generic is the most active platform that enables
> > > > FS_JFFS2 by default and so vulnerable here. Can you find some resources
> > > > to look in to fixing this please? Thanks.
> > >
> > > We have actually discussed this recently and we have other issues with jffs2
> > > and not going to fix it or recommend to use it.
> > > JFFS2 should be removed from our configs and it is also not under our regression.
> >
> > Ah OK, thanks. Adding a few more maintainers now then.
> 
> Does this affect only boards that explicitly use CMD_JFFS2? how about
> boards that have not been converted to bootstd and still use "nand
> read" like this:
> 
> include/configs/openrd.h
> 
> #define CFG_EXTRA_ENV_SETTINGS  "x_bootargs=console=ttyS0,115200 " \
>         CONFIG_MTDPARTS_DEFAULT " rw ubi.mtd=2,2048\0" \
>         "x_bootcmd_kernel=nand read 0x6400000 0x100000 0x300000\0"      \

It's a problem for boards which read from JFFS2 in U-Boot, yes. So in
the case of the kernel / etc being read from a raw location (or ubi or
what-have-you), if FS_JFFS2 (or CMD_JFFS2, same list of platforms) is
disabled the problem goes away. And if we're down to just a few lightly
used platforms, we can just drop JFFS2 support. Thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20241114/b956407f/attachment.sig>