From: Richard Weinberger Date: Fri, 2 Aug 2024 16:36:44 +0000 (+0200) Subject: squashfs: Fix integer overflow in sqfs_resolve_symlink() X-Git-Tag: archive/raspbian/2021.01+dfsg-5+rpi1+deb11u2^2~13 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=965effba5a096f7eea7850cdfe1cad161df1eeb7;p=u-boot.git squashfs: Fix integer overflow in sqfs_resolve_symlink() A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff, as a consequence malloc() will do a zero allocation. Later in the function the inode size is again used for copying data. So an attacker can overwrite memory. Avoid the overflow by using the __builtin_add_overflow() helper. Signed-off-by: Richard Weinberger Reviewed-by: Miquel Raynal Reviewed-By: Daniel Leidert Origin: https://source.denx.de/u-boot/u-boot/-/commit/233945eba63e24061dffeeaeb7cd6fe985278356 Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2 Bug-Debian: https://bugs.debian.org/1098254 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57255 Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57255 Gbp-Pq: Name CVE-2024-57255.patch --- diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c index a2922a48e..3cd472411 100644 --- a/fs/squashfs/sqfs.c +++ b/fs/squashfs/sqfs.c @@ -416,8 +416,10 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym, char *resolved, *target; u32 sz; - sz = get_unaligned_le32(&sym->symlink_size); - target = malloc(sz + 1); + if (__builtin_add_overflow(get_unaligned_le32(&sym->symlink_size), 1, &sz)) + return NULL; + + target = malloc(sz); if (!target) return NULL; 
@@ -425,9 +427,9 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym, * There is no trailling null byte in the symlink's target path, so a * copy is made and a '\0' is added at its end. */ - target[sz] = '\0'; + target[sz - 1] = '\0'; /* Get target name (relative path) */ - strncpy(target, sym->symlink, sz); + strncpy(target, sym->symlink, sz - 1); /* Relative -> absolute path conversion */ resolved = sqfs_get_abs_path(base_path, target);
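Review bot: in the first hunk, `sz` silently changes meaning from "length of the symlink target" to "allocation size including the NUL terminator", which is what forces the `sz - 1` arithmetic further down; either keep `sz` as the raw length and introduce a separate variable for the allocation size, or add a one-line comment next to the `__builtin_add_overflow()` check so a reader does not assume `sz` still equals `symlink_size`. The check itself is correct: for a `symlink_size` of 0xffffffff the addition no longer wraps to `malloc(0)`, and `sz >= 1` is guaranteed on every path that reaches `malloc(sz)`.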
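Review bot: in the second hunk, `target[sz - 1]` and the `sz - 1` copy length are consistent with the new allocation, but since the comment directly above states the source has no trailing NUL and the length is exact, `memcpy(target, sym->symlink, sz - 1)` states the intent more plainly than `strncpy`, whose NUL-related semantics do not apply here. The copy length is still taken directly from the inode's `symlink_size` field, and this patch only removes the wraparound in the allocation size, so it is worth confirming that the caller already verifies that at least that many bytes of `sym->symlink` lie inside the inode data it read before this function is invoked. The "trailling" typo in the context comment could be fixed in passing.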