From: Richard Weinberger Date: Fri, 2 Aug 2024 20:05:09 +0000 (+0200) Subject: squashfs: Fix heap corruption in sqfs_search_dir() X-Git-Tag: archive/raspbian/2021.01+dfsg-5+rpi1+deb11u2^2~7 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=f07d7af903a8bbad4eb4543fa7b5829418e597a2;p=u-boot.git squashfs: Fix heap corruption in sqfs_search_dir() res needs to be large enough to store both strings rem and target, plus the path separator and the terminator. Currently the space for the path separator is not accounted, so the heap is corrupted by one byte. Signed-off-by: Richard Weinberger Reviewed-by: Miquel Raynal Reviewed-By: Daniel Leidert Origin: https://source.denx.de/u-boot/u-boot/-/commit/048d795bb5b3d9c5701b4855f5e74bcf6849bf5e Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2 Bug-Debian: https://bugs.debian.org/1098254 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57259 Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57259 Gbp-Pq: Name CVE-2024-57259.patch --- diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c index 239afecd3..c4b3fb806 100644 --- a/fs/squashfs/sqfs.c +++ b/fs/squashfs/sqfs.c @@ -557,8 +557,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, ret = -ENOMEM; goto out; } - /* Concatenate remaining tokens and symlink's target */ - res = malloc(strlen(rem) + strlen(target) + 1); + /* + * Concatenate remaining tokens and symlink's target. + * Allocate enough space for rem, target, '/' and '\0'. + */ + res = malloc(strlen(rem) + strlen(target) + 2); if (!res) { ret = -ENOMEM; goto out;
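Review bot: The allocation size in the hunk is now correct (rem, target, one separator and the NUL terminator add up to strlen(rem) + strlen(target) + 2), but the size is recomputed inline and the code that fills res is not in the hunk, so nothing ties the allocation to the copy; the same drift that produced this off-by-one can recur if either side is edited alone. Consider storing the length once and passing it to the writer, e.g. `size_t res_len = strlen(rem) + strlen(target) + 2;` followed by `res = malloc(res_len);` and then using `snprintf(res, res_len, "%s/%s", rem, target)` (assuming the concatenation is rem, '/', target as the new comment describes) in place of separate strcpy/strcat calls, so a later change to the format string fails loudly by truncation rather than silently overrunning the heap. A defensive check that the snprintf return value is below res_len would make any future mismatch visible in testing.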