Raspbian automatic forward porter [Thu, 16 Oct 2025 20:02:33 +0000 (21:02 +0100)]
Merge version 2021.01+dfsg-5+rpi1+deb11u1 and 2021.01+dfsg-5+deb11u2 to produce 2021.01+dfsg-5+rpi1+deb11u2
Daniel Leidert [Sun, 29 Jun 2025 00:33:57 +0000 (02:33 +0200)]
Merge u-boot (2021.01+dfsg-5+deb11u2) import into refs/heads/workingbranch
Simon Glass [Tue, 16 Feb 2021 00:08:12 +0000 (17:08 -0700)]
[PATCH] image: Check for unit addresses in FITs
Using unit addresses in a FIT is a security risk. Add a check for this
and disallow it.
CVE-2021-27138
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
The test part has not been patched. It would require these patches as well:
https://github.com/u-boot/u-boot/commit/fafafacb470b345f2f41b86e4633ef91a7c5ed23
https://github.com/u-boot/u-boot/commit/d5f3aadacbc63df3b690d6fd9f0aa3f575b43356
Also, remove the broken test in test/image/test-imagetools.sh
(thanks to jspricke for the hint):
https://salsa.debian.org/debian/u-boot/-/blob/debian/latest/debian/patches/disable-fit-image-tests?ref_type=heads
https://lists.denx.de/pipermail/u-boot/2021-March/445431.html
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://github.com/u-boot/u-boot/commit/3f04db891a353f4b127ed57279279f851c6b4917
Bug: https://github.com/advisories/GHSA-grrh-mjp7-g52c
Bug-Debian: https://bugs.debian.org/983269
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-27138
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2021-27138
Gbp-Pq: Name CVE-2021-27138-2.patch
Simon Glass [Tue, 16 Feb 2021 00:08:11 +0000 (17:08 -0700)]
[PATCH] libfdt: Check for multiple/invalid root nodes
It is possible to construct a devicetree blob with multiple root nodes.
Update fdt_check_full() to check for this, along with a root node with an
invalid name.
CVE-2021-27097
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
The test part has not been patched. It would require these patches as well:
https://github.com/u-boot/u-boot/commit/fafafacb470b345f2f41b86e4633ef91a7c5ed23
https://github.com/u-boot/u-boot/commit/d5f3aadacbc63df3b690d6fd9f0aa3f575b43356
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://github.com/u-boot/u-boot/commit/124c255731c76a2b09587378b2bcce561bcd3f2d
Bug: https://github.com/advisories/GHSA-3w66-96j7-fmcp
Bug-Debian: https://bugs.debian.org/983270
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-27097
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2021-27097
Gbp-Pq: Name CVE-2021-27097-4.patch
Simon Glass [Tue, 16 Feb 2021 00:08:10 +0000 (17:08 -0700)]
image: Add an option to do a full check of the FIT
Some strange modifications of the FIT can introduce security risks. Add an
option to check it thoroughly, using libfdt's fdt_check_full() function.
Enable this by default if signature verification is enabled.
CVE-2021-27097
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://github.com/u-boot/u-boot/commit/6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01
Bug: https://github.com/advisories/GHSA-3w66-96j7-fmcp
Bug-Debian: https://bugs.debian.org/983270
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-27097
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2021-27097
Gbp-Pq: Name CVE-2021-27097-3.patch
Simon Glass [Tue, 16 Feb 2021 00:08:09 +0000 (17:08 -0700)]
[PATCH] image: Adjust the workings of fit_check_format()
At present this function does not accept a size for the FIT. This means
that it must be read from the FIT itself, introducing potential security
risk. Update the function to include a size parameter, which can be
invalid, in which case fit_check_format() calculates it.
For now no callers pass the size, but this can be updated later.
Also adjust the return value to an error code so that all the different
types of problems can be distinguished by the user.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
This patch includes this one as well:
https://github.com/u-boot/u-boot/commit/ea1a9ec5f430359720d9a0621ed1acfbba6a142a.patch
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://github.com/u-boot/u-boot/commit/c5819701a3de61e2ba2ef7ad0b616565b32305e5
Origin: https://github.com/u-boot/u-boot/commit/ea1a9ec5f430359720d9a0621ed1acfbba6a142a
Bug: https://github.com/advisories/GHSA-3w66-96j7-fmcp
Bug-Debian: https://bugs.debian.org/983270
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-27097
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2021-27097
Gbp-Pq: Name CVE-2021-27097-2.patch
Simon Glass [Tue, 16 Feb 2021 00:08:06 +0000 (17:08 -0700)]
fit: Don't allow verification of images with @ nodes
When searching for a node called 'fred', any unit address appended to the
name is ignored by libfdt, meaning that 'fred' can match 'fred@1'. This
means that we cannot be sure that the node originally intended is the one
that is used.
Disallow use of nodes with unit addresses.
Update the forge test also, since it uses @ addresses.
CVE-2021-27138
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://github.com/u-boot/u-boot/commit/79af75f7776fc20b0d7eb6afe1e27c00fdb4b9b4
Bug: https://github.com/advisories/GHSA-grrh-mjp7-g52c
Bug-Debian: https://bugs.debian.org/983269
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-27138
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2021-27138
Gbp-Pq: Name CVE-2021-27138-1.patch
Simon Glass [Tue, 16 Feb 2021 00:08:05 +0000 (17:08 -0700)]
fdt_region: Check for a single root node of the correct name
At present fdt_find_regions() assumes that the FIT is a valid devicetree.
If the FIT has two root nodes this is currently not detected in this
function, nor does libfdt's fdt_check_full() notice. Also it is possible
for the root node to have a name even though it should not.
Add checks for these and return -FDT_ERR_BADSTRUCTURE if a problem is
detected.
CVE-2021-27097
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://github.com/u-boot/u-boot/commit/8a7d4cf9820ea16fabd25a6379351b4dc291204b
Bug: https://github.com/advisories/GHSA-3w66-96j7-fmcp
Bug-Debian: https://bugs.debian.org/983270
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-27097
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2021-27097
Gbp-Pq: Name CVE-2021-27097-1.patch
Richard Weinberger [Fri, 2 Aug 2024 20:05:09 +0000 (22:05 +0200)]
squashfs: Fix heap corruption in sqfs_search_dir()
res needs to be large enough to store both strings rem and target,
plus the path separator and the terminator.
Currently the space for the path separator is not accounted, so
the heap is corrupted by one byte.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/048d795bb5b3d9c5701b4855f5e74bcf6849bf5e
Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
Bug-Debian: https://bugs.debian.org/1098254
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57259
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57259
Gbp-Pq: Name CVE-2024-57259.patch
Richard Weinberger [Fri, 2 Aug 2024 10:08:43 +0000 (12:08 +0200)]
x86: Fix ptrdiff_t for x86_64
sbrk() assumes ptrdiff_t is large enough to enlarge/shrink the heap
by LONG_MIN/LONG_MAX.
So, use the long type, also to match the rest of the Linux ecosystem.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/c17b2a05dd50a3ba437e6373093a0d6a359cdee0
Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
Bug-Debian: https://bugs.debian.org/1098254
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57258
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57258
Gbp-Pq: Name CVE-2024-57258-3.patch
Richard Weinberger [Fri, 2 Aug 2024 10:08:44 +0000 (12:08 +0200)]
dlmalloc: Fix integer overflow in request2size()
req is of type size_t, casting it to long opens the door
for an integer overflow.
Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX
cause an overflow such that request2size() returns MINSIZE.
Fix by removing the cast.
The origin of the cast is unclear, it's in u-boot and ppcboot since ever
and predates the CVS history.
Doug Lea's original dlmalloc implementation also doesn't have it.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/8642b2178d2c4002c99a0b69a845a48f2ae2706f
Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
Bug-Debian: https://bugs.debian.org/1098254
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57258
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57258
Gbp-Pq: Name CVE-2024-57258-2.patch
Richard Weinberger [Fri, 2 Aug 2024 10:08:45 +0000 (12:08 +0200)]
dlmalloc: Fix integer overflow in sbrk()
Make sure that the new break is within mem_malloc_start
and mem_malloc_end before making progress.
ulong new = old + increment; can overflow for extremely large
increment values and memset() can get wrongly called.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/0a10b49206a29b4aa2f80233a3e53ca0466bb0b3
Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
Bug-Debian: https://bugs.debian.org/1098254
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57258
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57258
Gbp-Pq: Name CVE-2024-57258-1.patch
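The three CVE-2024-57258 commits above describe two arithmetic defects in the dlmalloc port: a signed cast in request2size() that turns a request near LONG_MAX into MINSIZE, and an sbrk() that memset() a region before range-checking the new break. The following is an added example, not U-Boot's own code, that models both shapes side by side. The constants (SIZE_SZ, MALLOC_ALIGN_MASK, MINSIZE, SBRK_FAILURE) are assumptions for an LP64 build rather than values copied from dlmalloc.c, and request2size_checked() is an extra guard of ours that goes beyond the upstream fix.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants for an LP64 build; not copied from dlmalloc.c. */
#define SIZE_SZ           (sizeof(size_t))
#define MALLOC_ALIGNMENT  (2 * SIZE_SZ)
#define MALLOC_ALIGN_MASK (MALLOC_ALIGNMENT - 1)
#define MINSIZE           (4 * SIZE_SZ)   /* assumed sizeof(struct malloc_chunk) */
#define SBRK_FAILURE      UINTPTR_MAX     /* models MORECORE_FAILURE (assumed) */

/* Pre-fix shape of request2size(): the cast to long turns a request just
 * below LONG_MAX into a negative number, the comparison succeeds and the
 * caller is handed MINSIZE for a multi-gigabyte request. */
static size_t request2size_vuln(size_t req)
{
	size_t padded = req + (SIZE_SZ + MALLOC_ALIGN_MASK);

	if ((long)padded < (long)(MINSIZE + MALLOC_ALIGN_MASK))
		return MINSIZE;
	return padded & ~MALLOC_ALIGN_MASK;
}

/* Post-fix shape: the comparison stays unsigned, so the same request maps
 * to a correspondingly huge chunk size that the allocator cannot satisfy. */
static size_t request2size_fixed(size_t req)
{
	size_t padded = req + (SIZE_SZ + MALLOC_ALIGN_MASK);

	if (padded < MINSIZE + MALLOC_ALIGN_MASK)
		return MINSIZE;
	return padded & ~MALLOC_ALIGN_MASK;
}

/* Our addition, not part of the upstream patch: within SIZE_SZ +
 * MALLOC_ALIGN_MASK of SIZE_MAX the unsigned sum itself wraps and still
 * rounds down to MINSIZE, so refuse such requests (0 means refused). */
static size_t request2size_checked(size_t req)
{
	size_t padded;

	if (__builtin_add_overflow(req, SIZE_SZ + MALLOC_ALIGN_MASK, &padded))
		return 0;
	return request2size_fixed(req);
}

/* sbrk() model: compute the new break with overflow detection and range
 * check it before anything is written. The pre-fix code memset() the
 * released region first, so a wrapped 'new' was dereferenced before the
 * range check could reject it. */
static uintptr_t sbrk_new_break(uintptr_t start, uintptr_t end,
				uintptr_t brk, ptrdiff_t increment)
{
	uintptr_t nb;

	if (increment >= 0) {
		if (__builtin_add_overflow(brk, (uintptr_t)increment, &nb))
			return SBRK_FAILURE;
	} else {
		/* -(increment + 1) + 1 avoids negating PTRDIFF_MIN */
		uintptr_t dec = (uintptr_t)(-(increment + 1)) + 1;

		if (dec > brk)
			return SBRK_FAILURE;
		nb = brk - dec;
	}
	if (nb < start || nb > end)
		return SBRK_FAILURE;
	return nb;
}

int main(void)
{
	size_t req = (size_t)LONG_MAX - 10;

	printf("req=%#zx vuln=%#zx fixed=%#zx\n", req,
	       request2size_vuln(req), request2size_fixed(req));
	printf("SIZE_MAX-5: fixed=%#zx checked=%#zx\n",
	       request2size_fixed(SIZE_MAX - 5), request2size_checked(SIZE_MAX - 5));
	printf("sbrk +0x100 -> %#lx\n",
	       (unsigned long)sbrk_new_break(0x1000, 0x2000, 0x1800, 0x100));
	printf("sbrk +PTRDIFF_MAX -> %#lx\n",
	       (unsigned long)sbrk_new_break(0x1000, 0x2000, 0x1800, PTRDIFF_MAX));
	return 0;
}
```

The point of the checked variant is that removing the cast is necessary but not sufficient: a request within 23 bytes of SIZE_MAX still wraps the unsigned sum, so a caller that trusts request2size() alone gets MINSIZE back for it.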
Richard Weinberger [Fri, 2 Aug 2024 16:36:47 +0000 (18:36 +0200)]
[PATCH] squashfs: Fix stack overflow while symlink resolving
The squashfs driver blindly follows symlinks, and calls sqfs_size()
recursively. So an attacker can create a crafted filesystem and with
a deep enough nesting level a stack overflow can be achieved.
Fix by limiting the nesting level to 8.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/4f5cc096bfd0a591f8a11e86999e3d90a9484c34
Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
Bug-Debian: https://bugs.debian.org/1098254
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57257
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57257
Gbp-Pq: Name CVE-2024-57257.patch
Richard Weinberger [Fri, 9 Aug 2024 09:54:28 +0000 (11:54 +0200)]
[PATCH] ext4: Fix integer overflow in ext4fs_read_symlink()
While zalloc() takes a size_t type, adding 1 to the le32 variable
will overflow.
A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff
and as consequence zalloc() will do a zero allocation.
Later in the function the inode size is again used for copying data.
So an attacker can overwrite memory.
Avoid the overflow by using the __builtin_add_overflow() helper.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/35f75d2a46e5859138c83a75cd2f4141c5479ab9
Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
Bug-Debian: https://bugs.debian.org/1098254
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57256
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57256
Gbp-Pq: Name CVE-2024-57256.patch
Richard Weinberger [Fri, 2 Aug 2024 16:36:44 +0000 (18:36 +0200)]
squashfs: Fix integer overflow in sqfs_resolve_symlink()
A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff,
as a consequence malloc() will do a zero allocation.
Later in the function the inode size is again used for copying data.
So an attacker can overwrite memory.
Avoid the overflow by using the __builtin_add_overflow() helper.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/233945eba63e24061dffeeaeb7cd6fe985278356
Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
Bug-Debian: https://bugs.debian.org/1098254
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57255
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57255
Gbp-Pq: Name CVE-2024-57255.patch
Richard Weinberger [Fri, 2 Aug 2024 16:36:45 +0000 (18:36 +0200)]
squashfs: Fix integer overflow in sqfs_inode_size()
A carefully crafted squashfs filesystem can exhibit an extremely large
inode size and overflow the calculation in sqfs_inode_size().
As a consequence, the squashfs driver will read from wrong locations.
Fix by using __builtin_add_overflow() to detect the overflow.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/c8e929e5758999933f9e905049ef2bf3fe6b140d
Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
Bug-Debian: https://bugs.debian.org/1098254
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57254
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57254
Gbp-Pq: Name CVE-2024-57254.patch
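The ext4fs_read_symlink(), sqfs_resolve_symlink() and sqfs_inode_size() commits above share one defect: a 32-bit size taken from the image is added to (size + 1 for the NUL, or base + size for an end offset) in arithmetic that can wrap, and the wrapped value is what the allocator or the reader sees. The following is an added example, not U-Boot's own code, that reproduces the wrap and shows the __builtin_add_overflow() guard the fixes use. The function names and the "0 means rejected" convention are ours.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-fix shape: the +1 for the terminating NUL is evaluated in 32-bit
 * arithmetic, so an on-disk size of 0xffffffff wraps to 0 before the
 * result is widened for zalloc()/malloc(). */
static size_t symlink_alloc_size_vuln(uint32_t inode_size)
{
	return inode_size + 1;	/* uint32_t addition, then widened */
}

/* The copy that follows still uses inode_size as its length, so an
 * allocation shorter than that is a heap overwrite with image data. */
static bool symlink_copy_overflows(uint32_t inode_size)
{
	return symlink_alloc_size_vuln(inode_size) < inode_size;
}

/* Post-fix shape: the sum is formed in the result type (size_t) and the
 * builtin reports whether it fits there. 0 signals rejection; a real
 * result is never 0 because of the +1. */
static size_t symlink_alloc_size_safe(uint32_t inode_size)
{
	size_t n;

	if (__builtin_add_overflow(inode_size, 1, &n))
		return 0;
	return n;
}

/* sqfs_inode_size() shape: an inode's end offset is base + size; with a
 * wrapped sum the driver reads from a wrong location. 0 signals rejection. */
static size_t inode_end_or_zero(size_t base, uint32_t size)
{
	size_t end;

	if (__builtin_add_overflow(base, size, &end))
		return 0;
	return end;
}

int main(void)
{
	static const uint32_t probes[] = { 9, 0x7fffffffu, 0xffffffffu };
	size_t i;

	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("size=%#010x alloc_vuln=%zu overflow=%d alloc_safe=%zu\n",
		       probes[i], symlink_alloc_size_vuln(probes[i]),
		       symlink_copy_overflows(probes[i]),
		       symlink_alloc_size_safe(probes[i]));
	printf("inode end near SIZE_MAX -> %zu\n",
	       inode_end_or_zero(SIZE_MAX - 10, 0xffffffffu));
	return 0;
}
```

On a 64-bit host symlink_alloc_size_safe(0xffffffff) legitimately returns 0x100000000 and the allocation simply fails; on a 32-bit target the builtin reports the wrap and the size is rejected before any allocation. Either way the copy length can no longer exceed the buffer.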
Venkatesh Yadav Abbarapu [Thu, 3 Nov 2022 04:07:48 +0000 (09:37 +0530)]
[PATCH] usb: gadget: dfu: Fix the unchecked length field
DFU implementation does not bound the length field in USB
DFU download setup packets, and it does not verify the
transfer direction. Fix the length and transfer direction
checks.
CVE-2022-2347
Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com>
Reviewed-by: Marek Vasut <marex@denx.de>
Note (<dleidert>): I'm not sure if this patch should be applied as well:
https://source.denx.de/u-boot/u-boot/-/commit/86b6a38863bebb70a65a53f93a1ffafc4a472169
It is not related to the issue, though.
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/fbce985e28eaca3af82afecc11961aadaf971a7e
Bug: https://www.openwall.com/lists/oss-security/2022/07/08/2
Bug-Debian: https://bugs.debian.org/1014959
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-2347
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2022-2347
Gbp-Pq: Name CVE-2022-2347.patch
Andrea zi0Black Cappa [Wed, 18 May 2022 16:30:08 +0000 (16:30 +0000)]
net: nfs: Fix CVE-2022-30767 (old CVE-2019-14196)
This patch mitigates the vulnerability identified via CVE-2019-14196.
The previous patch was bypassed/ineffective, and now the vulnerability
is identified via CVE-2022-30767. The patch removes the sanity check
introduced to mitigate CVE-2019-14196 since it's ineffective.
filefh3_length is changed to unsigned type integer, preventing negative
numbers from being used during comparison with positive values during
size sanity checks.
Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/bdbf7a05e26f3c5fd437c99e2755ffde186ddc80
Bug: https://lists.denx.de/pipermail/u-boot/2022-May/483952.html
Bug-Debian: https://bugs.debian.org/1014471
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-30767
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2022-30767
Gbp-Pq: Name CVE-2022-30767.patch
Fabio Estevam [Thu, 26 May 2022 14:14:37 +0000 (11:14 -0300)]
net: Check for the minimum IP fragmented datagram size
Nicolas Bidron and Nicolas Guigo reported the two bugs below:
"
----------BUG 1----------
In compiled versions of U-Boot that define CONFIG_IP_DEFRAG, a value of
`ip->ip_len` (IP packet header's Total Length) higher than `IP_HDR_SIZE`
and strictly lower than `IP_HDR_SIZE+8` will lead to a value for `len`
comprised between `0` and `7`. This will ultimately result in a
truncated division by `8` resulting value of `0` forcing the hole
metadata and fragment to point to the same location. The subsequent
memcopy will overwrite the hole metadata with the fragment data. Through
a second fragment, this can be exploited to write to an arbitrary offset
controlled by that overwritten hole metadata value.
This bug is only exploitable locally as it requires crafting two packets
the first of which would most likely be dropped through routing due to
its unexpectedly low Total Length. However, this bug can potentially be
exploited to root linux based embedded devices locally.
```C
static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
{
static uchar pkt_buff[IP_PKTSIZE] __aligned(PKTALIGN);
static u16 first_hole, total_len;
struct hole *payload, *thisfrag, *h, *newh;
struct ip_udp_hdr *localip = (struct ip_udp_hdr *)pkt_buff;
uchar *indata = (uchar *)ip;
int offset8, start, len, done = 0;
u16 ip_off = ntohs(ip->ip_off);
/* payload starts after IP header, this fragment is in there */
payload = (struct hole *)(pkt_buff + IP_HDR_SIZE);
offset8 = (ip_off & IP_OFFS);
thisfrag = payload + offset8;
start = offset8 * 8;
len = ntohs(ip->ip_len) - IP_HDR_SIZE;
```
The last line of the previous excerpt from `u-boot/net/net.c` shows how
the attacker can control the value of `len` to be strictly lower than
`8` by issuing a packet with `ip_len` between `21` and `27`
(`IP_HDR_SIZE` has a value of `20`).
Also note that `offset8` here is `0` which leads to `thisfrag = payload`.
```C
} else if (h >= thisfrag) {
/* overlaps with initial part of the hole: move this hole */
newh = thisfrag + (len / 8);
*newh = *h;
h = newh;
if (h->next_hole)
payload[h->next_hole].prev_hole = (h - payload);
if (h->prev_hole)
payload[h->prev_hole].next_hole = (h - payload);
else
first_hole = (h - payload);
} else {
```
Lower down the same function, execution reaches the above code path.
Here, `len / 8` evaluates to `0` leading to `newh = thisfrag`. Also note
that `first_hole` here is `0` since `h` and `payload` point to the same
location.
```C
/* finally copy this fragment and possibly return whole packet */
memcpy((uchar *)thisfrag, indata + IP_HDR_SIZE, len);
```
Finally, in the above excerpt the `memcpy` overwrites the hole metadata
since `thisfrag` and `h` both point to the same location. The hole
metadata is effectively overwritten with arbitrary data from the
fragmented IP packet data. If `len` was crafted to be `6`, `last_byte`,
`next_hole`, and `prev_hole` of the `first_hole` can be controlled by
the attacker.
Finally the arbitrary offset write occurs through a second fragment that
only needs to be crafted to write data in the hole pointed to by the
previously controlled hole metadata (`next_hole`) from the first packet.
### Recommendation
Handle cases where `len` is strictly lower than 8 by preventing the
overwrite of the hole metadata during the memcpy of the fragment. This
could be achieved by either:
* Moving the location where the hole metadata is stored when `len` is
lower than `8`.
* Or outright rejecting fragmented IP datagram with a Total Length
(`ip_len`) lower than 28 bytes which is the minimum valid fragmented IP
datagram size (as defined as the minimum fragment of 8 octets in the IP
Specification Document:
[RFC791](https://datatracker.ietf.org/doc/html/rfc791) page 25).
----------BUG 2----------
In compiled versions of U-Boot that define CONFIG_IP_DEFRAG, a value of
`ip->ip_len` (IP packet header's Total Length) lower than `IP_HDR_SIZE`
will lead to a negative value for `len` which will ultimately result in
a buffer overflow during the subsequent `memcpy` that uses `len` as its
`count` parameter.
This bug is only exploitable on local ethernet as it requires crafting
an invalid packet to include an unexpected `ip_len` value in the IP UDP
header that's lower than the minimum accepted Total Length of a packet
(21 as defined in the IP Specification Document:
[RFC791](https://datatracker.ietf.org/doc/html/rfc791)). Such packet
would in all likelihood be dropped while being routed to its final
destination through most routing equipment and as such requires the
attacker to be in a local position in order to be exploited.
```C
static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
{
static uchar pkt_buff[IP_PKTSIZE] __aligned(PKTALIGN);
static u16 first_hole, total_len;
struct hole *payload, *thisfrag, *h, *newh;
struct ip_udp_hdr *localip = (struct ip_udp_hdr *)pkt_buff;
uchar *indata = (uchar *)ip;
int offset8, start, len, done = 0;
u16 ip_off = ntohs(ip->ip_off);
/* payload starts after IP header, this fragment is in there */
payload = (struct hole *)(pkt_buff + IP_HDR_SIZE);
offset8 = (ip_off & IP_OFFS);
thisfrag = payload + offset8;
start = offset8 * 8;
len = ntohs(ip->ip_len) - IP_HDR_SIZE;
```
The last line of the previous excerpt from `u-boot/net/net.c` shows
where the underflow to a negative `len` value occurs if `ip_len` is set
to a value strictly lower than 20 (`IP_HDR_SIZE` being 20). Also note
that in the above excerpt the `pkt_buff` buffer has a size of
`CONFIG_NET_MAXDEFRAG` which defaults to 16 KB but can range from 1KB to
64 KB depending on configurations.
```C
/* finally copy this fragment and possibly return whole packet */
memcpy((uchar *)thisfrag, indata + IP_HDR_SIZE, len);
```
In the above excerpt the `memcpy` overflows the destination by
attempting to make a copy of nearly 4 gigabytes in a buffer that's
designed to hold `CONFIG_NET_MAXDEFRAG` bytes at most which leads to a DoS.
### Recommendation
Stop processing of the packet if `ip_len` is lower than 21 (as defined
by the minimum length of a data carrying datagram in the IP
Specification Document:
[RFC791](https://datatracker.ietf.org/doc/html/rfc791) page 34)."
Add a check for ip_len lesser than 28 and stop processing the packet
in this case.
Such a check covers the two reported bugs.
Reported-by: Nicolas Bidron <nicolas.bidron@nccgroup.com>
Signed-off-by: Fabio Estevam <festevam@denx.de>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/b85d130ea0cac152c21ec38ac9417b31d41b5552
Bug: https://www.nccgroup.com/us/research-blog/technical-advisory-multiple-vulnerabilities-in-u-boot-cve-2022-30790-cve-2022-30552/
Bug-Debian: https://bugs.debian.org/1014470
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-30790
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-30552
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2022-30790
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2022-30552
Gbp-Pq: Name CVE-2022-30790.patch
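The advisory quoted in the commit above walks through two consequences of `len = ntohs(ip->ip_len) - IP_HDR_SIZE` being a signed int: `len / 8 == 0` for `ip_len` 21..27 makes the hole move land on the hole descriptor itself, and `ip_len < 20` makes `len` negative so `memcpy()` receives a count near SIZE_MAX. The following is an added example, not U-Boot's `net.c`, that replays both computations and the `ip_len < 28` rejection the commit adds. IP_HDR_SIZE follows the text; the `struct hole` layout, the 64-byte model buffer and the `frag_sample` bytes are constructed here, and the first-fragment replay is a simplified model of the quoted code path rather than a copy of it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HDR_SIZE        20
#define MIN_FRAG_TOTAL_LEN (IP_HDR_SIZE + 8)	/* 28: header plus one 8-octet fragment unit */

/* Model of the hole descriptor kept inside the reassembly payload
 * (8 bytes, one fragment unit). Layout is ours, not net.c's. */
struct hole {
	uint16_t start;
	uint16_t end;
	uint16_t next_hole;
	uint16_t prev_hole;
};

/* Pre-fix: payload length as a signed int from the 16-bit Total Length. */
static int frag_len_vuln(uint16_t ip_len)
{
	return (int)ip_len - IP_HDR_SIZE;
}

/* Bug 1: for ip_len 21..27, len / 8 is 0, so the "move this hole" branch
 * yields newh == thisfrag and the descriptor becomes the memcpy() target.
 * Returns the displacement in descriptors (-1 if len went negative). */
static int hole_move_distance(uint16_t ip_len)
{
	int len = frag_len_vuln(ip_len);

	return len < 0 ? -1 : len / 8;
}

/* Bug 2: for ip_len < 20 the signed len is negative and memcpy()'s size_t
 * count becomes a value near SIZE_MAX. */
static size_t memcpy_count_vuln(uint16_t ip_len)
{
	return (size_t)frag_len_vuln(ip_len);
}

/* Constructed first-fragment payload for the bug 1 case (ip_len 26 gives
 * len 6): bytes 4..5 land on next_hole in the model layout. */
static const uint8_t frag_sample[8] = { 0x00, 0x00, 0xff, 0xff, 0x42, 0x42, 0x00, 0x00 };

/* Replays the vulnerable hole move and copy into a private buffer and
 * returns the hole's next_hole afterwards. 0xffff means the len < 8 case
 * did not apply, i.e. this path did not overwrite the descriptor.
 * 'data' must hold at least len bytes. */
static uint16_t clobbered_next_hole(uint16_t ip_len, const uint8_t *data)
{
	union { uint8_t bytes[64]; struct hole h[8]; } payload;
	struct hole *thisfrag = &payload.h[0];	/* offset8 == 0 */
	struct hole *h = &payload.h[0];		/* first_hole == 0 */
	struct hole *newh;
	int len = frag_len_vuln(ip_len);

	memset(&payload, 0, sizeof(payload));
	h->end = 0xffff;			/* one hole covering the buffer */
	if (len < 0 || len > 7)
		return 0xffff;
	newh = thisfrag + (len / 8);		/* == thisfrag */
	*newh = *h;
	h = newh;
	memcpy(thisfrag, data, (size_t)len);	/* overwrites h's own fields */
	return h->next_hole;
}

/* Post-fix: reject before any arithmetic. Both bugs need ip_len < 28. */
static bool frag_accept(uint16_t ip_len)
{
	return ip_len >= MIN_FRAG_TOTAL_LEN;
}

/* Payload length of an accepted fragment; 0 means rejected. A real
 * result is always >= 8, so len / 8 >= 1 and the hole move is real. */
static size_t frag_payload_len(uint16_t ip_len)
{
	if (!frag_accept(ip_len))
		return 0;
	return (size_t)ip_len - IP_HDR_SIZE;
}

int main(void)
{
	static const uint16_t probes[] = { 19, 21, 26, 27, 28, 1500 };
	size_t i;

	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("ip_len=%4u len=%d move=%d accept=%d\n", (unsigned)probes[i],
		       frag_len_vuln(probes[i]), hole_move_distance(probes[i]),
		       (int)frag_accept(probes[i]));
	printf("next_hole after crafted fragment: %#x\n",
	       clobbered_next_hole(26, frag_sample));
	return 0;
}
```

The replay shows why a single check covers both reports: once `ip_len >= 28` is enforced, `len` is at least 8, the moved hole descriptor is always at least one unit past the fragment data, and the signed subtraction can no longer go negative.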
Miquel Raynal [Thu, 9 Jun 2022 14:02:06 +0000 (16:02 +0200)]
[PATCH] fs/squashfs: sqfs_read: Prevent arbitrary code execution
Following Jincheng's report, an out-of-band write leading to arbitrary
code execution is possible because on one side the squashfs logic
accepts directory names up to 65535 bytes (u16), while U-Boot fs logic
accepts directory names up to 255 bytes long.
Prevent such an exploit from happening by capping directory name sizes
to 255. Use a define for this purpose so that developers can link the
limitation to its source and eventually kill it some day by dynamically
allocating this array (if ever desired).
Link: https://lore.kernel.org/all/CALO=DHFB+yBoXxVr5KcsK0iFdg+e7ywko4-e+72kjbcS8JBfPw@mail.gmail.com
Reported-by: Jincheng Wang <jc.w4ng@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Tested-by: Jincheng Wang <jc.w4ng@gmail.com>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/2ac0baab4aff1a0b45067d0b62f00c15f4e86856
Bug: https://lore.kernel.org/all/CALO=DHFB+yBoXxVr5KcsK0iFdg+e7ywko4-e+72kjbcS8JBfPw@mail.gmail.com/
Bug-Debian: https://bugs.debian.org/1014528
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-33103
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2022-33103
Gbp-Pq: Name CVE-2022-33103.patch
Miquel Raynal [Mon, 27 Jun 2022 10:20:03 +0000 (12:20 +0200)]
[PATCH] fs/squashfs: Use kcalloc when relevant
A crafted squashfs image could embed a huge number of empty metadata
blocks in order to make the amount of malloc()'d memory overflow and be
much smaller than expected. Because of this flaw, any random code
positioned at the right location in the squashfs image could be memcpy'd
from the squashfs structures into U-Boot code location while trying to
access the rearmost blocks, before being executed.
In order to prevent this vulnerability from being exploited in eg. a
secure boot environment, let's add a check over the amount of data
that is going to be allocated. Such a check could look like:
if (!elem_size || n > SIZE_MAX / elem_size)
return NULL;
The right way to do it would be to enhance the calloc() implementation
but this is quite an impacting change for such a small fix. Another
solution would be to add the check before the malloc call in the
squashfs implementation, but this does not look right. So for now, let's
use the kcalloc() compatibility function from Linux, which has this
check.
Fixes: c5100613037 ("fs/squashfs: new filesystem")
Reported-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu@sony.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Tested-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu@sony.com>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://github.com/u-boot/u-boot/commit/b6f4c757959f8850e1299a77c8e5713da78e8ec0
Bug: https://lists.denx.de/pipermail/u-boot/2022-June/487467.html
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-33967
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2022-33967
Gbp-Pq: Name CVE-2022-33967.patch
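The commit above relies on kcalloc()'s `n > SIZE_MAX / elem_size` test to stop a crafted block count from wrapping `n * elem_size` into a small allocation. The following is an added example, not U-Boot's or Linux's kcalloc(), showing the unchecked product beside the division check from the commit message and the equivalent `__builtin_mul_overflow()` form. The function names and the "0 means rejected" convention are ours; `wrapping_count()` derives a block count from the platform's SIZE_MAX instead of reading one from an image.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked: a crafted block count makes n * elem_size wrap, so the
 * allocation is far smaller than the loop that later fills it. */
static size_t array_bytes_vuln(size_t n, size_t elem_size)
{
	return n * elem_size;
}

/* Division form from the commit message; 0 on overflow or zero size. */
static size_t array_bytes_div_check(size_t n, size_t elem_size)
{
	if (!elem_size || n > SIZE_MAX / elem_size)
		return 0;
	return n * elem_size;
}

/* Equivalent builtin form; also 0 on overflow or zero size. */
static size_t array_bytes_builtin_check(size_t n, size_t elem_size)
{
	size_t bytes;

	if (!elem_size || __builtin_mul_overflow(n, elem_size, &bytes))
		return 0;
	return bytes;
}

/* The smallest block count whose product with elem_size exceeds
 * SIZE_MAX on this platform; the unchecked product then wraps to a
 * value smaller than elem_size (exactly 0 for power-of-two sizes). */
static size_t wrapping_count(size_t elem_size)
{
	return SIZE_MAX / elem_size + 1;
}

int main(void)
{
	static const size_t sizes[] = { 8, 12, 24 };
	size_t i;

	for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
		size_t n = wrapping_count(sizes[i]);

		printf("elem=%zu n=%zu unchecked=%zu div=%zu builtin=%zu\n",
		       sizes[i], n, array_bytes_vuln(n, sizes[i]),
		       array_bytes_div_check(n, sizes[i]),
		       array_bytes_builtin_check(n, sizes[i]));
	}
	return 0;
}
```

Both checked forms reject the same inputs; the builtin avoids the division and reads as a single operation, which is why it is the usual choice when the allocator itself cannot be changed.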
Nicolas Iooss [Fri, 10 Jun 2022 14:50:25 +0000 (14:50 +0000)]
[PATCH] i2c: fix stack buffer overflow vulnerability in i2c md command
When running "i2c md 0 0 80000100", the function do_i2c_md parses the
length into an unsigned int variable named length. The value is then
moved to a signed variable:
int nbytes = length;
#define DISP_LINE_LEN 16
int linebytes = (nbytes > DISP_LINE_LEN) ? DISP_LINE_LEN : nbytes;
ret = dm_i2c_read(dev, addr, linebuf, linebytes);
On systems where integers are 32 bits wide, 0x80000100 is a negative
value, so "nbytes > DISP_LINE_LEN" is false and linebytes gets assigned
0x80000100 instead of 16.
The consequence is that the function which reads from the i2c device
(dm_i2c_read or i2c_read) is called with a 16-byte stack buffer to fill
but with a size parameter which is too large. In some cases, this could
trigger a crash. But with some i2c drivers, such as drivers/i2c/nx_i2c.c
(used with "nexell,s5pxx18-i2c" bus), the size is actually truncated to
a 16-bit integer. This is because function i2c_transfer expects an
unsigned short length. In such a case, an attacker who can control the
response of an i2c device can overwrite the return address of a function
and execute arbitrary code through Return-Oriented Programming.
Fix this issue by using unsigned integer types in do_i2c_md. While at
it, also make alen unsigned, as signed sizes can cause vulnerabilities
when people forget to check that they can be negative.
Signed-off-by: Nicolas Iooss <nicolas.iooss+uboot@ledger.fr>
Reviewed-by: Heiko Schocher <hs@denx.de>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409
Bug: https://lists.denx.de/pipermail/u-boot/2022-June/486113.html
Bug-Debian: https://bugs.debian.org/1014529
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-34835
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2022-34835
Gbp-Pq: Name CVE-2022-34835.patch
Heinrich Schuchardt [Sun, 24 Jan 2021 14:34:12 +0000 (14:34 +0000)]
[PATCH] efi_loader: switch to non-secure mode later
Some ARMv7 boards using PSCI must be in secure mode when booted via
'bootz' or 'bootm'. During distro-boot 'bootefi bootmgr' is called to check
if booting via UEFI is possible.
With this change, the switch from secure mode to non-secure mode is
moved from the UEFI subsystem setup to just before calling StartImage().
Cc: Jernej Škrabec <jernej.skrabec@gmail.com>
Reported-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Gbp-Pq: Topic upstream
Gbp-Pq: Name 0001-efi_loader-switch-to-non-secure-mode-later.patch
Arnaud Ferraris [Wed, 2 Sep 2020 07:53:50 +0000 (09:53 +0200)]
[PATCH] configs: add PineTab defconfig
From 2c346cacb4b0841051bceb27a57058020860ab8b Mon Sep 17 00:00:00 2001
Forwarded: https://patchwork.ozlabs.org/project/uboot/list/?series=232582
The PineTab device-tree is already in u-boot, this commit adds the corresponding
defconfig, based on pinephone_defconfig.
Signed-off-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
Gbp-Pq: Topic pinetab
Gbp-Pq: Name 0001-configs-add-PineTab-defconfig.patch
Vagrant Cascadian [Sun, 29 Jun 2025 00:33:57 +0000 (02:33 +0200)]
disable-preboot
Disable USE_PREBOOT as a workaround to boot failure triggered by
initializing USB. (Closes: #973323, #980434)
Reported upstream:
https://lists.denx.de/pipermail/u-boot/2021-January/438098.html
Gbp-Pq: Topic rk3399
Gbp-Pq: Name disable-preboot
Vagrant Cascadian [Sun, 29 Jun 2025 00:33:57 +0000 (02:33 +0200)]
bootz_and_raw_initrd
Enable booting of zImage/vmlinuz and initrd without requiring the use
of mkimage to create uImage/uInitrd.
Gbp-Pq: Topic n900
Gbp-Pq: Name bootz_and_raw_initrd.patch
David Abdurachmanov [Wed, 21 Aug 2019 19:07:20 +0000 (12:07 -0700)]
[PATCH] qemu-riscv64_smode, sifive-fu540: fix extlinux (define preboot)
From 3fc056f0b9f7c26e58a1e947c8c0184e55919614 Mon Sep 17 00:00:00 2001
Forwarded: https://patchwork.ozlabs.org/patch/1151125/
Commit 37304aaf60bf92a5dc3ef222ba520698bd862a44 removed preboot
commands in RISC-V targets and broke extlinux support as reported
by Fu Wei <wefu@redhat.com>.
The patch finishes migration of CONFIG_USE_PREBOOT and CONFIG_REBOOT
to Kconfig.
Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com>
Gbp-Pq: Topic riscv64
Gbp-Pq: Name qemu-riscv64_smode-sifive-fu540-fix-extlinux-define-.patch
Dongjin Kim [Sat, 28 Oct 2017 04:22:27 +0000 (00:22 -0400)]
[PATCH] arm: config: fix default console only to specify the device
This reverts commit 767edf0f6b3eaa0303f3fd6afdc14ddce0aca70c and restores
commit 232ed3ca534708527a9515c7c41bc3542949525c.
Debian's flash-kernel expects the console variable to just contain the device,
because it will set the bootargs to "console=${console}". So revert adding
"console=" to the console parameter, but also adjust the shipped bootscripts
for exynos boards to cope with it.
Bug-Debian: https://bugs.debian.org/920116
Signed-off-by: Benjamin Drung <bdrung@debian.org>
Gbp-Pq: Topic exynos
Gbp-Pq: Name 0001-arm-config-fix-default-console-only-to-specify-the-d.patch
Vagrant Cascadian [Sun, 29 Jun 2025 00:33:57 +0000 (02:33 +0200)]
test-imagetools-test-fixes
This patch allows testing in an alternate directory and also detects
failures to execute commands, treating that as a failure.
Gbp-Pq: Name test-imagetools-test-fixes
Vagrant Cascadian [Sun, 29 Jun 2025 00:33:57 +0000 (02:33 +0200)]
omap5_distro_bootcmd
Enable distro_bootcmd support (doc/README.distro) for omap5 targets.
Gbp-Pq: Topic am57xx
Gbp-Pq: Name omap5_distro_bootcmd
Vagrant Cascadian [Sun, 29 Jun 2025 00:33:57 +0000 (02:33 +0200)]
ensure-config-sandbox-for-make-env
Ensure that CONFIG_SANDBOX is set when running "make env", avoiding a
failure to build caused by config_distro_bootcmd.h following the wrong
codepath...
Gbp-Pq: Name ensure-config-sandbox-for-make-env.patch
Ian Campbell [Sun, 29 Jun 2025 00:33:57 +0000 (02:33 +0200)]
Add spl/arndale-spl.bin rule
Gbp-Pq: Topic arndale
Gbp-Pq: Name board-spl-rule.diff
Vagrant Cascadian [Sun, 29 Jun 2025 00:33:57 +0000 (02:33 +0200)]
mx53loco
Enables support for ext4, the "load" command, and using bootz with raw initrds.
Gbp-Pq: Name mx53loco
Hector Oron [Sun, 29 Jun 2025 00:33:57 +0000 (02:33 +0200)]
Enable generic tools build
Gbp-Pq: Name tools-generic-builds.patch
Vagrant Cascadian [Sun, 29 Jun 2025 00:33:57 +0000 (02:33 +0200)]
add-debian-revision-to-u-boot-version
Add the debian revision to the U-boot version, which is displayed at
boot and can be helpful to determine which specific version is used.
Gbp-Pq: Name add-debian-revision-to-u-boot-version
Daniel Leidert [Sun, 29 Jun 2025 00:33:57 +0000 (02:33 +0200)]
u-boot (2021.01+dfsg-5+deb11u2) bullseye-security; urgency=medium
* Non-maintainer upload by the Debian LTS team.
* d/patches/CVE-2021-27097-1.patch, d/patches/CVE-2021-27097-2.patch,
d/patches/CVE-2021-27097-3.patch, d/patches/CVE-2021-27097-4.patch: Add
patches to fix CVE-2021-27097.
- Fix mishandling of a modified FIT (closes: #983270).
* d/patches/CVE-2021-27138-1.patch, d/patches/CVE-2021-27138-2.patch: Add
patches to fix CVE-2021-27138.
- Fix mishandled use of unit addresses in a FIT (closes: #983269).
[dgit import unpatched u-boot 2021.01+dfsg-5+deb11u2]
Daniel Leidert [Sun, 29 Jun 2025 00:33:57 +0000 (02:33 +0200)]
Import u-boot_2021.01+dfsg-5+deb11u2.debian.tar.xz
[dgit import tarball u-boot 2021.01+dfsg-5+deb11u2 u-boot_2021.01+dfsg-5+deb11u2.debian.tar.xz]
Raspbian automatic forward porter [Sun, 4 May 2025 21:27:21 +0000 (22:27 +0100)]
Merge version 2021.01+dfsg-5+rpi1 and 2021.01+dfsg-5+deb11u1 to produce 2021.01+dfsg-5+rpi1+deb11u1
Daniel Leidert [Wed, 30 Apr 2025 23:19:02 +0000 (01:19 +0200)]
Merge u-boot (2021.01+dfsg-5+deb11u1) import into refs/heads/workingbranch
Richard Weinberger [Fri, 2 Aug 2024 20:05:09 +0000 (22:05 +0200)]
squashfs: Fix heap corruption in sqfs_search_dir()
res needs to be large enough to store both strings rem and target,
plus the path separator and the terminator.
Currently the space for the path separator is not accounted, so
the heap is corrupted by one byte.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/048d795bb5b3d9c5701b4855f5e74bcf6849bf5e
Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
Bug-Debian: https://bugs.debian.org/1098254
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57259
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57259
Gbp-Pq: Name CVE-2024-57259.patch
Richard Weinberger [Fri, 2 Aug 2024 10:08:43 +0000 (12:08 +0200)]
x86: Fix ptrdiff_t for x86_64
sbrk() assumes ptrdiff_t is large enough to enlarge/shrink the heap
by LONG_MIN/LONG_MAX.
So, use the long type, also to match the rest of the Linux ecosystem.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/c17b2a05dd50a3ba437e6373093a0d6a359cdee0
Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
Bug-Debian: https://bugs.debian.org/1098254
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57258
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57258
Gbp-Pq: Name CVE-2024-57258-3.patch
Richard Weinberger [Fri, 2 Aug 2024 10:08:44 +0000 (12:08 +0200)]
dlmalloc: Fix integer overflow in request2size()
req is of type size_t; casting it to long opens the door
for an integer overflow.
Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX
cause an overflow such that request2size() returns MINSIZE.
Fix by removing the cast.
The origin of the cast is unclear; it has always been in u-boot and ppcboot
and predates the CVS history.
Doug Lea's original dlmalloc implementation also doesn't have it.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/8642b2178d2c4002c99a0b69a845a48f2ae2706f
Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
Bug-Debian: https://bugs.debian.org/1098254
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57258
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57258
Gbp-Pq: Name CVE-2024-57258-2.patch
Richard Weinberger [Fri, 2 Aug 2024 10:08:45 +0000 (12:08 +0200)]
dlmalloc: Fix integer overflow in sbrk()
Make sure that the new break is within mem_malloc_start
and mem_malloc_end before making progress.
ulong new = old + increment; can overflow for extremely large
increment values and memset() can get wrongly called.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/0a10b49206a29b4aa2f80233a3e53ca0466bb0b3
Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
Bug-Debian: https://bugs.debian.org/1098254
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57258
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57258
Gbp-Pq: Name CVE-2024-57258-1.patch
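An added example (not U-Boot's dlmalloc) that models both dlmalloc defects described above: the `(long)` cast in request2size() that makes a request just below LONG_MAX collapse to MINSIZE, and an sbrk() whose possibly wrapped new break is range-checked before any memset(). The chunk constants, the toy arena and the function names are assumptions.

```c
/*
 * Added example, not U-Boot code: models the two dlmalloc size-handling bugs
 * from the CVE-2024-57258-1 and -2 commit messages. Constants, the toy arena
 * and the function names are assumptions.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIZE_SZ           sizeof(size_t)
#define MALLOC_ALIGNMENT  (2 * SIZE_SZ)
#define MALLOC_ALIGN_MASK (MALLOC_ALIGNMENT - 1)
#define MINSIZE           (4 * SIZE_SZ)     /* assumed smallest chunk size */
#define MORECORE_FAILURE  ((void *)-1)

/*
 * Buggy request2size(): the (long) cast turns a size_t request just below
 * LONG_MAX into a negative number, so it compares below MINSIZE and the
 * caller gets a MINSIZE chunk for a request it believes is enormous.
 */
static size_t request2size_buggy(size_t req)
{
	if ((long)(req + (SIZE_SZ + MALLOC_ALIGN_MASK)) <
	    (long)(MINSIZE + MALLOC_ALIGN_MASK))
		return MINSIZE;
	return (req + (SIZE_SZ + MALLOC_ALIGN_MASK)) & ~MALLOC_ALIGN_MASK;
}

/*
 * Fixed request2size(): same arithmetic, compared as unsigned, so a huge
 * request stays huge and the allocator fails it honestly. Requests within
 * SIZE_SZ + MALLOC_ALIGN_MASK of SIZE_MAX still wrap the unsigned add; the
 * cast removal alone does not cover those.
 */
static size_t request2size_fixed(size_t req)
{
	size_t padded = req + (SIZE_SZ + MALLOC_ALIGN_MASK);

	if (padded < MINSIZE + MALLOC_ALIGN_MASK)
		return MINSIZE;
	return padded & ~MALLOC_ALIGN_MASK;
}

/* Toy heap arena standing in for mem_malloc_start/_end/_brk (assumption). */
static unsigned char arena[4096];
static uintptr_t mem_malloc_start, mem_malloc_end, mem_malloc_brk;

static void arena_init(void)
{
	mem_malloc_start = (uintptr_t)arena;
	mem_malloc_end = mem_malloc_start + sizeof(arena);
	mem_malloc_brk = mem_malloc_start;
	memset(arena, 0xAA, sizeof(arena));
}

/*
 * Fixed sbrk(): old + increment is unsigned arithmetic and may wrap, so the
 * new break is checked against the arena BEFORE the memset() that clears
 * memory being handed back. Without that ordering a wrapped break means
 * memset() runs on an address far outside the heap.
 */
static void *sbrk_fixed(ptrdiff_t increment)
{
	uintptr_t old = mem_malloc_brk;
	uintptr_t nbrk = old + (uintptr_t)increment;   /* may wrap */

	if (nbrk < mem_malloc_start || nbrk > mem_malloc_end)
		return MORECORE_FAILURE;

	if (increment < 0)
		memset((void *)nbrk, 0, (size_t)0 - (size_t)increment);

	mem_malloc_brk = nbrk;
	return (void *)old;
}

int main(void)
{
	size_t huge = (size_t)LONG_MAX - 10;

	printf("request2size(100): buggy %zu, fixed %zu\n",
	       request2size_buggy(100), request2size_fixed(100));
	printf("request2size(LONG_MAX-10): buggy %zu (MINSIZE is %zu), fixed 0x%zx\n",
	       request2size_buggy(huge), (size_t)MINSIZE, request2size_fixed(huge));

	arena_init();
	printf("sbrk(64): %s\n", sbrk_fixed(64) == MORECORE_FAILURE ? "failed" : "ok");
	printf("sbrk(PTRDIFF_MIN): %s\n",
	       sbrk_fixed(PTRDIFF_MIN) == MORECORE_FAILURE ? "rejected" : "accepted");
	return 0;
}
```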
Richard Weinberger [Fri, 2 Aug 2024 16:36:47 +0000 (18:36 +0200)]
[PATCH] squashfs: Fix stack overflow while symlink resolving
The squashfs driver blindly follows symlinks, and calls sqfs_size()
recursively. So an attacker can create a crafted filesystem and with
a deep enough nesting level a stack overflow can be achieved.
Fix by limiting the nesting level to 8.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/4f5cc096bfd0a591f8a11e86999e3d90a9484c34
Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
Bug-Debian: https://bugs.debian.org/1098254
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57257
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57257
Gbp-Pq: Name CVE-2024-57257.patch
Richard Weinberger [Fri, 9 Aug 2024 09:54:28 +0000 (11:54 +0200)]
[PATCH] ext4: Fix integer overflow in ext4fs_read_symlink()
While zalloc() takes a size_t type, adding 1 to the le32 variable
will overflow.
A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff
and as consequence zalloc() will do a zero allocation.
Later in the function the inode size is again used for copying data.
So an attacker can overwrite memory.
Avoid the overflow by using the __builtin_add_overflow() helper.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/35f75d2a46e5859138c83a75cd2f4141c5479ab9
Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
Bug-Debian: https://bugs.debian.org/1098254
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57256
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57256
Gbp-Pq: Name CVE-2024-57256.patch
Richard Weinberger [Fri, 2 Aug 2024 16:36:44 +0000 (18:36 +0200)]
squashfs: Fix integer overflow in sqfs_resolve_symlink()
A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff,
as a consequence malloc() will do a zero allocation.
Later in the function the inode size is again used for copying data.
So an attacker can overwrite memory.
Avoid the overflow by using the __builtin_add_overflow() helper.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/233945eba63e24061dffeeaeb7cd6fe985278356
Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
Bug-Debian: https://bugs.debian.org/1098254
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57255
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57255
Gbp-Pq: Name CVE-2024-57255.patch
Richard Weinberger [Fri, 2 Aug 2024 16:36:45 +0000 (18:36 +0200)]
squashfs: Fix integer overflow in sqfs_inode_size()
A carefully crafted squashfs filesystem can exhibit an extremely large
inode size and overflow the calculation in sqfs_inode_size().
As a consequence, the squashfs driver will read from wrong locations.
Fix by using __builtin_add_overflow() to detect the overflow.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/c8e929e5758999933f9e905049ef2bf3fe6b140d
Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
Bug-Debian: https://bugs.debian.org/1098254
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57254
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57254
Gbp-Pq: Name CVE-2024-57254.patch
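An added example, not U-Boot's code, for the three squashfs/ext4 size-overflow commits above: the 32-bit `inode_size + 1` wrap that turns a 0xffffffff size into a zero-length allocation, and the `__builtin_add_overflow()` guard that rejects it (the same guard covers the header + inode_size sum in sqfs_inode_size()). The `toy_inode` struct, the helper names and the sample inodes are constructed for the demo.

```c
/*
 * Added example, not U-Boot code: the "size + 1" wrap from the
 * ext4fs_read_symlink() / sqfs_resolve_symlink() commits and the
 * __builtin_add_overflow() guard. Struct and function names are
 * hypothetical; the inodes below are constructed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy on-disk inode: the size field is 32 bits and attacker-controlled. */
struct toy_inode {
	uint32_t size;        /* stands in for the le32 inode size */
	const uint8_t *data;  /* symlink target bytes in the image */
};

/*
 * Buggy allocation size: inode_size + 1 is evaluated in 32-bit arithmetic,
 * so 0xffffffff + 1 wraps to 0 before it is widened to size_t. zalloc(0)
 * hands back a zero-length buffer and the later memcpy() of inode_size
 * bytes writes far past it.
 */
static size_t symlink_alloc_size_buggy(uint32_t inode_size)
{
	return inode_size + 1;
}

/*
 * Fixed allocation size: __builtin_add_overflow() reports the wrap instead
 * of silently truncating. Writing (size_t)inode_size + 1 would only help
 * where size_t is 64-bit; the builtin is right on 32-bit targets too.
 */
static bool symlink_alloc_size_fixed(uint32_t inode_size, size_t *out)
{
	uint32_t len;

	if (__builtin_add_overflow(inode_size, 1u, &len))
		return false;
	*out = len;
	return true;
}

/* Same idea for "header + payload" sums such as the one in sqfs_inode_size(). */
static bool add_size_checked(size_t a, size_t b, size_t *out)
{
	return !__builtin_add_overflow(a, b, out);
}

/* Hardened reader: NUL-terminated copy of the target, or NULL if the size is bogus. */
static char *read_symlink_fixed(const struct toy_inode *ino)
{
	size_t alloc;
	char *target;

	if (!symlink_alloc_size_fixed(ino->size, &alloc))
		return NULL;
	target = calloc(1, alloc);                /* zalloc() equivalent */
	if (!target)
		return NULL;
	memcpy(target, ino->data, ino->size);     /* safe: alloc == size + 1 */
	return target;
}

int main(void)
{
	static const uint8_t good_data[] = "boot/vmlinuz";
	struct toy_inode good = { sizeof(good_data) - 1, good_data };
	struct toy_inode evil = { 0xffffffffu, good_data };
	size_t n;
	char *t;

	printf("buggy size for 0xffffffff: %zu\n", symlink_alloc_size_buggy(evil.size));
	printf("fixed size for 0xffffffff: %s\n",
	       symlink_alloc_size_fixed(evil.size, &n) ? "ok" : "rejected");
	t = read_symlink_fixed(&good);
	printf("good symlink: %s\n", t ? t : "(null)");
	free(t);
	printf("evil symlink: %s\n", read_symlink_fixed(&evil) ? "read" : "rejected");
	return 0;
}
```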
Venkatesh Yadav Abbarapu [Thu, 3 Nov 2022 04:07:48 +0000 (09:37 +0530)]
[PATCH] usb: gadget: dfu: Fix the unchecked length field
The DFU implementation does not bound the length field in USB
DFU download setup packets, and it does not verify the transfer
direction. Fix the length and transfer direction checks.
CVE-2022-2347
Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com>
Reviewed-by: Marek Vasut <marex@denx.de>
Note (<dleidert>): I'm not sure if this patch should be applied as well:
https://source.denx.de/u-boot/u-boot/-/commit/86b6a38863bebb70a65a53f93a1ffafc4a472169
It is not related to the issue, though.
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/fbce985e28eaca3af82afecc11961aadaf971a7e
Bug: https://www.openwall.com/lists/oss-security/2022/07/08/2
Bug-Debian: https://bugs.debian.org/1014959
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-2347
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2022-2347
Gbp-Pq: Name CVE-2022-2347.patch
Andrea zi0Black Cappa [Wed, 18 May 2022 16:30:08 +0000 (16:30 +0000)]
net: nfs: Fix CVE-2022-30767 (old CVE-2019-14196)
This patch mitigates the vulnerability identified via CVE-2019-14196.
The previous patch was bypassed/ineffective, and now the vulnerability
is identified via CVE-2022-30767. The patch removes the sanity check
introduced to mitigate CVE-2019-14196 since it's ineffective.
filefh3_length is changed to unsigned type integer, preventing negative
numbers from being used during comparison with positive values during
size sanity checks.
Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/bdbf7a05e26f3c5fd437c99e2755ffde186ddc80
Bug: https://lists.denx.de/pipermail/u-boot/2022-May/483952.html
Bug-Debian: https://bugs.debian.org/1014471
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-30767
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2022-30767
Gbp-Pq: Name CVE-2022-30767.patch
Fabio Estevam [Thu, 26 May 2022 14:14:37 +0000 (11:14 -0300)]
net: Check for the minimum IP fragmented datagram size
Nicolas Bidron and Nicolas Guigo reported the two bugs below:
"
----------BUG 1----------
In compiled versions of U-Boot that define CONFIG_IP_DEFRAG, a value of
`ip->ip_len` (IP packet header's Total Length) higher than `IP_HDR_SIZE`
and strictly lower than `IP_HDR_SIZE+8` will lead to a value for `len`
comprised between `0` and `7`. This will ultimately result in a
truncated division by `8` resulting value of `0` forcing the hole
metadata and fragment to point to the same location. The subsequent
memcopy will overwrite the hole metadata with the fragment data. Through
a second fragment, this can be exploited to write to an arbitrary offset
controlled by that overwritten hole metadata value.
This bug is only exploitable locally as it requires crafting two packets
the first of which would most likely be dropped through routing due to
its unexpectedly low Total Length. However, this bug can potentially be
exploited to root linux based embedded devices locally.
```C
static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
{
	static uchar pkt_buff[IP_PKTSIZE] __aligned(PKTALIGN);
	static u16 first_hole, total_len;
	struct hole *payload, *thisfrag, *h, *newh;
	struct ip_udp_hdr *localip = (struct ip_udp_hdr *)pkt_buff;
	uchar *indata = (uchar *)ip;
	int offset8, start, len, done = 0;
	u16 ip_off = ntohs(ip->ip_off);

	/* payload starts after IP header, this fragment is in there */
	payload = (struct hole *)(pkt_buff + IP_HDR_SIZE);
	offset8 = (ip_off & IP_OFFS);
	thisfrag = payload + offset8;
	start = offset8 * 8;
	len = ntohs(ip->ip_len) - IP_HDR_SIZE;
```
The last line of the previous excerpt from `u-boot/net/net.c` shows how
the attacker can control the value of `len` to be strictly lower than
`8` by issuing a packet with `ip_len` between `21` and `27`
(`IP_HDR_SIZE` has a value of `20`).
Also note that `offset8` here is `0` which leads to `thisfrag = payload`.
```C
	} else if (h >= thisfrag) {
		/* overlaps with initial part of the hole: move this hole */
		newh = thisfrag + (len / 8);
		*newh = *h;
		h = newh;
		if (h->next_hole)
			payload[h->next_hole].prev_hole = (h - payload);
		if (h->prev_hole)
			payload[h->prev_hole].next_hole = (h - payload);
		else
			first_hole = (h - payload);
	} else {
```
Lower down the same function, execution reaches the above code path.
Here, `len / 8` evaluates to `0` leading to `newh = thisfrag`. Also note
that `first_hole` here is `0` since `h` and `payload` point to the same
location.
```C
	/* finally copy this fragment and possibly return whole packet */
	memcpy((uchar *)thisfrag, indata + IP_HDR_SIZE, len);
```
Finally, in the above excerpt the `memcpy` overwrites the hole metadata
since `thisfrag` and `h` both point to the same location. The hole
metadata is effectively overwritten with arbitrary data from the
fragmented IP packet data. If `len` was crafted to be `6`, `last_byte`,
`next_hole`, and `prev_hole` of the `first_hole` can be controlled by
the attacker.
Finally the arbitrary offset write occurs through a second fragment that
only needs to be crafted to write data in the hole pointed to by the
previously controlled hole metadata (`next_hole`) from the first packet.
### Recommendation
Handle cases where `len` is strictly lower than 8 by preventing the
overwrite of the hole metadata during the memcpy of the fragment. This
could be achieved by either:
* Moving the location where the hole metadata is stored when `len` is
lower than `8`.
* Or outright rejecting fragmented IP datagram with a Total Length
(`ip_len`) lower than 28 bytes which is the minimum valid fragmented IP
datagram size (as defined as the minimum fragment of 8 octets in the IP
Specification Document:
[RFC791](https://datatracker.ietf.org/doc/html/rfc791) page 25).
----------BUG 2----------
In compiled versions of U-Boot that define CONFIG_IP_DEFRAG, a value of
`ip->ip_len` (IP packet header's Total Length) lower than `IP_HDR_SIZE`
will lead to a negative value for `len` which will ultimately result in
a buffer overflow during the subsequent `memcpy` that uses `len` as its
`count` parameter.
This bug is only exploitable on local ethernet as it requires crafting
an invalid packet to include an unexpected `ip_len` value in the IP UDP
header that's lower than the minimum accepted Total Length of a packet
(21 as defined in the IP Specification Document:
[RFC791](https://datatracker.ietf.org/doc/html/rfc791)). Such packet
would in all likelihood be dropped while being routed to its final
destination through most routing equipment and as such requires the
attacker to be in a local position in order to be exploited.
```C
static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
{
	static uchar pkt_buff[IP_PKTSIZE] __aligned(PKTALIGN);
	static u16 first_hole, total_len;
	struct hole *payload, *thisfrag, *h, *newh;
	struct ip_udp_hdr *localip = (struct ip_udp_hdr *)pkt_buff;
	uchar *indata = (uchar *)ip;
	int offset8, start, len, done = 0;
	u16 ip_off = ntohs(ip->ip_off);

	/* payload starts after IP header, this fragment is in there */
	payload = (struct hole *)(pkt_buff + IP_HDR_SIZE);
	offset8 = (ip_off & IP_OFFS);
	thisfrag = payload + offset8;
	start = offset8 * 8;
	len = ntohs(ip->ip_len) - IP_HDR_SIZE;
```
The last line of the previous excerpt from `u-boot/net/net.c` shows
where the underflow to a negative `len` value occurs if `ip_len` is set
to a value strictly lower than 20 (`IP_HDR_SIZE` being 20). Also note
that in the above excerpt the `pkt_buff` buffer has a size of
`CONFIG_NET_MAXDEFRAG` which defaults to 16 KB but can range from 1KB to
64 KB depending on configurations.
```C
	/* finally copy this fragment and possibly return whole packet */
	memcpy((uchar *)thisfrag, indata + IP_HDR_SIZE, len);
```
In the above excerpt the `memcpy` overflows the destination by
attempting to make a copy of nearly 4 gigabytes in a buffer that's
designed to hold `CONFIG_NET_MAXDEFRAG` bytes at most which leads to a DoS.
### Recommendation
Stop processing of the packet if `ip_len` is lower than 21 (as defined
by the minimum length of a data carrying datagram in the IP
Specification Document:
[RFC791](https://datatracker.ietf.org/doc/html/rfc791) page 34)."
Add a check for ip_len lesser than 28 and stop processing the packet
in this case.
Such a check covers the two reported bugs.
Reported-by: Nicolas Bidron <nicolas.bidron@nccgroup.com>
Signed-off-by: Fabio Estevam <festevam@denx.de>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/b85d130ea0cac152c21ec38ac9417b31d41b5552
Bug: https://www.nccgroup.com/us/research-blog/technical-advisory-multiple-vulnerabilities-in-u-boot-cve-2022-30790-cve-2022-30552/
Bug-Debian: https://bugs.debian.org/1014470
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-30790
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-30552
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2022-30790
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2022-30552
Gbp-Pq: Name CVE-2022-30790.patch
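The Total Length guard the commit above adds in front of reassembly, beside the unguarded `len` computation from the quoted report, as an added example that is not U-Boot's net.c. The header is parsed byte-wise from constructed sample packets; IP_MIN_FRAG_DATAGRAM_SIZE, the helper names and the extra received-length check are assumptions, and the caller is assumed to have already established that the packet is a fragment.

```c
/*
 * Added example, not U-Boot code: the ip_len < 28 guard from the
 * CVE-2022-30790 / CVE-2022-30552 fix next to the unguarded arithmetic the
 * report quotes. Constants and names are assumptions; sample headers are
 * constructed. Assumes the caller already knows the packet is a fragment.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HDR_SIZE               20     /* IPv4 header without options */
#define IP_MIN_FRAG_DATAGRAM_SIZE 28     /* header + one 8-octet fragment (RFC 791) */
#define IP_FLAGS_MF               0x2000 /* "more fragments" bit */

static uint16_t rd16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/* Construct a minimal IPv4/UDP header with the given Total Length and fragment word. */
static void make_hdr(uint8_t *buf, uint16_t ip_len, uint16_t ip_off)
{
	memset(buf, 0, IP_HDR_SIZE);
	buf[0] = 0x45;                         /* version 4, IHL 5 */
	buf[2] = (uint8_t)(ip_len >> 8);
	buf[3] = (uint8_t)(ip_len & 0xff);
	buf[6] = (uint8_t)(ip_off >> 8);
	buf[7] = (uint8_t)(ip_off & 0xff);
	buf[9] = 17;                           /* protocol: UDP */
}

/*
 * The report's arithmetic with no guard: ip_len < 20 yields a negative len
 * (a huge size_t by the time it reaches memcpy); 21..27 yields 0 < len < 8,
 * so len / 8 == 0 and the relocated hole lands on the fragment data itself.
 */
static int frag_payload_len_unchecked(const uint8_t *pkt)
{
	return (int)rd16(pkt + 2) - IP_HDR_SIZE;
}

/*
 * Guarded version: returns the payload length to hand to the reassembler,
 * or -1 to drop the packet. One comparison against 28 covers both reported
 * cases; the pktlen checks are extra sanity checks, not part of the
 * upstream fix.
 */
static int frag_payload_len(const uint8_t *pkt, size_t pktlen)
{
	uint16_t ip_len;

	if (pktlen < IP_HDR_SIZE)
		return -1;
	ip_len = rd16(pkt + 2);
	if (ip_len < IP_MIN_FRAG_DATAGRAM_SIZE)
		return -1;                     /* the CVE-2022-30790/30552 check */
	if (ip_len > pktlen)
		return -1;                     /* header claims more than was received */
	return ip_len - IP_HDR_SIZE;
}

int main(void)
{
	static const uint16_t samples[] = { 19, 20, 24, 28, 60 };
	uint8_t pkt[64];
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		make_hdr(pkt, samples[i], IP_FLAGS_MF);
		printf("ip_len=%2u  unchecked len=%3d  guarded len=%3d\n",
		       (unsigned)samples[i], frag_payload_len_unchecked(pkt),
		       frag_payload_len(pkt, sizeof(pkt)));
	}
	return 0;
}
```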
Miquel Raynal [Thu, 9 Jun 2022 14:02:06 +0000 (16:02 +0200)]
[PATCH] fs/squashfs: sqfs_read: Prevent arbitrary code execution
Following Jincheng's report, an out-of-band write leading to arbitrary
code execution is possible because on one side the squashfs logic
accepts directory names up to 65535 bytes (u16), while U-Boot fs logic
accepts directory names up to 255 bytes long.
Prevent such an exploit from happening by capping directory name sizes
to 255. Use a define for this purpose so that developers can link the
limitation to its source and eventually kill it some day by dynamically
allocating this array (if ever desired).
Link: https://lore.kernel.org/all/CALO=DHFB+yBoXxVr5KcsK0iFdg+e7ywko4-e+72kjbcS8JBfPw@mail.gmail.com
Reported-by: Jincheng Wang <jc.w4ng@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Tested-by: Jincheng Wang <jc.w4ng@gmail.com>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/2ac0baab4aff1a0b45067d0b62f00c15f4e86856
Bug: https://lore.kernel.org/all/CALO=DHFB+yBoXxVr5KcsK0iFdg+e7ywko4-e+72kjbcS8JBfPw@mail.gmail.com/
Bug-Debian: https://bugs.debian.org/1014528
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-33103
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2022-33103
Gbp-Pq: Name CVE-2022-33103.patch
Miquel Raynal [Mon, 27 Jun 2022 10:20:03 +0000 (12:20 +0200)]
[PATCH] fs/squashfs: Use kcalloc when relevant
A crafted squashfs image could embed a huge number of empty metadata
blocks in order to make the amount of malloc()'d memory overflow and be
much smaller than expected. Because of this flaw, any random code
positioned at the right location in the squashfs image could be memcpy'd
from the squashfs structures into U-Boot code location while trying to
access the rearmost blocks, before being executed.
In order to prevent this vulnerability from being exploited in eg. a
secure boot environment, let's add a check over the amount of data
that is going to be allocated. Such a check could look like:
if (!elem_size || n > SIZE_MAX / elem_size)
	return NULL;
The right way to do it would be to enhance the calloc() implementation
but this is quite an impacting change for such a small fix. Another
solution would be to add the check before the malloc call in the
squashfs implementation, but this does not look right. So for now, let's
use the kcalloc() compatibility function from Linux, which has this
check.
Fixes: c5100613037 ("fs/squashfs: new filesystem")
Reported-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu@sony.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Tested-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu@sony.com>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://github.com/u-boot/u-boot/commit/b6f4c757959f8850e1299a77c8e5713da78e8ec0
Bug: https://lists.denx.de/pipermail/u-boot/2022-June/487467.html
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-33967
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2022-33967
Gbp-Pq: Name CVE-2022-33967.patch
Nicolas Iooss [Fri, 10 Jun 2022 14:50:25 +0000 (14:50 +0000)]
[PATCH] i2c: fix stack buffer overflow vulnerability in i2c md command
When running "i2c md 0 0 80000100", the function do_i2c_md parses the
length into an unsigned int variable named length. The value is then
moved to a signed variable:
int nbytes = length;
#define DISP_LINE_LEN 16
int linebytes = (nbytes > DISP_LINE_LEN) ? DISP_LINE_LEN : nbytes;
ret = dm_i2c_read(dev, addr, linebuf, linebytes);
On systems where integers are 32 bits wide, 0x80000100 is a negative
value, so "nbytes > DISP_LINE_LEN" is false and linebytes gets assigned
0x80000100 instead of 16.
The consequence is that the function which reads from the i2c device
(dm_i2c_read or i2c_read) is called with a 16-byte stack buffer to fill
but with a size parameter which is too large. In some cases, this could
trigger a crash. But with some i2c drivers, such as drivers/i2c/nx_i2c.c
(used with "nexell,s5pxx18-i2c" bus), the size is actually truncated to
a 16-bit integer. This is because function i2c_transfer expects an
unsigned short length. In such a case, an attacker who can control the
response of an i2c device can overwrite the return address of a function
and execute arbitrary code through Return-Oriented Programming.
Fix this issue by using unsigned integer types in do_i2c_md. While at
it, also make alen unsigned, as signed sizes can cause vulnerabilities
when people forget to check that they can be negative.
Signed-off-by: Nicolas Iooss <nicolas.iooss+uboot@ledger.fr>
Reviewed-by: Heiko Schocher <hs@denx.de>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409
Bug: https://lists.denx.de/pipermail/u-boot/2022-June/486113.html
Bug-Debian: https://bugs.debian.org/1014529
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-34835
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2022-34835
Gbp-Pq: Name CVE-2022-34835.patch
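The `linebytes` clamp from the commit above in its signed and unsigned forms, plus a bounded 'md' loop, as an added example that is not U-Boot's cmd/i2c.c. No bus is touched: `fake_device` and `fake_i2c_read()` are constructed stand-ins for the device and for dm_i2c_read(), and every name except DISP_LINE_LEN is hypothetical.

```c
/*
 * Added example, not U-Boot code: the signed clamp bug in 'i2c md'
 * (CVE-2022-34835) beside the unsigned version. The device and the read
 * routine are constructed stand-ins; only DISP_LINE_LEN comes from the
 * commit message.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DISP_LINE_LEN 16

/* Constructed "I2C device" contents: byte i holds the value i. */
static uint8_t fake_device[64];

static void fake_device_init(void)
{
	size_t i;

	for (i = 0; i < sizeof(fake_device); i++)
		fake_device[i] = (uint8_t)i;
}

/*
 * Stand-in for dm_i2c_read(). A real driver cannot know how big the caller's
 * buffer is, which is why the caller's length must be right; here we only
 * refuse reads past the end of the constructed device.
 */
static int fake_i2c_read(unsigned int addr, uint8_t *buf, unsigned int len)
{
	if (addr > sizeof(fake_device) || len > sizeof(fake_device) - addr)
		return -1;
	memcpy(buf, fake_device + addr, len);
	return 0;
}

/*
 * Buggy clamp: the parsed length lands in a signed int. With a 32-bit int,
 * 0x80000100 is negative, "nbytes > DISP_LINE_LEN" is false and linebytes
 * becomes 0x80000100 instead of 16. A driver taking a 16-bit length then
 * sees 0x0100 = 256 bytes to write into a 16-byte stack buffer.
 */
static int linebytes_buggy(unsigned int length)
{
	int nbytes = length;
	int linebytes = (nbytes > DISP_LINE_LEN) ? DISP_LINE_LEN : nbytes;

	return linebytes;
}

/* Fixed clamp: stay unsigned, so the comparison means what it says. */
static unsigned int linebytes_fixed(unsigned int length)
{
	unsigned int nbytes = length;

	return (nbytes > DISP_LINE_LEN) ? DISP_LINE_LEN : nbytes;
}

/*
 * Fixed 'md' loop: never asks the driver for more than the 16-byte line
 * buffer can hold. Returns the number of bytes actually read before the
 * request was satisfied or the device ran out.
 */
static unsigned int i2c_md_fixed(unsigned int addr, unsigned int length)
{
	unsigned int nbytes = length;
	unsigned int total = 0;
	uint8_t linebuf[DISP_LINE_LEN];

	while (nbytes > 0) {
		unsigned int linebytes = linebytes_fixed(nbytes);
		unsigned int i;

		if (fake_i2c_read(addr, linebuf, linebytes) != 0)
			break;
		printf("%04x:", addr);
		for (i = 0; i < linebytes; i++)
			printf(" %02x", linebuf[i]);
		printf("\n");
		addr += linebytes;
		nbytes -= linebytes;
		total += linebytes;
	}
	return total;
}

int main(void)
{
	fake_device_init();
	printf("linebytes_buggy(0x80000100) = %d\n", linebytes_buggy(0x80000100u));
	printf("linebytes_fixed(0x80000100) = %u\n", linebytes_fixed(0x80000100u));
	printf("read %u bytes\n", i2c_md_fixed(0, 40));
	return 0;
}
```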
Heinrich Schuchardt [Sun, 24 Jan 2021 14:34:12 +0000 (14:34 +0000)]
[PATCH] efi_loader: switch to non-secure mode later
Some ARMv7 boards using PSCI require to be in secure-mode when booted via
'bootz' or 'bootm'. During distro-boot 'bootefi bootmgr' is called to check
if booting via UEFI is possible.
With this change, the switch from secure mode to non-secure mode is
moved from the UEFI subsystem setup to just before calling StartImage().
Cc: Jernej Škrabec <jernej.skrabec@gmail.com>
Reported by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Gbp-Pq: Topic upstream
Gbp-Pq: Name 0001-efi_loader-switch-to-non-secure-mode-later.patch
Arnaud Ferraris [Wed, 2 Sep 2020 07:53:50 +0000 (09:53 +0200)]
[PATCH] configs: add PineTab defconfig
From 2c346cacb4b0841051bceb27a57058020860ab8b Mon Sep 17 00:00:00 2001
Forwarded: https://patchwork.ozlabs.org/project/uboot/list/?series=232582
The PineTab device-tree is already in u-boot; this commit adds the corresponding
defconfig, based on pinephone_defconfig.
Signed-off-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
Gbp-Pq: Topic pinetab
Gbp-Pq: Name 0001-configs-add-PineTab-defconfig.patch
Vagrant Cascadian [Wed, 30 Apr 2025 23:19:02 +0000 (01:19 +0200)]
disable-preboot
Disable USE_PREBOOT as a workaround to boot failure triggered by
initializing USB. (Closes: #973323, #980434)
Reported upstream:
https://lists.denx.de/pipermail/u-boot/2021-January/438098.html
Gbp-Pq: Topic rk3399
Gbp-Pq: Name disable-preboot
Vagrant Cascadian [Wed, 30 Apr 2025 23:19:02 +0000 (01:19 +0200)]
bootz_and_raw_initrd
Enable booting of zImage/vmlinuz and initrd without requiring the use
of mkimage to create uImage/uInitrd.
Gbp-Pq: Topic n900
Gbp-Pq: Name bootz_and_raw_initrd.patch
David Abdurachmanov [Wed, 21 Aug 2019 19:07:20 +0000 (12:07 -0700)]
[PATCH] qemu-riscv64_smode, sifive-fu540: fix extlinux (define preboot)
From 3fc056f0b9f7c26e58a1e947c8c0184e55919614 Mon Sep 17 00:00:00 2001
Forwarded: https://patchwork.ozlabs.org/patch/1151125/
Commit 37304aaf60bf92a5dc3ef222ba520698bd862a44 removed preboot
commands in RISC-V targets and broke extlinux support as reported
by Fu Wei <wefu@redhat.com>.
The patch finishes migration of CONFIG_USE_PREBOOT and CONFIG_REBOOT
to Kconfig.
Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com>
Gbp-Pq: Topic riscv64
Gbp-Pq: Name qemu-riscv64_smode-sifive-fu540-fix-extlinux-define-.patch
Dongjin Kim [Sat, 28 Oct 2017 04:22:27 +0000 (00:22 -0400)]
[PATCH] arm: config: fix default console only to specify the device
This reverts commit 767edf0f6b3eaa0303f3fd6afdc14ddce0aca70c and restores
commit 232ed3ca534708527a9515c7c41bc3542949525c.
Debian's flash-kernel expects the console variable to just contain the device,
because it will set the bootargs to "console=${console}". So revert adding
"console=" to the console parameter, but also adjust the shipped bootscripts
for exynos boards to cope with it.
Bug-Debian: https://bugs.debian.org/920116
Signed-off-by: Benjamin Drung <bdrung@debian.org>
Gbp-Pq: Topic exynos
Gbp-Pq: Name 0001-arm-config-fix-default-console-only-to-specify-the-d.patch
Vagrant Cascadian [Wed, 30 Apr 2025 23:19:02 +0000 (01:19 +0200)]
test-imagetools-test-fixes
This patch allows testing in an alternate directory and also detects
failures to execute commands, treating that as a failure.
Gbp-Pq: Name test-imagetools-test-fixes
Vagrant Cascadian [Wed, 30 Apr 2025 23:19:02 +0000 (01:19 +0200)]
omap5_distro_bootcmd
Enable distro_bootcmd support (doc/README.distro) for omap5 targets.
Gbp-Pq: Topic am57xx
Gbp-Pq: Name omap5_distro_bootcmd
Vagrant Cascadian [Wed, 30 Apr 2025 23:19:02 +0000 (01:19 +0200)]
ensure-config-sandbox-for-make-env
Ensure that CONFIG_SANDBOX is set when running "make env", avoiding a
failure to build caused by config_distro_bootcmd.h following the wrong
codepath...
Gbp-Pq: Name ensure-config-sandbox-for-make-env.patch
Ian Campbell [Wed, 30 Apr 2025 23:19:02 +0000 (01:19 +0200)]
Add spl/arndale-spl.bin rule
Gbp-Pq: Topic arndale
Gbp-Pq: Name board-spl-rule.diff
Vagrant Cascadian [Wed, 30 Apr 2025 23:19:02 +0000 (01:19 +0200)]
mx53loco
Enables support for ext4, the "load" command, and using bootz with raw initrds.
Gbp-Pq: Name mx53loco
Hector Oron [Wed, 30 Apr 2025 23:19:02 +0000 (01:19 +0200)]
Enable generic tools build
Gbp-Pq: Name tools-generic-builds.patch
Vagrant Cascadian [Wed, 30 Apr 2025 23:19:02 +0000 (01:19 +0200)]
add-debian-revision-to-u-boot-version
Add the debian revision to the U-boot version, which is displayed at
boot and can be helpful to determine which specific version is used.
Gbp-Pq: Name add-debian-revision-to-u-boot-version
Daniel Leidert [Wed, 30 Apr 2025 23:19:02 +0000 (01:19 +0200)]
u-boot (2021.01+dfsg-5+deb11u1) bullseye-security; urgency=medium
* Non-maintainer upload by the Debian LTS team.
* d/patches/CVE-2022-34835.patch: Add patch to fix CVE-2022-34835.
- Fix an integer signedness error and resultant stack-based buffer overflow
in the 'i2c md' command that enables the corruption of the return address
pointer of the do_i2c_md function (closes: #
1014529).
* d/patches/CVE-2022-33967.patch: Add patch to fix CVE-2022-33967.
- Fix a heap-based buffer overflow vulnerability due to a defect in the
metadata reading process which may lead to a denial-of-service (DoS)
condition or arbitrary code execution by loading a specially crafted
squashfs image.
* d/patches/CVE-2022-33103.patch: Add patch to fix CVE-2022-33103.
- Fix an an out-of-bounds write (closes: #
1014528).
* d/patches/CVE-2022-30790.patch: Add patch to fix CVE-2022-30790 and
CVE-2022-30552.
- Fix a a Buffer Overflow (closes: #
1014470).
* d/patches/CVE-2022-30767.patch: Add patch to fix CVE-2022-30767.
- Fix an unbounded memcpy with a failed length check, leading to a buffer
overflow. This issue exists due to an incorrect fix for CVE-2019-14196
(closes: #
1014471).
* d/patches/CVE-2022-2347.patch: Add patch to fix CVE-2022-2347.
- Fix an unchecked length field leading to a heap overflow
(closes: #
1014959).
* d/patches/CVE-2024-57254.patch: Add patch to fix CVE-2024-57254.
- Fix an integer overflow in sqfs_inode_size (closes:
1098254).
* d/patches/CVE-2024-57255.patch: Add patch to fix CVE-2024-57255.
- Fix an integer overflow in sqfs_resolve_symlink (closes: #
1098254).
* d/patches/CVE-2024-57256.patch: Add patch to fix CVE-2024-57256.
- Fix an integer overflow in ext4fs_read_symlink (closes: #
1098254).
* d/patches/CVE-2024-57257.patch: Add patch to fix CVE-2024-57257.
- Fix a stack consumption issue in sqfs_size possible with deep symlink
nesting (closes: #
1098254).
* d/patches/CVE-2024-57258-1.patch, d/patches/CVE-2024-57258-2.patch,
d/patches/CVE-2024-57258-3.patch: Add patches to fix CVE-2024-57258.
- Fix multiple integer overflows (closes: #1098254).
* d/patches/CVE-2024-57259.patch: Add patch to fix CVE-2024-57259.
- Fix an off-by-one error resulting in a heap memory corruption in
sqfs_search_dir (closes: #1098254).
[dgit import unpatched u-boot 2021.01+dfsg-5+deb11u1]
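The changelog entry above names three bug classes in the filesystem and command parsers (a signed length that slips past an upper-bound check, an integer overflow in a size computation, and unbounded symlink nesting). The following is an added illustration by the editor, not u-boot code and not the content of any of the patches listed: each flawed pattern is shown next to a checked version, on constructed sample data. All function names (flawed_length_check, checked_table_size, resolve), the RECORD_MAX and SYMLINK_DEPTH_MAX limits, and the SAMPLE_FS table are invented for this example.

```c
/*
 * Added example (editor's illustration, not u-boot code): the bug
 * classes named in the changelog, each beside a checked version.
 * Names, limits and the sample table below are invented for this file.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RECORD_MAX 16u         /* size of the fixed on-stack record buffer */
#define SYMLINK_DEPTH_MAX 40   /* hop budget for the symlink example */

/*
 * 1. Signedness.  A length read from untrusted input into a signed int
 *    and tested only against an upper bound.  A negative value passes
 *    the test and becomes a huge size_t when handed to memcpy().
 */
static bool flawed_length_check(int length)
{
    return !(length > (int)RECORD_MAX);   /* -1 > 16 is false: admitted */
}

static bool fixed_length_check(int length)
{
    return length >= 0 && (unsigned int)length <= RECORD_MAX;
}

/* Copies at most RECORD_MAX bytes through an on-stack record into 'out'.
 * Returns the number of bytes copied, or -1 when the length is rejected. */
static int copy_record(const uint8_t *src, int length, uint8_t *out)
{
    uint8_t record[RECORD_MAX];

    if (!fixed_length_check(length))
        return -1;
    memcpy(record, src, (size_t)length);
    memcpy(out, record, (size_t)length);
    return length;
}

/*
 * 2. Integer overflow in a size computation.  count * entry_size + header
 *    wraps in 32 bits, so a buffer sized from it is too small for the
 *    data later copied into it.  The checked version refuses to wrap.
 */
static uint32_t flawed_table_size(uint32_t count, uint32_t entry_size,
                                  uint32_t header)
{
    return count * entry_size + header;   /* silently wraps */
}

/* Writes the size to *out and returns true only when it fits in 32 bits. */
static bool checked_table_size(uint32_t count, uint32_t entry_size,
                               uint32_t header, uint32_t *out)
{
    if (entry_size != 0 && count > (UINT32_MAX - header) / entry_size)
        return false;
    *out = count * entry_size + header;
    return true;
}

/*
 * 3. Symlink nesting.  A resolver that recurses once per link can be
 *    driven to stack exhaustion by a long or cyclic chain.  This one
 *    iterates with a hop budget instead.
 */
struct entry {
    const char *name;
    const char *target;   /* NULL for a regular file */
};

/* Constructed sample data: a -> b -> c (file), and a two-link cycle. */
static const struct entry SAMPLE_FS[] = {
    { "a", "b" }, { "b", "c" }, { "c", NULL },
    { "loop1", "loop2" }, { "loop2", "loop1" },
};
#define SAMPLE_FS_LEN (sizeof(SAMPLE_FS) / sizeof(SAMPLE_FS[0]))

static int lookup(const char *name)
{
    for (size_t i = 0; i < SAMPLE_FS_LEN; i++)
        if (strcmp(SAMPLE_FS[i].name, name) == 0)
            return (int)i;
    return -1;
}

/* Returns the index of the final regular file, or -1 when the name is
 * unknown or the hop budget is exhausted (deep chain or cycle). */
static int resolve(const char *name)
{
    int idx = lookup(name);

    for (int hops = 0; idx >= 0 && SAMPLE_FS[idx].target != NULL; hops++) {
        if (hops >= SYMLINK_DEPTH_MAX)
            return -1;
        idx = lookup(SAMPLE_FS[idx].target);
    }
    return idx;
}
```

The checked arithmetic uses a division against UINT32_MAX rather than a compiler builtin so it is portable to any C compiler a firmware tree might use; the symlink budget is a fixed hop count, which is the simplest defence that is independent of available stack.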
Daniel Leidert [Wed, 30 Apr 2025 23:19:02 +0000 (01:19 +0200)]
Import u-boot_2021.01+dfsg-5+deb11u1.debian.tar.xz
[dgit import tarball u-boot 2021.01+dfsg-5+deb11u1 u-boot_2021.01+dfsg-5+deb11u1.debian.tar.xz]
Raspbian automatic forward porter [Fri, 4 Jun 2021 00:18:15 +0000 (01:18 +0100)]
Merge version 2021.01+dfsg-4+rpi1 and 2021.01+dfsg-5 to produce 2021.01+dfsg-5+rpi1
Vagrant Cascadian [Sun, 23 May 2021 04:32:45 +0000 (05:32 +0100)]
Merge u-boot (2021.01+dfsg-5) import into refs/heads/workingbranch
Heinrich Schuchardt [Sun, 24 Jan 2021 14:34:12 +0000 (14:34 +0000)]
[PATCH] efi_loader: switch to non-secure mode later
Some ARMv7 boards using PSCI require to be in secure-mode when booted via
'bootz' or 'bootm'. During distro-boot 'bootefi bootmgr' is called to check
if booting via UEFI is possible.
With this change, the switch from secure mode to non-secure mode is moved
from the UEFI subsystem setup to just before calling StartImage().
Cc: Jernej Škrabec <jernej.skrabec@gmail.com>
Reported-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Gbp-Pq: Topic upstream
Gbp-Pq: Name 0001-efi_loader-switch-to-non-secure-mode-later.patch
Arnaud Ferraris [Wed, 2 Sep 2020 07:53:50 +0000 (09:53 +0200)]
[PATCH] configs: add PineTab defconfig
From 2c346cacb4b0841051bceb27a57058020860ab8b Mon Sep 17 00:00:00 2001
Forwarded: https://patchwork.ozlabs.org/project/uboot/list/?series=232582
The PineTab device-tree is already in u-boot, this commit adds the corresponding
defconfig, based on pinephone_defconfig.
Signed-off-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
Gbp-Pq: Topic pinetab
Gbp-Pq: Name 0001-configs-add-PineTab-defconfig.patch
Vagrant Cascadian [Sun, 23 May 2021 04:32:45 +0000 (05:32 +0100)]
disable-preboot
Disable USE_PREBOOT as a workaround to boot failure triggered by
initializing USB. (Closes: #973323, #980434)
Reported upstream:
https://lists.denx.de/pipermail/u-boot/2021-January/438098.html
Gbp-Pq: Topic rk3399
Gbp-Pq: Name disable-preboot
Vagrant Cascadian [Sun, 23 May 2021 04:32:45 +0000 (05:32 +0100)]
bootz_and_raw_initrd
Enable booting of zImage/vmlinuz and initrd without requiring the use
of mkimage to create uImage/uInitrd.
Gbp-Pq: Topic n900
Gbp-Pq: Name bootz_and_raw_initrd.patch
David Abdurachmanov [Wed, 21 Aug 2019 19:07:20 +0000 (12:07 -0700)]
[PATCH] qemu-riscv64_smode, sifive-fu540: fix extlinux (define preboot)
From 3fc056f0b9f7c26e58a1e947c8c0184e55919614 Mon Sep 17 00:00:00 2001
Forwarded: https://patchwork.ozlabs.org/patch/1151125/
Commit 37304aaf60bf92a5dc3ef222ba520698bd862a44 removed preboot
commands in RISC-V targets and broke extlinux support as reported
by Fu Wei <wefu@redhat.com>.
The patch finishes migration of CONFIG_USE_PREBOOT and CONFIG_REBOOT
to Kconfig.
Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com>
Gbp-Pq: Topic riscv64
Gbp-Pq: Name qemu-riscv64_smode-sifive-fu540-fix-extlinux-define-.patch
Dongjin Kim [Sat, 28 Oct 2017 04:22:27 +0000 (00:22 -0400)]
[PATCH] arm: config: fix default console only to specify the device
This reverts commit 767edf0f6b3eaa0303f3fd6afdc14ddce0aca70c and restores
commit 232ed3ca534708527a9515c7c41bc3542949525c.
Debian's flash-kernel expects the console variable to just contain the device,
because it will set the bootargs to "console=${console}". So revert adding
"console=" to the console parameter, but also adjust the shipped bootscripts
for exynos boards to cope with it.
Bug-Debian: https://bugs.debian.org/920116
Signed-off-by: Benjamin Drung <bdrung@debian.org>
Gbp-Pq: Topic exynos
Gbp-Pq: Name 0001-arm-config-fix-default-console-only-to-specify-the-d.patch
Vagrant Cascadian [Sun, 23 May 2021 04:32:45 +0000 (05:32 +0100)]
test-imagetools-test-fixes
This patch allows testing in an alternate directory and also detects
failures to execute commands, treating that as a failure.
Gbp-Pq: Name test-imagetools-test-fixes
Vagrant Cascadian [Sun, 23 May 2021 04:32:45 +0000 (05:32 +0100)]
omap5_distro_bootcmd
Enable distro_bootcmd support (doc/README.distro) for omap5 targets.
Gbp-Pq: Topic am57xx
Gbp-Pq: Name omap5_distro_bootcmd
Vagrant Cascadian [Sun, 23 May 2021 04:32:45 +0000 (05:32 +0100)]
ensure-config-sandbox-for-make-env
Ensure that CONFIG_SANDBOX is set when running "make env", avoiding a
failure to build caused by config_distro_bootcmd.h following the wrong
codepath...
Gbp-Pq: Name ensure-config-sandbox-for-make-env.patch
Ian Campbell [Sun, 23 May 2021 04:32:45 +0000 (05:32 +0100)]
Add spl/arndale-spl.bin rule
Gbp-Pq: Topic arndale
Gbp-Pq: Name board-spl-rule.diff
Vagrant Cascadian [Sun, 23 May 2021 04:32:45 +0000 (05:32 +0100)]
mx53loco
Enables support for ext4, the "load" command, and using bootz with raw initrds.
Gbp-Pq: Name mx53loco
Hector Oron [Sun, 23 May 2021 04:32:45 +0000 (05:32 +0100)]
Enable generic tools build
Gbp-Pq: Name tools-generic-builds.patch
Vagrant Cascadian [Sun, 23 May 2021 04:32:45 +0000 (05:32 +0100)]
add-debian-revision-to-u-boot-version
Add the debian revision to the U-boot version, which is displayed at
boot and can be helpful to determine which specific version is used.
Gbp-Pq: Name add-debian-revision-to-u-boot-version
Vagrant Cascadian [Sun, 23 May 2021 04:32:45 +0000 (05:32 +0100)]
u-boot (2021.01+dfsg-5) unstable; urgency=medium
* debian/patches: Fix boot failure caused by efi loader switching to
non-secure mode too early. Thanks to Bastian Germann and Heinrich
Schuchardt. (Closes: #988217)
[dgit import unpatched u-boot 2021.01+dfsg-5]
Vagrant Cascadian [Sun, 23 May 2021 04:32:45 +0000 (05:32 +0100)]
Import u-boot_2021.01+dfsg-5.debian.tar.xz
[dgit import tarball u-boot 2021.01+dfsg-5 u-boot_2021.01+dfsg-5.debian.tar.xz]
Peter Michael Green [Sat, 10 Apr 2021 16:32:31 +0000 (16:32 +0000)]
Don't build powerpc qemu target, the necessary cross-compiler
failed to build in raspbian.
Peter Michael Green [Thu, 8 Apr 2021 12:45:39 +0000 (12:45 +0000)]
Manual merge of version 2020.07+dfsg-2+rpi1 and 2021.01+dfsg-4 to produce 2021.01+dfsg-4+rpi1
Vagrant Cascadian [Fri, 12 Mar 2021 23:00:43 +0000 (23:00 +0000)]
Merge u-boot (2021.01+dfsg-4) import into refs/heads/workingbranch
Arnaud Ferraris [Wed, 2 Sep 2020 07:53:50 +0000 (09:53 +0200)]
[PATCH] configs: add PineTab defconfig
From 2c346cacb4b0841051bceb27a57058020860ab8b Mon Sep 17 00:00:00 2001
Forwarded: https://patchwork.ozlabs.org/project/uboot/list/?series=232582
The PineTab device-tree is already in u-boot, this commit adds the corresponding
defconfig, based on pinephone_defconfig.
Signed-off-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
Gbp-Pq: Topic pinetab
Gbp-Pq: Name 0001-configs-add-PineTab-defconfig.patch
Vagrant Cascadian [Fri, 12 Mar 2021 23:00:43 +0000 (23:00 +0000)]
disable-preboot
Disable USE_PREBOOT as a workaround to boot failure triggered by
initializing USB. (Closes: #973323, #980434)
Reported upstream:
https://lists.denx.de/pipermail/u-boot/2021-January/438098.html
Gbp-Pq: Topic rk3399
Gbp-Pq: Name disable-preboot
Vagrant Cascadian [Fri, 12 Mar 2021 23:00:43 +0000 (23:00 +0000)]
bootz_and_raw_initrd
Enable booting of zImage/vmlinuz and initrd without requiring the use
of mkimage to create uImage/uInitrd.
Gbp-Pq: Topic n900
Gbp-Pq: Name bootz_and_raw_initrd.patch
David Abdurachmanov [Wed, 21 Aug 2019 19:07:20 +0000 (12:07 -0700)]
[PATCH] qemu-riscv64_smode, sifive-fu540: fix extlinux (define preboot)
From 3fc056f0b9f7c26e58a1e947c8c0184e55919614 Mon Sep 17 00:00:00 2001
Forwarded: https://patchwork.ozlabs.org/patch/1151125/
Commit 37304aaf60bf92a5dc3ef222ba520698bd862a44 removed preboot
commands in RISC-V targets and broke extlinux support as reported
by Fu Wei <wefu@redhat.com>.
The patch finishes migration of CONFIG_USE_PREBOOT and CONFIG_REBOOT
to Kconfig.
Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com>
Gbp-Pq: Topic riscv64
Gbp-Pq: Name qemu-riscv64_smode-sifive-fu540-fix-extlinux-define-.patch
Dongjin Kim [Sat, 28 Oct 2017 04:22:27 +0000 (00:22 -0400)]
[PATCH] arm: config: fix default console only to specify the device
This reverts commit 767edf0f6b3eaa0303f3fd6afdc14ddce0aca70c and restores
commit 232ed3ca534708527a9515c7c41bc3542949525c.
Debian's flash-kernel expects the console variable to just contain the device,
because it will set the bootargs to "console=${console}". So revert adding
"console=" to the console parameter, but also adjust the shipped bootscripts
for exynos boards to cope with it.
Bug-Debian: https://bugs.debian.org/920116
Signed-off-by: Benjamin Drung <bdrung@debian.org>
Gbp-Pq: Topic exynos
Gbp-Pq: Name 0001-arm-config-fix-default-console-only-to-specify-the-d.patch
Vagrant Cascadian [Fri, 12 Mar 2021 23:00:43 +0000 (23:00 +0000)]
test-imagetools-test-fixes
This patch allows testing in an alternate directory and also detects
failures to execute commands, treating that as a failure.
Gbp-Pq: Name test-imagetools-test-fixes
Vagrant Cascadian [Fri, 12 Mar 2021 23:00:43 +0000 (23:00 +0000)]
omap5_distro_bootcmd
Enable distro_bootcmd support (doc/README.distro) for omap5 targets.
Gbp-Pq: Topic am57xx
Gbp-Pq: Name omap5_distro_bootcmd
Vagrant Cascadian [Fri, 12 Mar 2021 23:00:43 +0000 (23:00 +0000)]
ensure-config-sandbox-for-make-env
Ensure that CONFIG_SANDBOX is set when running "make env", avoiding a
failure to build caused by config_distro_bootcmd.h following the wrong
codepath...
Gbp-Pq: Name ensure-config-sandbox-for-make-env.patch
Ian Campbell [Fri, 12 Mar 2021 23:00:43 +0000 (23:00 +0000)]
Add spl/arndale-spl.bin rule
Gbp-Pq: Topic arndale
Gbp-Pq: Name board-spl-rule.diff
Vagrant Cascadian [Fri, 12 Mar 2021 23:00:43 +0000 (23:00 +0000)]
mx53loco
Enables support for ext4, the "load" command, and using bootz with raw initrds.
Gbp-Pq: Name mx53loco
Hector Oron [Fri, 12 Mar 2021 23:00:43 +0000 (23:00 +0000)]
Enable generic tools build
Gbp-Pq: Name tools-generic-builds.patch
Vagrant Cascadian [Fri, 12 Mar 2021 23:00:43 +0000 (23:00 +0000)]
add-debian-revision-to-u-boot-version
Add the debian revision to the U-boot version, which is displayed at
boot and can be helpful to determine which specific version is used.
Gbp-Pq: Name add-debian-revision-to-u-boot-version