On Fri, Jun 24, 2022 at 09:27:29PM +0200, Miquel Raynal wrote:
> A crafted squashfs image could embed a huge number of empty metadata
> blocks in order to make the amount of malloc()'d memory overflow and be
> much smaller than expected. Because of this flaw, any random code
> positioned at the right location in the squashfs image could be memcpy'd
> from the squashfs structures into U-Boot code location while trying to
> access the rearmost blocks, before being executed.
>
> In order to prevent this vulnerability from being exploited in e.g. a
> secure boot environment, let's add a check over the amount of data
> that is going to be allocated. Such a check could look like:
>
>     if (!elem_size || n > SIZE_MAX / elem_size)
>             return NULL;
>
> The right way to do it would be to enhance the calloc() implementation
> but this is quite an impacting change for such a small fix. Another
> solution would be to add the check before the malloc call in the
> squashfs implementation, but this does not look right. So for now, let's
> use the kcalloc() compatibility function from Linux, which has this
> check.
>
> Reported-by: Tatsuhiko Yasumatsu <tatsuhiko.yasuma...@sony.com>
> Signed-off-by: Miquel Raynal <miquel.ray...@bootlin.com>
Reviewed-by: Tom Rini <tr...@konsulko.com>

-- 
Tom
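The multiplication check quoted in the commit message, shown as an added stand-alone example that is not U-Boot's code or the author's patch: a kcalloc-style wrapper around calloc() refuses a block count whose product with the element size would wrap size_t, next to the wrapped value an unchecked caller would have passed to malloc(). The helper names and the block count are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns 1 if n * elem_size fits in size_t without wrapping. This is the
 * exact condition from the message, kept separate so it can be tested on
 * its own. A zero element size is rejected too, since SIZE_MAX / 0 is
 * undefined. */
static int mul_fits_size_t(size_t n, size_t elem_size)
{
	return elem_size != 0 && n <= SIZE_MAX / elem_size;
}

/* Hypothetical kcalloc-like helper: NULL on overflow (or zero element
 * size), otherwise a zeroed block of exactly n * elem_size bytes. */
static void *checked_calloc(size_t n, size_t elem_size)
{
	if (!mul_fits_size_t(n, elem_size))
		return NULL;
	return calloc(n, elem_size);
}

/* Deliberately unchecked product: unsigned multiplication wraps modulo
 * SIZE_MAX + 1, which is how a huge count turns into a tiny allocation. */
static size_t wrapped_size(size_t n, size_t elem_size)
{
	return n * elem_size;
}

int main(void)
{
	/* Constructed input: a metadata block count chosen so that the
	 * product wraps to just 64 bytes on any size_t width. */
	size_t elem = 64;
	size_t n_bad = SIZE_MAX / elem + 2;
	size_t n_ok = 1024;
	void *p;

	printf("unchecked size for n_bad: %zu bytes\n", wrapped_size(n_bad, elem));
	printf("checked_calloc(n_bad): %s\n",
	       checked_calloc(n_bad, elem) ? "allocated" : "refused");

	p = checked_calloc(n_ok, elem);
	printf("checked_calloc(n_ok): %s\n", p ? "allocated" : "refused");
	free(p);
	return 0;
}
```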