diff options
Diffstat (limited to 'poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33551.patch')
| -rw-r--r-- | poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33551.patch | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33551.patch b/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33551.patch new file mode 100644 index 0000000000..9ed77d921f --- /dev/null +++ b/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33551.patch @@ -0,0 +1,80 @@ +From 5782f0d47df99dcfc743aa138361336e9a4ac966 Mon Sep 17 00:00:00 2001 +From: Gao Xiang <hsiangkao@linux.alibaba.com> +Date: Fri, 2 Jun 2023 13:52:56 +0800 +Subject: [PATCH 1/4] erofs-utils: fsck: block insane long paths when + extracting images + +Since some crafted EROFS filesystem images could have insane deep +hierarchy (or may form directory loops) which triggers the +PATH_MAX-sized path buffer OR stack overflow. + +Actually some crafted images cannot be deemed as real corrupted +images but over-PATH_MAX paths are not something that we'd like to +support for now. + +CVE: CVE-2023-33551 +Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-33551 +Reported-by: Chaoming Yang <lometsj@live.com> +Fixes: f44043561491 ("erofs-utils: introduce fsck.erofs") +Fixes: b11f84f593f9 ("erofs-utils: fsck: convert to use erofs_iterate_dir()") +Fixes: 412c8f908132 ("erofs-utils: fsck: add --extract=X support to extract to path X") +Signeo-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> +Link: https://lore.kernel.org/r/20230602055256.18061-1-hsiangkao@linux.alibaba.com + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git/patch/?id=27aeef179bf17d5f1d98f827e93d24839a6d4176] +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + fsck/main.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +diff --git a/fsck/main.c b/fsck/main.c +index 5a2f659..2b6a6dd 100644 +--- a/fsck/main.c ++++ b/fsck/main.c +@@ -679,28 +679,35 @@ again: + static int erofsfsck_dirent_iter(struct erofs_dir_context *ctx) + { + int ret; +- size_t prev_pos = fsckcfg.extract_pos; ++ size_t prev_pos, curr_pos; + + if (ctx->dot_dotdot) + return 0; + +- if (fsckcfg.extract_path) { +- size_t curr_pos = prev_pos; ++ prev_pos = fsckcfg.extract_pos; ++ curr_pos = prev_pos; ++ ++ if (prev_pos + ctx->de_namelen >= PATH_MAX) { ++ erofs_err("unable to fsck since the path is too long (%u)", ++ curr_pos + ctx->de_namelen); ++ return -EOPNOTSUPP; ++ } + ++ if (fsckcfg.extract_path) { + fsckcfg.extract_path[curr_pos++] = '/'; + strncpy(fsckcfg.extract_path + curr_pos, ctx->dname, + ctx->de_namelen); + curr_pos += ctx->de_namelen; + fsckcfg.extract_path[curr_pos] = '\0'; +- fsckcfg.extract_pos = curr_pos; ++ } else { ++ curr_pos += ctx->de_namelen; + } +- ++ fsckcfg.extract_pos = curr_pos; + ret = erofsfsck_check_inode(ctx->dir->nid, ctx->de_nid); + +- if (fsckcfg.extract_path) { ++ if (fsckcfg.extract_path) + fsckcfg.extract_path[prev_pos] = '\0'; +- fsckcfg.extract_pos = prev_pos; +- } ++ fsckcfg.extract_pos = prev_pos; + return ret; + } + +-- +2.25.1 + |