From: Tom Rini
To: Jincheng Wang, Joao Marcos Costa, Thomas Petazzoni, Miquel Raynal
Cc: u-boot@lists.denx.de
Date: Wed, 1 Jun 2022 10:18:42 -0400
Subject: Re: Out of bounds write vulnerability in the sqfs_readdir() function
Message-ID: <20220601141842.GF25375@bill-the-cat>

On Thu, May 26, 2022 at 04:28:07PM +0800, Jincheng Wang wrote:
> Hello u-boot list,
>
> I found the sqfs_readdir() function is vulnerable to an out-of-bounds write,
> which will cause arbitrary code execution.
>
> ```
> int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp)
> {
> 	......
> 	/* Set entry name */
>
> 	strncpy(dent->name, dirs->entry->name, dirs->entry->name_size + 1);
> 	dent->name[dirs->entry->name_size + 1] = '\0';
>
> 	offset = dirs->entry->name_size + 1 + SQFS_ENTRY_BASE_LENGTH;
> 	dirs->entry_count--;
> 	.......
> }
>
>
> struct squashfs_dir_stream {
> 	struct fs_dir_stream fs_dirs;
> 	struct fs_dirent dentp;
> 	size_t size;
> 	int entry_count;
> 	struct squashfs_directory_header *dir_header;
> 	struct squashfs_directory_entry *entry;
> 	......
> };
>
>
> static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
> 			   int token_count, u32 *m_list, int m_count)
> {
> 	......
> 	while (!sqfs_readdir(dirsp, &dent)) {
> 		ret = strcmp(dent->name, token_list[j]);
> 		if (!ret)
> 			break;
> 		free(dirs->entry);
> 		dirs->entry = NULL;
> 	}
> 	......
> }
> ```
>
> The sqfs_readdir() function uses strncpy to set the entry name, while the type
> of dirs->entry->name_size is defined as "u16" in the struct
> squashfs_directory_entry and dent->name is defined as "char[256]" in the
> struct fs_dirent.
>
> We can overwrite *dirs_header and *entry in the struct squashfs_dir_stream,
> so that we can use the sqfs_search_dir() function to free a fake
> chunk which causes arbitrary code execution.
> You can see the PoC in the attachment.
>
> host bind 0 test4.sqfs
> ls host 0 /dirs

Adding the listed maintainers...

-- 
Tom
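The defensive shape of the name copy that the report calls for, added here as an illustration; this is not U-Boot's own patch, and `struct dirent_out`, `copy_entry_name` and `self_check` are simplified stand-ins for the real `fs_dirent` / `sqfs_readdir()` code. The bound is taken against the destination buffer (the `char[256]` the report cites) and against the bytes actually left in the directory table, so a `u16 name_size` read from the image can no longer drive `strncpy` past the end of `dent->name`.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for fs_dirent: the fixed 256-byte name buffer from the report. */
struct dirent_out {
	char name[256];
};

/*
 * Hardened replacement for the strncpy in the report (assumed shape, not
 * U-Boot's actual fix). name_size comes from the image and is therefore
 * untrusted. SquashFS stores the length minus one, so len = name_size + 1
 * bytes are copied and the NUL lands at name[len]; both must fit in the
 * buffer, and the entry must not claim more bytes than the directory
 * table chunk still holds (src_avail).
 */
static int copy_entry_name(struct dirent_out *dent, const char *src,
			   size_t src_avail, uint16_t name_size)
{
	size_t len = (size_t)name_size + 1;	/* widen first: no u16 wraparound */

	if (len >= sizeof(dent->name))		/* need name[len] for the NUL */
		return -ENAMETOOLONG;
	if (len > src_avail)			/* entry runs past the table chunk */
		return -EINVAL;
	memcpy(dent->name, src, len);
	dent->name[len] = '\0';
	return 0;
}

/* Constructed cases (not from the report); returns the number of failures. */
static int self_check(void)
{
	struct dirent_out d;
	static char table[65536];	/* fake table: what a u16 max could claim */
	int bad = 0;

	memset(table, 'A', sizeof(table));
	bad += copy_entry_name(&d, "abc", 3, 2) != 0 || strcmp(d.name, "abc") != 0;
	bad += copy_entry_name(&d, "abc", 2, 2) != -EINVAL;	/* truncated table */
	bad += copy_entry_name(&d, table, sizeof(table), 65535) != -ENAMETOOLONG;
	bad += copy_entry_name(&d, table, sizeof(table), 255) != -ENAMETOOLONG;
	bad += copy_entry_name(&d, table, sizeof(table), 254) != 0 ||
	       strlen(d.name) != 255;	/* longest name that still fits with NUL */
	return bad;
}
```

Note that `name_size == 255` is rejected even though the copy itself would fit: the original code then writes the terminator at `dent->name[256]`, one byte past the buffer.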