All of
 help / color / mirror / Atom feed
From: Jincheng Wang <>
Subject: Out of bounds write vulnerability in the sqfs_readdir() function
Date: Thu, 26 May 2022 16:28:07 +0800	[thread overview]
Message-ID: <> (raw)

[-- Attachment #1: Type: text/plain, Size: 1458 bytes --]

Hello u-boot list,

I found the sqfs_readdir() function is vulnerable to Out-of-Bound write,
which will cause arbitrary code execution.

int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp)
/* Set entry name */

strncpy(dent->name, dirs->entry->name, dirs->entry->name_size + 1);
dent->name[dirs->entry->name_size + 1] = '\0';

offset = dirs->entry->name_size + 1 + SQFS_ENTRY_BASE_LENGTH;

struct squashfs_dir_stream {
struct fs_dir_stream fs_dirs;
struct fs_dirent dentp;
size_t size;
int entry_count;
struct squashfs_directory_header *dir_header;
struct squashfs_directory_entry *entry;

static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char
  int token_count, u32 *m_list, int m_count)
while (!sqfs_readdir(dirsp, &dent)) {
ret = strcmp(dent->name, token_list[j]);
if (!ret)
dirs->entry = NULL;


The sqfs_readdir() function  use strncpy to  set entry name, while the type
of dirs->entry->name_size is defined as "u16" in the struct
and dent->name
is defined as "char[256]" in the struct fs_dirent.

We can overwrite *dirs_header and *entry in the struct squashfs_dir_stream,
so that  we can use the sqfs_search_dir() function to free a fake
chunk which causes arbitrary code execution.
You can see the Poc in the attachment.

     host bind 0 test4.sqfs
     ls host 0 /dirs

[-- Attachment #2: test4.sqfs --]
[-- Type: application/octet-stream, Size: 4096 bytes --]

             reply	other threads:[~2022-05-26  8:28 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-05-26  8:28 Jincheng Wang [this message]
2022-06-01 14:18 ` Tom Rini

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='' \ \ \
    --subject='Re: Out of bounds write vulnerability in the sqfs_readdir() function' \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.