u-boot.git/fs, branch v2022.07 Unnamed repository; edit this file 'description' to name the repository. fs/squashfs: Use kcalloc when relevant 2022-06-28T19:51:56+00:00 Miquel Raynal miquel.raynal@bootlin.com 2022-06-27T10:20:03+00:00 7f7fb9937c6cb49dd35153bd6708872b390b0a44 A crafted squashfs image could embed a huge number of empty metadata blocks in order to make the amount of malloc()'d memory overflow and be much smaller than expected. Because of this flaw, any random code positioned at the right location in the squashfs image could be memcpy'd from the squashfs structures into U-Boot code location while trying to access the rearmost blocks, before being executed. In order to prevent this vulnerability from being exploited in eg. a secure boot environment, let's add a check over the amount of data that is going to be allocated. Such a check could look like: if (!elem_size || n > SIZE_MAX / elem_size) return NULL; The right way to do it would be to enhance the calloc() implementation but this is quite an impacting change for such a small fix. Another solution would be to add the check before the malloc call in the squashfs implementation, but this does not look right. So for now, let's use the kcalloc() compatibility function from Linux, which has this check. Fixes: c5100613037 ("fs/squashfs: new filesystem") Reported-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu@sony.com> Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> Tested-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu@sony.com> 
A crafted squashfs image could embed a huge number of empty metadata
blocks in order to make the amount of malloc()'d memory overflow and be
much smaller than expected. Because of this flaw, any random code
positioned at the right location in the squashfs image could be memcpy'd
from the squashfs structures into U-Boot code location while trying to
access the rearmost blocks, before being executed.

In order to prevent this vulnerability from being exploited in eg. a
secure boot environment, let's add a check over the amount of data
that is going to be allocated. Such a check could look like:

if (!elem_size || n > SIZE_MAX / elem_size)
	return NULL;

The right way to do it would be to enhance the calloc() implementation
but this is quite an impacting change for such a small fix. Another
solution would be to add the check before the malloc call in the
squashfs implementation, but this does not look right. So for now, let's
use the kcalloc() compatibility function from Linux, which has this
check.

Fixes: c5100613037 ("fs/squashfs: new filesystem")
Reported-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu@sony.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Tested-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu@sony.com>
fs/squashfs: sqfs_read: Prevent arbitrary code execution 2022-06-16T19:22:55+00:00 Miquel Raynal miquel.raynal@bootlin.com 2022-06-09T14:02:06+00:00 2ac0baab4aff1a0b45067d0b62f00c15f4e86856 Following Jincheng's report, an out-of-band write leading to arbitrary code execution is possible because on one side the squashfs logic accepts directory names up to 65535 bytes (u16), while U-Boot fs logic accepts directory names up to 255 bytes long. Prevent such an exploit from happening by capping directory name sizes to 255. Use a define for this purpose so that developers can link the limitation to its source and eventually kill it some day by dynamically allocating this array (if ever desired). Link: https://lore.kernel.org/all/CALO=DHFB+yBoXxVr5KcsK0iFdg+e7ywko4-e+72kjbcS8JBfPw@mail.gmail.com Reported-by: Jincheng Wang <jc.w4ng@gmail.com> Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> Tested-by: Jincheng Wang <jc.w4ng@gmail.com> 
Following Jincheng's report, an out-of-band write leading to arbitrary
code execution is possible because on one side the squashfs logic
accepts directory names up to 65535 bytes (u16), while U-Boot fs logic
accepts directory names up to 255 bytes long.

Prevent such an exploit from happening by capping directory name sizes
to 255. Use a define for this purpose so that developers can link the
limitation to its source and eventually kill it some day by dynamically
allocating this array (if ever desired).

Link: https://lore.kernel.org/all/CALO=DHFB+yBoXxVr5KcsK0iFdg+e7ywko4-e+72kjbcS8JBfPw@mail.gmail.com
Reported-by: Jincheng Wang <jc.w4ng@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Tested-by: Jincheng Wang <jc.w4ng@gmail.com>
squashfs: Fix compilation on big endian systems 2022-06-03T15:15:24+00:00 Pali Rohár pali@kernel.org 2022-04-06T21:31:53+00:00 9320db0926ae4c2a24015298e3b374a07023267e Signed-off-by: Pali Rohár <pali@kernel.org> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com> 
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
ubifs: Fix lockup/crash when reading files 2022-06-03T14:23:22+00:00 Pali Rohár pali@kernel.org 2022-05-17T20:45:28+00:00 339f652992919be11e3f1b791515140de646a3ef Commit b1a14f8a1c2e ("UBIFS: Change ubifsload to not read beyond the requested size") added optimization to do not read more bytes than it is really needed. But this commit introduced incorrect handling of the hole at the end of file. This logic cause U-Boot to crash or lockup when trying to read from the ubifs filesystem. When read_block() call returns -ENOENT error (not an error, but the hole) then dn-> structure is not filled and contain garbage. So using of dn->size for memcpy() argument cause that U-Boot tries to copy unspecified amount of bytes from possible unmapped memory. Which randomly cause lockup of P2020 CPU. Fix this issue by copying UBIFS_BLOCK_SIZE bytes from read buffer when dn->size is not available. UBIFS_BLOCK_SIZE is the size of the buffer itself and read_block() fills buffer by zeros when it returns -ENOENT. This patch fixes ubifsload on P2020. Fixes: b1a14f8a1c2e ("UBIFS: Change ubifsload to not read beyond the requested size") Signed-off-by: Pali Rohár <pali@kernel.org> Reviewed-by: Stefan Roese <sr@denx.de> 
Commit b1a14f8a1c2e ("UBIFS: Change ubifsload to not read beyond the
requested size") added optimization to do not read more bytes than it is
really needed. But this commit introduced incorrect handling of the hole at
the end of file. This logic cause U-Boot to crash or lockup when trying to
read from the ubifs filesystem.

When read_block() call returns -ENOENT error (not an error, but the hole)
then dn-> structure is not filled and contain garbage. So using of dn->size
for memcpy() argument cause that U-Boot tries to copy unspecified amount of
bytes from possible unmapped memory. Which randomly cause lockup of P2020
CPU.

Fix this issue by copying UBIFS_BLOCK_SIZE bytes from read buffer when
dn->size is not available. UBIFS_BLOCK_SIZE is the size of the buffer
itself and read_block() fills buffer by zeros when it returns -ENOENT.

This patch fixes ubifsload on P2020.

Fixes: b1a14f8a1c2e ("UBIFS: Change ubifsload to not read beyond the requested size")
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Stefan Roese <sr@denx.de>
fs/squashfs: use lldiv function for math 2022-05-23T13:33:10+00:00 Sean Nyekjaer sean.nyekjaer.ext@siemensgamesa.com 2022-05-12T18:37:14+00:00 92080c6ef6c753ca69c53f191a6baef53f98bd6b When compling for x86: ld.bfd: fs/squashfs/sqfs.o: in function `sqfs_read': u-boot/fs/squashfs/sqfs.c:1443: undefined reference to `__udivmoddi4' ld.bfd: u-boot/fs/squashfs/sqfs.c:1521: undefined reference to `__udivmoddi4' Signed-off-by: Sean Nyekjaer <sean.nyekjaer.ext@siemensgamesa.com> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com> Reviewed-by: Pali Rohár <pali@kernel.org> 
When compling for x86:
ld.bfd: fs/squashfs/sqfs.o: in function `sqfs_read':
u-boot/fs/squashfs/sqfs.c:1443: undefined reference to `__udivmoddi4'
ld.bfd: u-boot/fs/squashfs/sqfs.c:1521: undefined reference to `__udivmoddi4'

Signed-off-by: Sean Nyekjaer <sean.nyekjaer.ext@siemensgamesa.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Pali Rohár <pali@kernel.org>
bootstd: sandbox: Add a hostfs bootdev 2022-04-25T14:00:04+00:00 Simon Glass sjg@chromium.org 2022-04-25T05:31:21+00:00 7d0478d241703b50e88736f3774deb5472418b58 It is helpful to be able to try out bootstd on sandbox, using host files. This is easier than using a block device, which must have a filesystem, partition table, etc. Add a new driver which provides this feature. For now it is not used in tests, but it is likely to be useful. Add notes in the devicetree also, but don't disturb the tests. Signed-off-by: Simon Glass <sjg@chromium.org> 
It is helpful to be able to try out bootstd on sandbox, using host files.
This is easier than using a block device, which must have a filesystem,
partition table, etc.

Add a new driver which provides this feature. For now it is not used in
tests, but it is likely to be useful.

Add notes in the devicetree also, but don't disturb the tests.

Signed-off-by: Simon Glass <sjg@chromium.org>
fs: Add a function to set the filesystem type 2022-04-25T14:00:03+00:00 Simon Glass sjg@chromium.org 2022-04-25T05:31:04+00:00 c24e58f599085efa79a61cb62170b6b2164b8ce9 When sandbox is used with hostfs we won't have a block device, but still must set up the filesystem type before any filesystem operation, such as loading a file. Add a function to handle this. Signed-off-by: Simon Glass <sjg@chromium.org> 
When sandbox is used with hostfs we won't have a block device, but still
must set up the filesystem type before any filesystem operation, such as
loading a file. Add a function to handle this.

Signed-off-by: Simon Glass <sjg@chromium.org>
fs: ext4: Use CRC-16 implementation from linux/crc16.h 2022-04-21T18:32:40+00:00 Pali Rohár pali@kernel.org 2022-04-12T09:20:43+00:00 4f0e77f8f098753bd9835d5a31c435aaab79dd86 Implementation in linux/crc16.h provides standard CRC-16 algorithm with polynomial x^16 + x^15 + x^2 + 1. Use it and remove duplicate ext4 CRC-16 specific code. Signed-off-by: Pali Rohár <pali@kernel.org> Reviewed-by: Stefan Roese <sr@denx.de> 
Implementation in linux/crc16.h provides standard CRC-16 algorithm with
polynomial x^16 + x^15 + x^2 + 1. Use it and remove duplicate ext4 CRC-16
specific code.

Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Stefan Roese <sr@denx.de>
crc16: Move standard CRC-16 implementation from ubifs to lib 2022-04-21T18:32:40+00:00 Pali Rohár pali@kernel.org 2022-04-12T09:20:42+00:00 1a47e6d47c7184b116bb58e8451dc0d4f141a609 This implementation provides standard CRC-16 algorithm with polynomial x^16 + x^15 + x^2 + 1. Signed-off-by: Pali Rohár <pali@kernel.org> Reviewed-by: Stefan Roese <sr@denx.de> 
This implementation provides standard CRC-16 algorithm with polynomial
x^16 + x^15 + x^2 + 1.

Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Stefan Roese <sr@denx.de>
crc16: Rename fs/ubifs/crc16.h to include/linux/crc16.h 2022-04-21T18:32:40+00:00 Pali Rohár pali@kernel.org 2022-04-12T09:20:41+00:00 e523f5d181ce66a36b5f9476b86be2fa03284a45 File fs/ubifs/crc16.h is standard linux's crc16.h include file. So move it from fs/ubifs to include/linux where are also other linux include files. Signed-off-by: Pali Rohár <pali@kernel.org> Reviewed-by: Stefan Roese <sr@denx.de> 
File fs/ubifs/crc16.h is standard linux's crc16.h include file. So move it
from fs/ubifs to include/linux where are also other linux include files.

Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Stefan Roese <sr@denx.de>