From e744bf3a4ba442a0e9ee1c509c70e1452e3a15d0 Mon Sep 17 00:00:00 2001 From: Tom Rini Date: Wed, 8 Jun 2022 14:30:14 -0400 Subject: odroid_xu3: Fix board environment variable When migrating CONFIG_CONS_INDEX to Kconfig, on this platform we changed what "board" evaluated to in the environment. This in turn meant that we would no longer try and find the correct fdtfile via the normal distro boot logic. Fix this by overriding board in the default environment, as done on other platforms where CONFIG_SYS_BOARD is not what we want to be in the board environment variable. Fixes: f76750d11133 ("Convert CONFIG_CONS_INDEX et al to Kconfig") Reported-by: Gabriel Hojda Tested-by: Gabriel Hojda Signed-off-by: Tom Rini
---
 include/configs/odroid_xu3.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include')
diff --git a/include/configs/odroid_xu3.h b/include/configs/odroid_xu3.h
index eb35d7b4ae2..360815bc03e 100644
--- a/include/configs/odroid_xu3.h
+++ b/include/configs/odroid_xu3.h
@@ -86,6 +86,7 @@
 "rootfstype=ext4\0" \
 "console=console=ttySAC2,115200n8\0" \
 "fdtfile=exynos5422-odroidxu3.dtb\0" \
+ "board=odroid\0" \
 "board_name=odroidxu3\0" \
 "mmcbootdev=0\0" \
 "mmcrootdev=0\0" \
-- cgit v1.2.3
From 2ac0baab4aff1a0b45067d0b62f00c15f4e86856 Mon Sep 17 00:00:00 2001
From: Miquel Raynal Date: Thu, 9 Jun 2022 16:02:06 +0200 Subject: fs/squashfs: sqfs_read: Prevent arbitrary code execution Following Jincheng's report, an out-of-band write leading to arbitrary code execution is possible because on one side the squashfs logic accepts directory names up to 65535 bytes (u16), while U-Boot fs logic accepts directory names up to 255 bytes long. Prevent such an exploit from happening by capping directory name sizes to 255. Use a define for this purpose so that developers can link the limitation to its source and eventually kill it some day by dynamically allocating this array (if ever desired). Link: https://lore.kernel.org/all/CALO=DHFB+yBoXxVr5KcsK0iFdg+e7ywko4-e+72kjbcS8JBfPw@mail.gmail.com Reported-by: Jincheng Wang Signed-off-by: Miquel Raynal Tested-by: Jincheng Wang
---
 include/fs.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'include')
diff --git a/include/fs.h b/include/fs.h
index b43f16a692f..2195dc172ec 100644
--- a/include/fs.h
+++ b/include/fs.h
@@ -174,6 +174,8 @@ int fs_write(const char *filename, ulong addr, loff_t offset, loff_t len,
 #define FS_DT_REG 8 /* regular file */
 #define FS_DT_LNK 10 /* symbolic link */

+#define FS_DIRENT_NAME_LEN 256
+
 /**
 * struct fs_dirent - directory entry
 *
@@ -194,7 +196,7 @@ struct fs_dirent {
 /** change_time: time of last modification */
 struct rtc_time change_time;
 /** name: file name */
- char name[256];
+ char name[FS_DIRENT_NAME_LEN];
 };

 /* Note: fs_dir_stream should be treated as opaque to the user of fs layer */
-- cgit v1.2.3
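Review bot: `FS_DIRENT_NAME_LEN` is introduced without a comment, and its value 256 differs from the 255-byte limit quoted in the commit message, so a reader can take it for the maximum name length rather than the buffer size. Presumably the extra byte is the terminating NUL; if so, say it at the define, e.g. `/* size of fs_dirent.name including the terminating NUL; names hold at most FS_DIRENT_NAME_LEN - 1 bytes */`. The bug class being fixed is a length mismatch against this fixed buffer, so an off-by-one in a driver's bound check (`> FS_DIRENT_NAME_LEN` instead of `>= FS_DIRENT_NAME_LEN`) would still put the terminator one byte past the array.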
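Review bot: Replacing the literal with `FS_DIRENT_NAME_LEN` in `char name[...]` does not bound any write by itself; the cap described in the commit message has to be applied where squashfs copies the on-disk (u16-sized) name into this member, and that code is not shown because this view is limited to 'include'. When reviewing the full commit, confirm that the copy site clamps to `FS_DIRENT_NAME_LEN - 1` (or `sizeof` of the `name` member minus one), always writes the terminator, and that it is clear whether an over-long name is truncated or rejected. The member's kernel-doc could carry the contract, e.g. `/** name: file name, NUL-terminated, at most FS_DIRENT_NAME_LEN - 1 bytes */`, so other filesystem drivers filling `name` use the same bound instead of a literal. `struct fs_dirent` begins outside this hunk.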