Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: [email protected], [email protected] Control: affects -1 + src:u-boot User: [email protected] Usertags: pu
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 [ Reason ] The CVEs CVE-2024-57254 to CVE-2024-57259 have been fixed in Sid, stable, LTS, and ELTS. They have not yet been fixed in Bookworm. This upload intends to close this gap. [ Impact ] If the update is not approved, users of Debian Bookworm stay vulnerable to the mentioned CVEs. Users updating to Bookworm become vulnerable. [ Tests ] The package doesn't come with the upstream test-suite enabled. The patches have therefore been tested manually on systems using u-boot. No problems have been reported. The fixes have also been published for users of LTS, ELTS, Sid and stable for some time without any report of a regression either. The patches are quite small as well. [ Risks ] The largest risk is the possibility of regressions or breakages. See above for tests to catch and mitigate these risks. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] CVE-2024-57254, CVE-2024-57255, and CVE-2024-57256 are mitiated by using a built-in to detect overflows. CVE-2024-57257 is mitigated by limiting the nested level to 8. CVE-2024-57258 is fixed by removing a superflous cast, moving a size check into an earlier location, and changing a type to long. CVE-2024-57259 is fixed by calculating the correct target size. -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmjcd6UACgkQS80FZ8KW 0F0E1RAAvmBkyoTtU+pbViK8xJrBsaGCc72+63JP/NfJDeDnb1wZsK+SGY+FFuJG ZhPT7F6syVsuM0wQaKp1yiFi3nsfCmHezObBmWpAm3XWZXXFhklANaTUahzacL/b wfHVgFskkA+LVSD/QRaqlhodv3KsZEDCP+6eMzuZFA3GjIl2pD3vFPbPxsnP9bYP dNQM9cm6fa6+Jks0CkEYgecPApOudlkpmbh7X7BcVs3eyaXU0glpdmukzqNtGNp8 hOD1nJ8lCtHySU3jLFZaiz6SFc3eo/RIHU36ljRjNxY5O1lVmMrchjQyj5c5CeT+ eX/6uVVpmvXZf/bRsG61o8M8gvTJtMUsEBBoBbqxfouEKENf2V0KLIotArQSODNg EoqHgKnm4iehzxVHNfIkeNB99OY4F3+IJ9TbxrT5s8/IHXHEn2NsD5HHmLkNqyEd VJ3oyZmgXKqf6a+Y1uC81MxTFh+IE+BGP7jh7nW8VfxesXMu+hqBNH2Iz3ya7UUP F+/VWamRv6LXFwOITNQ3vK8LTgmAlU2A+cunHS8kY2qo2Tx4ev3EzaFIQAM6+pzl GaNCgxRhPzgy26zs/0SgY4QdixZX33A5DLYUSiFKkKglgGYDo4RMGVufzlszdtot IHAFWEcFPQ1r3KUZNcaEhLoel7zOP0pmB0hJfOaCN9eCqkjY9c0= =VPQz -----END PGP SIGNATURE-----
diff -Nru u-boot-2023.01+dfsg/debian/changelog u-boot-2023.01+dfsg/debian/changelog --- u-boot-2023.01+dfsg/debian/changelog 2024-04-19 00:00:21.000000000 +0200 +++ u-boot-2023.01+dfsg/debian/changelog 2025-10-01 02:06:28.000000000 +0200 @@ -1,3 +1,24 @@ +u-boot (2023.01+dfsg-2+deb12u2) bookworm; urgency=medium + + * Non-maintainer upload by the Debian LTS team. + * d/patches/CVE-2024-57254.patch: Add patch to fix CVE-2024-57254. + - Fix an integer overflow in sqfs_inode_size (closes: 1098254). + * d/patches/CVE-2024-57255.patch: Add patch to fix CVE-2024-57255. + - Fix an integer overflow in sqfs_resolve_symlink (closes: #1098254). + * d/patches/CVE-2024-57256.patch: Add patch to fix CVE-2024-57256. + - Fix an integer overflow in ext4fs_read_symlink (closes: #1098254). + * d/patches/CVE-2024-57257.patch: Add patch to fix CVE-2024-57257. + - Fix a stack consumption issue in sqfs_size possible with deep symlink + nesting (closes: #1098254). + * d/patches/CVE-2024-57258-1.patch, d/patches/CVE-2024-57258-2.patch, + d/patches/CVE-2024-57258-3.patch: Add patches to fx CVE-2024-57258. + - Fix multiple integer overflows (closes: #1098254). + * d/patches/CVE-2024-57259.patch: Add patch to fix CVE-2024-57259. + - Fix an off-by-one error resulting in a heap memory corruption in + sqfs_search_dir (closes: #1098254). + + -- Daniel Leidert <[email protected]> Wed, 01 Oct 2025 02:06:28 +0200 + u-boot (2023.01+dfsg-2+deb12u1) bookworm; urgency=medium * debian/patches: Apply fix from upstream for orion-timer, affecting diff -Nru u-boot-2023.01+dfsg/debian/gbp.conf u-boot-2023.01+dfsg/debian/gbp.conf --- u-boot-2023.01+dfsg/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100 +++ u-boot-2023.01+dfsg/debian/gbp.conf 2025-10-01 02:06:28.000000000 +0200 @@ -0,0 +1,4 @@ +[DEFAULT] +debian-branch = debian/bookworm +upstream-branch = upstream/bookworm +pristine-tar = true diff -Nru u-boot-2023.01+dfsg/debian/patches/CVE-2024-57254.patch u-boot-2023.01+dfsg/debian/patches/CVE-2024-57254.patch --- u-boot-2023.01+dfsg/debian/patches/CVE-2024-57254.patch 1970-01-01 01:00:00.000000000 +0100 +++ u-boot-2023.01+dfsg/debian/patches/CVE-2024-57254.patch 2025-10-01 02:06:28.000000000 +0200 @@ -0,0 +1,46 @@ +From: Richard Weinberger <[email protected]> +Date: Fri, 2 Aug 2024 18:36:45 +0200 +Subject: squashfs: Fix integer overflow in sqfs_inode_size() + +A carefully crafted squashfs filesystem can exhibit an extremly large +inode size and overflow the calculation in sqfs_inode_size(). +As a consequence, the squashfs driver will read from wrong locations. + +Fix by using __builtin_add_overflow() to detect the overflow. + +Signed-off-by: Richard Weinberger <[email protected]> +Reviewed-by: Miquel Raynal <[email protected]> + +Reviewed-By: Daniel Leidert <[email protected]> +Origin: https://source.denx.de/u-boot/u-boot/-/commit/c8e929e5758999933f9e905049ef2bf3fe6b140d +Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2 +Bug-Debian: https://bugs.debian.org/1098254 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57254 +Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57254 +--- + fs/squashfs/sqfs_inode.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c +index d25cfb5..bb3ccd3 100644 +--- a/fs/squashfs/sqfs_inode.c ++++ b/fs/squashfs/sqfs_inode.c +@@ -78,11 +78,16 @@ int sqfs_inode_size(struct squashfs_base_inode *inode, u32 blk_size) + + case SQFS_SYMLINK_TYPE: + case SQFS_LSYMLINK_TYPE: { ++ int size; ++ + struct squashfs_symlink_inode *symlink = + (struct squashfs_symlink_inode *)inode; + +- return sizeof(*symlink) + +- get_unaligned_le32(&symlink->symlink_size); ++ if (__builtin_add_overflow(sizeof(*symlink), ++ get_unaligned_le32(&symlink->symlink_size), &size)) ++ return -EINVAL; ++ ++ return size; + } + + case SQFS_BLKDEV_TYPE: diff -Nru u-boot-2023.01+dfsg/debian/patches/CVE-2024-57255.patch u-boot-2023.01+dfsg/debian/patches/CVE-2024-57255.patch --- u-boot-2023.01+dfsg/debian/patches/CVE-2024-57255.patch 1970-01-01 01:00:00.000000000 +0100 +++ u-boot-2023.01+dfsg/debian/patches/CVE-2024-57255.patch 2025-10-01 02:06:28.000000000 +0200 @@ -0,0 +1,52 @@ +From: Richard Weinberger <[email protected]> +Date: Fri, 2 Aug 2024 18:36:44 +0200 +Subject: squashfs: Fix integer overflow in sqfs_resolve_symlink() + +A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff, +as a consequence malloc() will do a zero allocation. +Later in the function the inode size is again used for copying data. +So an attacker can overwrite memory. +Avoid the overflow by using the __builtin_add_overflow() helper. + +Signed-off-by: Richard Weinberger <[email protected]> +Reviewed-by: Miquel Raynal <[email protected]> + +Reviewed-By: Daniel Leidert <[email protected]> +Origin: https://source.denx.de/u-boot/u-boot/-/commit/233945eba63e24061dffeeaeb7cd6fe985278356 +Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2 +Bug-Debian: https://bugs.debian.org/1098254 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57255 +Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57255 +--- + fs/squashfs/sqfs.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c +index 74ca70c..3c68d96 100644 +--- a/fs/squashfs/sqfs.c ++++ b/fs/squashfs/sqfs.c +@@ -416,8 +416,10 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym, + char *resolved, *target; + u32 sz; + +- sz = get_unaligned_le32(&sym->symlink_size); +- target = malloc(sz + 1); ++ if (__builtin_add_overflow(get_unaligned_le32(&sym->symlink_size), 1, &sz)) ++ return NULL; ++ ++ target = malloc(sz); + if (!target) + return NULL; + +@@ -425,9 +427,9 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym, + * There is no trailling null byte in the symlink's target path, so a + * copy is made and a '\0' is added at its end. + */ +- target[sz] = '\0'; ++ target[sz - 1] = '\0'; + /* Get target name (relative path) */ +- strncpy(target, sym->symlink, sz); ++ strncpy(target, sym->symlink, sz - 1); + + /* Relative -> absolute path conversion */ + resolved = sqfs_get_abs_path(base_path, target); diff -Nru u-boot-2023.01+dfsg/debian/patches/CVE-2024-57256.patch u-boot-2023.01+dfsg/debian/patches/CVE-2024-57256.patch --- u-boot-2023.01+dfsg/debian/patches/CVE-2024-57256.patch 1970-01-01 01:00:00.000000000 +0100 +++ u-boot-2023.01+dfsg/debian/patches/CVE-2024-57256.patch 2025-10-01 02:06:28.000000000 +0200 @@ -0,0 +1,50 @@ +From: Richard Weinberger <[email protected]> +Date: Fri, 9 Aug 2024 11:54:28 +0200 +Subject: ext4: Fix integer overflow in ext4fs_read_symlink() + +While zalloc() takes a size_t type, adding 1 to the le32 variable +will overflow. +A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff +and as consequence zalloc() will do a zero allocation. + +Later in the function the inode size is again used for copying data. +So an attacker can overwrite memory. + +Avoid the overflow by using the __builtin_add_overflow() helper. + +Signed-off-by: Richard Weinberger <[email protected]> + +Reviewed-By: Daniel Leidert <[email protected]> +Origin: https://source.denx.de/u-boot/u-boot/-/commit/35f75d2a46e5859138c83a75cd2f4141c5479ab9 +Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2 +Bug-Debian: https://bugs.debian.org/1098254 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57256 +Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57256 +--- + fs/ext4/ext4_common.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c +index 1185cb2..e940d39 100644 +--- a/fs/ext4/ext4_common.c ++++ b/fs/ext4/ext4_common.c +@@ -2183,13 +2183,18 @@ static char *ext4fs_read_symlink(struct ext2fs_node *node) + struct ext2fs_node *diro = node; + int status; + loff_t actread; ++ size_t alloc_size; + + if (!diro->inode_read) { + status = ext4fs_read_inode(diro->data, diro->ino, &diro->inode); + if (status == 0) + return NULL; + } +- symlink = zalloc(le32_to_cpu(diro->inode.size) + 1); ++ ++ if (__builtin_add_overflow(le32_to_cpu(diro->inode.size), 1, &alloc_size)) ++ return NULL; ++ ++ symlink = zalloc(alloc_size); + if (!symlink) + return NULL; + diff -Nru u-boot-2023.01+dfsg/debian/patches/CVE-2024-57257.patch u-boot-2023.01+dfsg/debian/patches/CVE-2024-57257.patch --- u-boot-2023.01+dfsg/debian/patches/CVE-2024-57257.patch 1970-01-01 01:00:00.000000000 +0100 +++ u-boot-2023.01+dfsg/debian/patches/CVE-2024-57257.patch 2025-10-01 02:06:28.000000000 +0200 @@ -0,0 +1,226 @@ +From: Richard Weinberger <[email protected]> +Date: Fri, 2 Aug 2024 18:36:47 +0200 +Subject: squashfs: Fix stack overflow while symlink resolving + +The squashfs driver blindly follows symlinks, and calls sqfs_size() +recursively. So an attacker can create a crafted filesystem and with +a deep enough nesting level a stack overflow can be achieved. + +Fix by limiting the nesting level to 8. + +Signed-off-by: Richard Weinberger <[email protected]> +Reviewed-by: Miquel Raynal <[email protected]> + +Reviewed-By: Daniel Leidert <[email protected]> +Origin: https://source.denx.de/u-boot/u-boot/-/commit/4f5cc096bfd0a591f8a11e86999e3d90a9484c34 +Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2 +Bug-Debian: https://bugs.debian.org/1098254 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57257 +Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57257 +--- + fs/squashfs/sqfs.c | 76 +++++++++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 61 insertions(+), 15 deletions(-) + +diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c +index 3c68d96..5983284 100644 +--- a/fs/squashfs/sqfs.c ++++ b/fs/squashfs/sqfs.c +@@ -24,7 +24,12 @@ + #include "sqfs_filesystem.h" + #include "sqfs_utils.h" + ++#define MAX_SYMLINK_NEST 8 ++ + static struct squashfs_ctxt ctxt; ++static int symlinknest; ++ ++static int sqfs_readdir_nest(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp); + + static int sqfs_disk_read(__u32 block, __u32 nr_blocks, void *buf) + { +@@ -502,7 +507,7 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, + goto out; + } + +- while (!sqfs_readdir(dirsp, &dent)) { ++ while (!sqfs_readdir_nest(dirsp, &dent)) { + ret = strcmp(dent->name, token_list[j]); + if (!ret) + break; +@@ -527,6 +532,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, + + /* Check for symbolic link and inode type sanity */ + if (get_unaligned_le16(&dir->inode_type) == SQFS_SYMLINK_TYPE) { ++ if (++symlinknest == MAX_SYMLINK_NEST) { ++ ret = -ELOOP; ++ goto out; ++ } ++ + sym = (struct squashfs_symlink_inode *)table; + /* Get first j + 1 tokens */ + path = sqfs_concat_tokens(token_list, j + 1); +@@ -874,7 +884,7 @@ out: + return metablks_count; + } + +-int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp) ++static int sqfs_opendir_nest(const char *filename, struct fs_dir_stream **dirsp) + { + unsigned char *inode_table = NULL, *dir_table = NULL; + int j, token_count = 0, ret = 0, metablks_count; +@@ -969,7 +979,19 @@ out: + return ret; + } + ++int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp) ++{ ++ symlinknest = 0; ++ return sqfs_opendir_nest(filename, dirsp); ++} ++ + int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp) ++{ ++ symlinknest = 0; ++ return sqfs_readdir_nest(fs_dirs, dentp); ++} ++ ++static int sqfs_readdir_nest(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp) + { + struct squashfs_super_block *sblk = ctxt.sblk; + struct squashfs_dir_stream *dirs; +@@ -1313,8 +1335,8 @@ static int sqfs_get_lregfile_info(struct squashfs_lreg_inode *lreg, + return datablk_count; + } + +-int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len, +- loff_t *actread) ++static int sqfs_read_nest(const char *filename, void *buf, loff_t offset, ++ loff_t len, loff_t *actread) + { + char *dir = NULL, *fragment_block, *datablock = NULL; + char *fragment = NULL, *file = NULL, *resolved, *data; +@@ -1344,11 +1366,11 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len, + } + + /* +- * sqfs_opendir will uncompress inode and directory tables, and will ++ * sqfs_opendir_nest will uncompress inode and directory tables, and will + * return a pointer to the directory that contains the requested file. + */ + sqfs_split_path(&file, &dir, filename); +- ret = sqfs_opendir(dir, &dirsp); ++ ret = sqfs_opendir_nest(dir, &dirsp); + if (ret) { + goto out; + } +@@ -1356,7 +1378,7 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len, + dirs = (struct squashfs_dir_stream *)dirsp; + + /* For now, only regular files are able to be loaded */ +- while (!sqfs_readdir(dirsp, &dent)) { ++ while (!sqfs_readdir_nest(dirsp, &dent)) { + ret = strcmp(dent->name, file); + if (!ret) + break; +@@ -1405,9 +1427,14 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len, + break; + case SQFS_SYMLINK_TYPE: + case SQFS_LSYMLINK_TYPE: ++ if (++symlinknest == MAX_SYMLINK_NEST) { ++ ret = -ELOOP; ++ goto out; ++ } ++ + symlink = (struct squashfs_symlink_inode *)ipos; + resolved = sqfs_resolve_symlink(symlink, filename); +- ret = sqfs_read(resolved, buf, offset, len, actread); ++ ret = sqfs_read_nest(resolved, buf, offset, len, actread); + free(resolved); + goto out; + case SQFS_BLKDEV_TYPE: +@@ -1578,7 +1605,14 @@ out: + return ret; + } + +-int sqfs_size(const char *filename, loff_t *size) ++int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len, ++ loff_t *actread) ++{ ++ symlinknest = 0; ++ return sqfs_read_nest(filename, buf, offset, len, actread); ++} ++ ++static int sqfs_size_nest(const char *filename, loff_t *size) + { + struct squashfs_super_block *sblk = ctxt.sblk; + struct squashfs_symlink_inode *symlink; +@@ -1594,10 +1628,10 @@ int sqfs_size(const char *filename, loff_t *size) + + sqfs_split_path(&file, &dir, filename); + /* +- * sqfs_opendir will uncompress inode and directory tables, and will ++ * sqfs_opendir_nest will uncompress inode and directory tables, and will + * return a pointer to the directory that contains the requested file. + */ +- ret = sqfs_opendir(dir, &dirsp); ++ ret = sqfs_opendir_nest(dir, &dirsp); + if (ret) { + ret = -EINVAL; + goto free_strings; +@@ -1605,7 +1639,7 @@ int sqfs_size(const char *filename, loff_t *size) + + dirs = (struct squashfs_dir_stream *)dirsp; + +- while (!sqfs_readdir(dirsp, &dent)) { ++ while (!sqfs_readdir_nest(dirsp, &dent)) { + ret = strcmp(dent->name, file); + if (!ret) + break; +@@ -1638,6 +1672,11 @@ int sqfs_size(const char *filename, loff_t *size) + break; + case SQFS_SYMLINK_TYPE: + case SQFS_LSYMLINK_TYPE: ++ if (++symlinknest == MAX_SYMLINK_NEST) { ++ *size = 0; ++ return -ELOOP; ++ } ++ + symlink = (struct squashfs_symlink_inode *)ipos; + resolved = sqfs_resolve_symlink(symlink, filename); + ret = sqfs_size(resolved, size); +@@ -1677,10 +1716,11 @@ int sqfs_exists(const char *filename) + + sqfs_split_path(&file, &dir, filename); + /* +- * sqfs_opendir will uncompress inode and directory tables, and will ++ * sqfs_opendir_nest will uncompress inode and directory tables, and will + * return a pointer to the directory that contains the requested file. + */ +- ret = sqfs_opendir(dir, &dirsp); ++ symlinknest = 0; ++ ret = sqfs_opendir_nest(dir, &dirsp); + if (ret) { + ret = -EINVAL; + goto free_strings; +@@ -1688,7 +1728,7 @@ int sqfs_exists(const char *filename) + + dirs = (struct squashfs_dir_stream *)dirsp; + +- while (!sqfs_readdir(dirsp, &dent)) { ++ while (!sqfs_readdir_nest(dirsp, &dent)) { + ret = strcmp(dent->name, file); + if (!ret) + break; +@@ -1705,6 +1745,12 @@ free_strings: + return ret == 0; + } + ++int sqfs_size(const char *filename, loff_t *size) ++{ ++ symlinknest = 0; ++ return sqfs_size_nest(filename, size); ++} ++ + void sqfs_close(void) + { + sqfs_decompressor_cleanup(&ctxt); diff -Nru u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-1.patch u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-1.patch --- u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-1.patch 1970-01-01 01:00:00.000000000 +0100 +++ u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-1.patch 2025-10-01 02:06:28.000000000 +0200 @@ -0,0 +1,46 @@ +From: Richard Weinberger <[email protected]> +Date: Fri, 2 Aug 2024 12:08:45 +0200 +Subject: dlmalloc: Fix integer overflow in sbrk() + +Make sure that the new break is within mem_malloc_start +and mem_malloc_end before making progress. +ulong new = old + increment; can overflow for extremely large +increment values and memset() can get wrongly called. + +Signed-off-by: Richard Weinberger <[email protected]> +Reviewed-by: Simon Glass <[email protected]> + +Reviewed-By: Daniel Leidert <[email protected]> +Origin: https://source.denx.de/u-boot/u-boot/-/commit/0a10b49206a29b4aa2f80233a3e53ca0466bb0b3 +Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2 +Bug-Debian: https://bugs.debian.org/1098254 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57258 +Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57258 +--- + common/dlmalloc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/common/dlmalloc.c b/common/dlmalloc.c +index 41c7230..ce4e56d 100644 +--- a/common/dlmalloc.c ++++ b/common/dlmalloc.c +@@ -604,6 +604,9 @@ void *sbrk(ptrdiff_t increment) + ulong old = mem_malloc_brk; + ulong new = old + increment; + ++ if ((new < mem_malloc_start) || (new > mem_malloc_end)) ++ return (void *)MORECORE_FAILURE; ++ + /* + * if we are giving memory back make sure we clear it out since + * we set MORECORE_CLEARS to 1 +@@ -611,9 +614,6 @@ void *sbrk(ptrdiff_t increment) + if (increment < 0) + memset((void *)new, 0, -increment); + +- if ((new < mem_malloc_start) || (new > mem_malloc_end)) +- return (void *)MORECORE_FAILURE; +- + mem_malloc_brk = new; + + return (void *)old; diff -Nru u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-2.patch u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-2.patch --- u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-2.patch 1970-01-01 01:00:00.000000000 +0100 +++ u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-2.patch 2025-10-01 02:06:28.000000000 +0200 @@ -0,0 +1,42 @@ +From: Richard Weinberger <[email protected]> +Date: Fri, 2 Aug 2024 12:08:44 +0200 +Subject: dlmalloc: Fix integer overflow in request2size() + +req is of type size_t, casting it to long opens the door +for an integer overflow. +Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX +cause and overflow such that request2size() returns MINSIZE. + +Fix by removing the cast. +The origin of the cast is unclear, it's in u-boot and ppcboot since ever +and predates the CVS history. +Doug Lea's original dlmalloc implementation also doesn't have it. + +Signed-off-by: Richard Weinberger <[email protected]> +Reviewed-by: Simon Glass <[email protected]> + +Reviewed-By: Daniel Leidert <[email protected]> +Origin: https://source.denx.de/u-boot/u-boot/-/commit/8642b2178d2c4002c99a0b69a845a48f2ae2706f +Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2 +Bug-Debian: https://bugs.debian.org/1098254 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57258 +Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57258 +--- + common/dlmalloc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/common/dlmalloc.c b/common/dlmalloc.c +index ce4e56d..6293500 100644 +--- a/common/dlmalloc.c ++++ b/common/dlmalloc.c +@@ -379,8 +379,8 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + /* pad request bytes into a usable size */ + + #define request2size(req) \ +- (((long)((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \ +- (long)(MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \ ++ ((((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \ ++ (MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \ + (((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) & ~(MALLOC_ALIGN_MASK))) + + /* Check if m has acceptable alignment */ diff -Nru u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-3.patch u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-3.patch --- u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-3.patch 1970-01-01 01:00:00.000000000 +0100 +++ u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-3.patch 2025-10-01 02:06:28.000000000 +0200 @@ -0,0 +1,39 @@ +From: Richard Weinberger <[email protected]> +Date: Fri, 2 Aug 2024 12:08:43 +0200 +Subject: x86: Fix ptrdiff_t for x86_64 + +sbrk() assumes ptrdiff_t is large enough to enlarge/shrink the heap +by LONG_MIN/LONG_MAX. +So, use the long type, also to match the rest of the Linux ecosystem. + +Signed-off-by: Richard Weinberger <[email protected]> +Reviewed-by: Simon Glass <[email protected]> + +Reviewed-By: Daniel Leidert <[email protected]> +Origin: https://source.denx.de/u-boot/u-boot/-/commit/c17b2a05dd50a3ba437e6373093a0d6a359cdee0 +Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2 +Bug-Debian: https://bugs.debian.org/1098254 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57258 +Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57258 +--- + arch/x86/include/asm/posix_types.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/posix_types.h b/arch/x86/include/asm/posix_types.h +index dbcea7f..e1ed9bc 100644 +--- a/arch/x86/include/asm/posix_types.h ++++ b/arch/x86/include/asm/posix_types.h +@@ -20,11 +20,12 @@ typedef unsigned short __kernel_gid_t; + #if defined(__x86_64__) + typedef unsigned long __kernel_size_t; + typedef long __kernel_ssize_t; ++typedef long __kernel_ptrdiff_t; + #else + typedef unsigned int __kernel_size_t; + typedef int __kernel_ssize_t; +-#endif + typedef int __kernel_ptrdiff_t; ++#endif + typedef long __kernel_time_t; + typedef long __kernel_suseconds_t; + typedef long __kernel_clock_t; diff -Nru u-boot-2023.01+dfsg/debian/patches/CVE-2024-57259.patch u-boot-2023.01+dfsg/debian/patches/CVE-2024-57259.patch --- u-boot-2023.01+dfsg/debian/patches/CVE-2024-57259.patch 1970-01-01 01:00:00.000000000 +0100 +++ u-boot-2023.01+dfsg/debian/patches/CVE-2024-57259.patch 2025-10-01 02:06:28.000000000 +0200 @@ -0,0 +1,40 @@ +From: Richard Weinberger <[email protected]> +Date: Fri, 2 Aug 2024 22:05:09 +0200 +Subject: squashfs: Fix heap corruption in sqfs_search_dir() + +res needs to be large enough to store both strings rem and target, +plus the path separator and the terminator. +Currently the space for the path separator is not accounted, so +the heap is corrupted by one byte. + +Signed-off-by: Richard Weinberger <[email protected]> +Reviewed-by: Miquel Raynal <[email protected]> + +Reviewed-By: Daniel Leidert <[email protected]> +Origin: https://source.denx.de/u-boot/u-boot/-/commit/048d795bb5b3d9c5701b4855f5e74bcf6849bf5e +Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2 +Bug-Debian: https://bugs.debian.org/1098254 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57259 +Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57259 +--- + fs/squashfs/sqfs.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c +index 5983284..218ff8d 100644 +--- a/fs/squashfs/sqfs.c ++++ b/fs/squashfs/sqfs.c +@@ -557,8 +557,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, + ret = -ENOMEM; + goto out; + } +- /* Concatenate remaining tokens and symlink's target */ +- res = malloc(strlen(rem) + strlen(target) + 1); ++ /* ++ * Concatenate remaining tokens and symlink's target. ++ * Allocate enough space for rem, target, '/' and '\0'. ++ */ ++ res = malloc(strlen(rem) + strlen(target) + 2); + if (!res) { + ret = -ENOMEM; + goto out; diff -Nru u-boot-2023.01+dfsg/debian/patches/series u-boot-2023.01+dfsg/debian/patches/series --- u-boot-2023.01+dfsg/debian/patches/series 2024-04-18 23:28:30.000000000 +0200 +++ u-boot-2023.01+dfsg/debian/patches/series 2025-10-01 02:06:28.000000000 +0200 @@ -1,25 +1,22 @@ mx53loco - arndale/board-spl-rule.diff - test-imagetools-test-fixes - exynos/0001-arm-config-fix-default-console-only-to-specify-the-d.patch - riscv64/unmatched-prevent-relocating-initrd-and-fdt.patch - disable-fit-image-tests - rockchip/rockchip-inno-usb.patch rockchip/rockchip-roc-pc-rk3399-Enable-rockchip-efuse-support.patch - qemu/efi-secure-boot.patch - fix-qemu-ppce500-with-binutils-2.38.patch Makefile-Use-relative-paths-for-debugging-symbols.patch - tools-disable-video-logo - riscv64/vbe-Allow-probing-the-VBE-bootmeth-to-fail-in-OS-fixup.patch - upstream/0001-timer-orion-timer-Fix-problem-in-early_init_done.patch +CVE-2024-57254.patch +CVE-2024-57255.patch +CVE-2024-57256.patch +CVE-2024-57257.patch +CVE-2024-57258-1.patch +CVE-2024-57258-2.patch +CVE-2024-57258-3.patch +CVE-2024-57259.patch
