Re: [PATCH v2] fs/squashfs: sqfs_read: Prevent arbitrary code execution

2022-06-09 Thread Jincheng Wang
It works well. Tested-by: Jincheng Wang Miquel Raynal wrote on Thu, Jun 9, 2022 at 22:02: > Following Jincheng's report, an out-of-band write leading to arbitrary > code execution is possible because on one side the squashfs logic > accepts directory names up to 65535 bytes (u16), while U-Boot

Re: [PATCH] fs/squashfs: sqfs_read: Prevent arbitrary code execution

2022-06-07 Thread Jincheng Wang
superblock end 69632 is larger than device size 4096 1 file(s), 0 dir(s) ``` Tom Rini wrote on Tue, Jun 7, 2022 at 21:43: > On Tue, Jun 07, 2022 at 06:00:38PM +0800, Jincheng Wang wrote: > > > It works well, thanks for your work. > > Can you please provide a Tested-by? Thanks! > >

Re: [PATCH] fs/squashfs: sqfs_read: Prevent arbitrary code execution

2022-06-07 Thread Jincheng Wang
allocating this array (if ever desired). > > Link: > https://lore.kernel.org/all/CALO=dhfb+yboxxvr5kcsk0ifdg+e7ywko4-e+72kjbcs8jb...@mail.gmail.com > Reported-by: Jincheng Wang > Signed-off-by: Miquel Raynal > --- > > Hello Jincheng, can you please give this fix a

Out of bounds write vulnerability in the sqfs_readdir() function

2022-05-26 Thread Jincheng Wang
Hello u-boot list, I found that the sqfs_readdir() function is vulnerable to an out-of-bounds write, which will cause arbitrary code execution. ``` int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp) { .. /* Set entry name */ strncpy(dent->name, dirs->entry->name,

Fwd: [PATCH1/1]sqfs: sqfs_tokenize() should fill the tokens list instead of free items

2021-10-31 Thread Jincheng Wang
-- Forwarded message - From: Jincheng Wang Date: Sun, Oct 31, 2021, 6:23 PM Subject: Re: [PATCH1/1]sqfs: sqfs_tokenize() should fill the tokens list instead of free items To: Miquel Raynal Hello, Apologies for the late reply, and I made a mistake in writing the mail. Here is the email

[PATCH1/1]sqfs: sqfs_tokenize() should fill the tokens list instead of free items

2021-10-15 Thread Jincheng Wang
We can delete two lines of code to avoid the double free bug, but there is still a wild pointer bug. A test for wild pointers: sqfsls host 0 1//2/3//4/5 Filling the tokens list solves it well. Signed-off-by: Jincheng Wang --- fs/squashfs/sqfs.c | 5 +++-- 1 file changed, 3 insertions(+), 2

Re: Double free vulnerability in sqfs commands ("sqfsls" and "sqfsload")

2021-10-15 Thread Jincheng Wang
Yes, I will submit a patch to fix the bug. Regards, Jincheng Tom Rini wrote on Fri, Oct 15, 2021 at 1:46 AM: > On Tue, Oct 12, 2021 at 04:07:43PM +0800, Jincheng Wang wrote: > > > Hello U-Boot lists! > > I had been doing fuzz testing in U-Boot. > > There is a double free bug in

Double free vulnerability in sqfs commands ("sqfsls" and "sqfsload")

2021-10-12 Thread Jincheng Wang
Hello U-Boot lists! I had been doing fuzz testing in U-Boot. There is a double free bug in U-Boot, in /fs/squashfs/sqfs.c in the function sqfs_tokenize(). On line 307, tokens[i] is being freed and ret is being set to -ENOMEM; it will go to the out: label and free tokens[i] again (just