mail archive of the barebox mailing list
From: Sascha Hauer <s.hauer@pengutronix.de>
To: Barebox List <barebox@lists.infradead.org>
Cc: Jonathan Bar Or <jonathanbaror@gmail.com>
Subject: [PATCH 0/5] Filesystem memory corruption fixes
Date: Wed, 19 Feb 2025 15:18:39 +0100
Message-ID: <20250219141844.1912413-1-s.hauer@pengutronix.de>

These are some fixes for memory corruptions that can occur on corrupted
or manipulated filesystems.

In case you use one of the affected filesystems in a secure boot chain
you should apply these patches.

Normally you shouldn't use a barebox filesystem in a secure boot chain,
but instead use FIT images on a raw partition. We never made this explicit
though. Ahmad has done this recently:

https://lore.kernel.org/barebox/20250217180949.3961860-3-a.fatoum@pengutronix.de/T/#u

I dug through the U-Boot code and there are a few CVE fixes in the
ext4 code that we'll likely need as well. But even with these applied
we don't consider the barebox filesystems as suitable for secure boot.

For those curious, we consider adding support for dm-verity at some
point. This would allow us to remove the attack surface from the
filesystem implementations and we could also use bootspec rather than
signed FIT images.

Sascha

Sascha Hauer (5):
  CVE-2025-26722: fs: squashfs: Ensure positive inode length
  CVE-2025-26724: fs: cramfs: fix malloc(size + constant) buffer
    overflow issues
  CVE-2025-26723: fs: ext4: fix malloc(size + constant) buffer overflow
    issues
  CVE-2025-26725: fs: jffs2: fix malloc(size + constant) buffer overflow
    issues
  CVE-2025-26721: fs: pstore: fix malloc(size + constant) buffer
    overflow issues

 fs/cramfs/cramfs.c    | 2 +-
 fs/ext4/ext_barebox.c | 2 +-
 fs/jffs2/malloc.c     | 4 ++--
 fs/jffs2/nodelist.h   | 2 +-
 fs/jffs2/readinode.c  | 2 +-
 fs/pstore/fs.c        | 2 +-
 fs/squashfs/symlink.c | 8 ++++++--
 7 files changed, 13 insertions(+), 9 deletions(-)

-- 
2.39.5





Thread overview: 13+ messages
2025-02-19 14:18 Sascha Hauer [this message]
2025-02-19 14:18 ` [PATCH 1/5] CVE-2025-26722: fs: squashfs: Ensure positive inode length Sascha Hauer
2025-02-19 16:49   ` Ahmad Fatoum
2025-02-19 14:18 ` [PATCH 2/5] CVE-2025-26724: fs: cramfs: fix malloc(size + constant) buffer overflow issues Sascha Hauer
2025-02-19 16:50   ` Ahmad Fatoum
2025-02-19 14:18 ` [PATCH 3/5] CVE-2025-26723: fs: ext4: " Sascha Hauer
2025-02-19 16:51   ` Ahmad Fatoum
2025-02-19 14:18 ` [PATCH 4/5] CVE-2025-26725: fs: jffs2: " Sascha Hauer
2025-02-19 16:54   ` Ahmad Fatoum
2025-02-19 14:18 ` [PATCH 5/5] CVE-2025-26721: fs: pstore: " Sascha Hauer
2025-02-19 16:54   ` Ahmad Fatoum
2025-02-19 16:47 ` [PATCH 0/5] Filesystem memory corruption fixes Ahmad Fatoum
2025-02-21  7:33 ` Sascha Hauer
