Commit graph

43 commits

Author SHA1 Message Date
Tom Rini
52af0101be Merge branch 'master' into next
Merge in v2022.07-rc5.
2022-06-20 14:40:59 -04:00
Miquel Raynal
2ac0baab4a fs/squashfs: sqfs_read: Prevent arbitrary code execution
Following Jincheng's report, an out-of-band write leading to arbitrary
code execution is possible because on one side the squashfs logic
accepts directory names up to 65535 bytes (u16), while U-Boot fs logic
accepts directory names up to 255 bytes long.

Prevent such an exploit from happening by capping directory name sizes
to 255. Use a define for this purpose so that developers can link the
limitation to its source and eventually kill it some day by dynamically
allocating this array (if ever desired).

Link: https://lore.kernel.org/all/CALO=DHFB+yBoXxVr5KcsK0iFdg+e7ywko4-e+72kjbcS8JBfPw@mail.gmail.com
Reported-by: Jincheng Wang <jc.w4ng@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Tested-by: Jincheng Wang <jc.w4ng@gmail.com>
2022-06-16 15:22:55 -04:00
Heinrich Schuchardt
84378d5c86 fs/squashfs: fix sqfs_read_sblk()
Setting sblk = NULL has no effect on the caller.
We want to set *sblk = NULL if an error occurs to avoid usage after free.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-06-06 17:47:17 -04:00
Pali Rohár
9320db0926 squashfs: Fix compilation on big endian systems
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
2022-06-03 11:15:24 -04:00
Sean Nyekjaer
92080c6ef6 fs/squashfs: use lldiv function for math
When compiling for x86:
ld.bfd: fs/squashfs/sqfs.o: in function `sqfs_read':
u-boot/fs/squashfs/sqfs.c:1443: undefined reference to `__udivmoddi4'
ld.bfd: u-boot/fs/squashfs/sqfs.c:1521: undefined reference to `__udivmoddi4'

Signed-off-by: Sean Nyekjaer <sean.nyekjaer.ext@siemensgamesa.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Pali Rohár <pali@kernel.org>
2022-05-23 09:33:10 -04:00
Heinrich Schuchardt
9bd89bbd71 fs/squashfs: simplify sqfs_read()
* Don't check argument of free(). Free does this itself.
* Reduce scope of data_buffer. Remove duplicate free().
* Avoid superfluous NULL assignment.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
2022-04-19 14:51:11 -04:00
Lars Weber
1e69db57e6 squashfs: show an error message if the inode_table can't be allocated
Signed-off-by: Lars Weber <weber@weber-software.com>
2022-01-29 07:46:46 -05:00
Simon Glass
ad6ddc57ee sqfs: Suppress the message about missing filesystem
This message comes up a lot when scanning filesystems. It suggests to the
user that there is some sort of error, but in fact there is no reason to
expect that a particular partition has a sqfs filesystem. Other
filesystems don't print this error.

Turn it into a debug message.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
2021-09-16 13:19:25 -04:00
Joao Marcos Costa
0008d80866 fs/squashfs: fix reading of fragmented files
The fragmented files were not correctly read because of two issues:

- The squashfs_file_info struct has a field named 'comp', which tells if
the file's fragment is compressed or not. This field was always set to
'true' in sqfs_get_regfile_info and sqfs_get_lregfile_info. It should
actually take sqfs_frag_lookup's return value. This patch addresses
these two assignments.

- In sqfs_read, the fragments (compressed or not) were copied to the
output buffer through a for loop which was reading data at the wrong
offset. Replace these loops by equivalent calls to memcpy, with the
right parameters.

I tested this patch by comparing the MD5 checksum of a few fragmented
files with the respective md5sum output in sandbox, considering both
compressed and uncompressed fragments.

Signed-off-by: Joao Marcos Costa <jmcosta944@gmail.com>
Tested-by: Richard Genoud <richard.genoud@posteo.net>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
2021-06-09 20:58:20 -04:00
Heinrich Schuchardt
53ba2c21c2 fs/squashfs: zero out unused fields in fs_dirent
When reading directories the UEFI sub-system must supply file attributes
and timestamps. These fields will have to be added to struct fs_dirent.
SquashFS should not fill these fields with random data. Ensure that they
are zeroed out.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
2021-05-26 17:26:07 -04:00
Heinrich Schuchardt
220fa478fb fs/squashfs: NULL dereference in sqfs_closedir()
sqfs_opendir() called in sqfs_size(), sqfs_read(), sqfs_exists() may fail
leading to sqfs_closedir(NULL) being called. Do not dereference NULL.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-02-24 16:51:48 -05:00
Campbell Suter
9dba07f143 Fix squashfs failing to load sparse files
SquashFS supports sparse blocks in files - that is, if a given block is
composed only of zeros, it's not written to the output file to save
space and its on-disk length field is set to zero to indicate that.

Previously the squashfs driver did not recognise that, and would attempt
to read and decompress a zero-sized block, which obviously failed.

The following command may be used to create a file for testing:

cat <(dd if=/dev/urandom of=/dev/stdout bs=1M count=1) \
	<(dd if=/dev/zero of=/dev/stdout bs=1M count=1) \
	<(dd if=/dev/urandom of=/dev/stdout bs=1k count=200) >test_file

Signed-off-by: Campbell Suter <campbell@snapit.group>
2021-01-20 14:01:44 -05:00
Richard Genoud
7e932ac790 fs/squashfs: sqfs_close/sqfs_read_sblk: set ctxt.sblk to NULL after free
This will prevent a double free error if sqfs_close() is called twice.

Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-12-02 16:21:58 -05:00
Richard Genoud
dd4866b437 fs/squashfs: implement exists() function
This makes it possible to find a file and use the distro_bootcmd

Reviewed-by: Joao Marcos Costa <jmcosta944@gmail.com>
Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
21b1b3bad5 fs/squashfs: sqfs_read: remove buggy offset functionality
offset is the offset in the file read, not the offset in the destination
buffer.
If the offset is not null, this will lead to a memory corruption.
So, for now, we are returning an error if the offset is used.

Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
cbd5e40ede fs/squashfs: sqfs_read: don't write beyond buffer size
The length of the buffer wasn't taken into account when writing to the
given buffer.

Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
6d25bd3e9c fs/squashfs: sqfs_probe: use sqfs_decompressor_init() return value
sqfs_decompressor_init() returns a value, so it's better to use it than
to force the return value to EINVAL (it could be ENOMEM)

Reviewed-by: Joao Marcos Costa <jmcosta944@gmail.com>
Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
56cf1ceee3 fs/squashfs: sqfs_probe: reset cur_dev/cur_part_info to NULL on error
Resetting the context on error will prevent some checks like:
if (!ctx.cur_dev)
from passing when the probe method has failed

Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
ccd4c08a45 fs/squashfs: sqfs_probe: fix possible memory leak on error
If SquashFS magic number is invalid, there's a memory leak.

Reviewed-by: Joao Marcos Costa <jmcosta944@gmail.com>
Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
571b67ee1d fs/squashfs: sqfs_read: fix memory leak on finfo.blk_sizes
finfo.blk_sizes may not be freed in case of error in the for loop
Setting it to null and freeing it at the end prevents that from
happening.

Reviewed-by: Joao Marcos Costa <jmcosta944@gmail.com>
Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
33686804d2 fs/squashfs: sqfs_get_abs_path: fix possible memory leak on error
if sqfs_tokenize(rel_tokens, rc, rel); fails, the function exits
without freeing the array base_tokens.

Reviewed-by: Joao Marcos Costa <jmcosta944@gmail.com>
Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
53db0e24a8 fs/squashfs: sqfs_get_abs_path: fix error check
the return value of sqfs_tokenize(rel_tokens, rc, rel); wasn't checked.
(but "ret" value was!)
This is obviously a typo.

Reviewed-by: Joao Marcos Costa <jmcosta944@gmail.com>
Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
c9b8e86f8b fs/squashfs: sqfs_frag_lookup: simplify error handling
For consistency with other functions.

Reviewed-by: Joao Marcos Costa <jmcosta944@gmail.com>
Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
555459e793 fs/squashfs: sqfs_read: fix another memory leak
data_buffer was allocated in a loop and freed only once.

Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
7ce9745cbe fs/squashfs: sqfs_read: fix memory leak
sqfs_closedir() should be called to free memory allocated by
sqfs_opendir()

Reviewed-by: Joao Marcos Costa <jmcosta944@gmail.com>
Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
b34949fe9b fs/squashfs: sqfs_read: remove useless sqfs_closedir()
as sqfs_opendir failed, there's no need to call sqfs_closedir

Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
d1d8d75f69 fs/squashfs: sqfs_read: fix dangling pointer dirs->entry
dirs->entry shouldn't be left dangling as it could be freed twice.

Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
35475f83a1 fs/squashfs: sqfs_size: remove useless sqfs_closedir()
as sqfs_opendir failed, there's no need to call sqfs_closedir

Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
508a9dc7f6 fs/squashfs: sqfs_size: fix dangling pointer dirs->entry
dirs->entry shouldn't be left dangling as it could be freed twice.

Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
dc3312c43c fs/squashfs: sqfs_concat_tokens: check if malloc succeeds
memory allocation should always be checked

Reviewed-by: Joao Marcos Costa <jmcosta944@gmail.com>
Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
4c83d27557 fs/squashfs: sqfs_read_inode_table: fix dangling pointer
inode_table should not be left dangling as it may be freed in sqfs_opendir

Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
cd54591afd fs/squashfs: sqfs_search_dir: fix memory leaks
path, target, res, rem and sym_tokens were not freed on error or success.

Reviewed-by: Joao Marcos Costa <jmcosta944@gmail.com>
Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
01e71ec61a fs/squashfs: sqfs_search_dir: fix dangling pointer
dirs->entry shouldn't be left dangling as it could be freed twice.

Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
7d23b2c5fb fs/squashfs: sqfs_read_directory_table: fix memory leak
pos_list wasn't freed on every error

Reviewed-by: Joao Marcos Costa <jmcosta944@gmail.com>
Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
5487477802 fs/squashfs: sqfs_split_path: fix memory leak and dangling pointers
*file and *dir were not freed on error

Reviewed-by: Joao Marcos Costa <jmcosta944@gmail.com>
Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
87d11e08e4 fs/squashfs: sqfs_closedir: fix memory leak
sqfs_dirs wasn't freed anywhere.

Reviewed-by: Joao Marcos Costa <jmcosta944@gmail.com>
Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
ea1b1651c6 fs/squashfs: sqfs_opendir: simplify error handling
Using only one label helps prevent bugs when moving code around.

Reviewed-by: Joao Marcos Costa <jmcosta944@gmail.com>
Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Richard Genoud
f268768d43 fs/squashfs: sqfs_opendir: fix some memory leaks and dangling pointers
When trying to load a non-existing file, the cpu hangs!

Signed-off-by: Richard Genoud <richard.genoud@posteo.net>
2020-11-19 09:45:49 -05:00
Joao Marcos Costa
a7dc37d38c fs/squashfs: Fix Coverity Scan defects
Fix control flow issues and null pointer dereferences.

Signed-off-by: Joao Marcos Costa <jmcosta944@gmail.com>
2020-09-18 16:19:58 -04:00
Joao Marcos Costa
c9875a5fe8 fs/squashfs: Fix Coverity Scan defects
Fix defects such as uninitialized variables and untrusted pointer
operations. Most of the tainted variables and the related defects
actually come from Linux's macro get_unaligned_le**, extensively used
in SquashFS code. Add sanity checks for those variables.

Signed-off-by: Joao Marcos Costa <joaomarcos.costa@bootlin.com>
2020-08-24 14:11:31 -04:00
Joao Marcos Costa
cdc114415c fs/squashfs: replace sqfs_decompress() parameter
Replace 'u16 comp_type' by a reference to squashfs_ctxt structure.

Signed-off-by: Joao Marcos Costa <joaomarcos.costa@bootlin.com>
2020-08-24 14:11:31 -04:00
Joao Marcos Costa
10f7cf5f12 fs/squashfs: Add init and clean-up functions to decompression
Add sqfs_decompressor_init() and sqfs_decompressor_cleanup(). These
functions are called respectively in sqfs_probe() and sqfs_close(). For
now, only ZSTD requires an initialization logic. ZSTD support will be
added in a follow-up commit.

Move squashfs_ctxt definition to sqfs_filesystem.h. This structure is
passed to sqfs_decompressor_init() and sqfs_decompressor_cleanup(), so
it can no longer be local to sqfs.c.

Signed-off-by: Joao Marcos Costa <joaomarcos.costa@bootlin.com>
2020-08-24 14:11:31 -04:00
Joao Marcos Costa
c510061303 fs/squashfs: new filesystem
Add support for SquashFS filesystem. Right now, it does not support
compression but support for zlib will be added in a follow-up commit.

Signed-off-by: Joao Marcos Costa <joaomarcos.costa@bootlin.com>
2020-08-07 22:31:32 -04:00