From 2c08fe306c6cbc60ec4beb434c71e56bb7abb678 Mon Sep 17 00:00:00 2001 From: Richard Weinberger Date: Fri, 2 Aug 2024 22:05:09 +0200 Subject: [PATCH 8/8] squashfs: Fix heap corruption in sqfs_search_dir() res needs to be large enough to store both strings rem and target, plus the path separator and the terminator. Currently the space for the path separator is not accounted, so the heap is corrupted by one byte. Signed-off-by: Richard Weinberger Reviewed-by: Miquel Raynal CVE: CVE-2024-57259 Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/048d795bb5b3d9c5701b4855f5e74bcf6849bf5e] Signed-off-by: Hongxu Jia --- fs/squashfs/sqfs.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c index a5b7890e..1bd9b2a4 100644 --- a/fs/squashfs/sqfs.c +++ b/fs/squashfs/sqfs.c @@ -563,8 +563,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list, ret = -ENOMEM; goto out; } - /* Concatenate remaining tokens and symlink's target */ - res = malloc(strlen(rem) + strlen(target) + 1); + /* + * Concatenate remaining tokens and symlink's target. + * Allocate enough space for rem, target, '/' and '\0'. + */ + res = malloc(strlen(rem) + strlen(target) + 2); if (!res) { ret = -ENOMEM; goto out; -- 2.34.1