Hello Richard,

On 16.07.24 17:49, Richard Weinberger wrote:
> Hi!
>
> While inspecting the squashfs implementation of Barebox I noticed
> some issues and was able to trigger heap corruptions using crafted filesystems.

Thanks for sharing your results.

By the way I had started a libfuzzer integration for barebox a while back that I just pushed here:

https://github.com/a3f/barebox/tree/libfuzzer

It still needs some love to make it upstream, but it's already usable and can find issues, but it still suffers from depleting memory after a while. I need to fix those memory leaks and clean it up when I find the time, so we can start more heavily fuzzing a base set of functionality that's needed for secure boot (mainly partition tables, file type detection and FIT image parser).

> e.g.

[snip]

> While implementing fixes for them I realized that these are all known
> and fixed in Linux.
>
> I suggest backporting at least these Linux fixes for squashfs:
>
> 01cfb7937a9af ("squashfs: be more careful about metadata corruption")
> d512584780d3e ("squashfs: more metadata hardening")
> cdbb65c4c7ead ("squashfs metadata 2: electric boogaloo")
> 71755ee5350b6 ("squashfs: more metadata hardening")
> a3f94cb99a854 ("Squashfs: Compute expected length from inode size rather than block length")

Backported in https://lore.barebox.org/barebox/20240717063328.2810835-1-a.fatoum@xxxxxxxxxxxxxx/

Cheers,
Ahmad

>
> Thanks,
> //richard
>

--
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
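The commits listed above harden the squashfs metadata reader against crafted images: a metadata block is preceded by a 2-byte little-endian header whose low 15 bits give the block length and whose top bit marks it as stored uncompressed, and the kernel fixes reject a length larger than the 8 KiB metadata block size or one that runs past the end of the image before any copy or decompression happens. The following stand-alone C program is an added illustration of that class of check, written for this thread; it is not barebox or Linux code, and the sample image, the `check_metadata_header` function and the `meta_status` enum are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* On-disk constants of the squashfs metadata block header. */
#define SQUASHFS_METADATA_SIZE        8192
#define SQUASHFS_COMPRESSED_BIT_BLOCK 0x8000

/* Outcome of validating one metadata block header (constructed for this example). */
enum meta_status {
	META_OK = 0,
	META_HEADER_PAST_END, /* fewer than 2 header bytes left in the image */
	META_BAD_LENGTH,      /* length exceeds the metadata block size */
	META_PAST_END,        /* payload would run past the end of the image */
};

/*
 * Validate the metadata block header at byte offset `index` of an image that
 * is `bytes_used` bytes long. On META_OK, report the payload length, whether
 * it is compressed, and the offset of the next block. All comparisons are
 * written so that a huge `index` cannot overflow and slip past the checks.
 */
enum meta_status check_metadata_header(const uint8_t *img, uint64_t bytes_used,
				       uint64_t index, uint16_t *out_len,
				       bool *out_compressed, uint64_t *next_index)
{
	if (bytes_used < 2 || index > bytes_used - 2)
		return META_HEADER_PAST_END;

	uint16_t raw = (uint16_t)img[index] | ((uint16_t)img[index + 1] << 8);
	bool compressed = !(raw & SQUASHFS_COMPRESSED_BIT_BLOCK);
	uint16_t len = raw & ~SQUASHFS_COMPRESSED_BIT_BLOCK;

	/* The decompression/copy target is one metadata block; never exceed it. */
	if (len > SQUASHFS_METADATA_SIZE)
		return META_BAD_LENGTH;

	/* The payload must lie entirely inside the image. */
	if (len > bytes_used - 2 - index)
		return META_PAST_END;

	*out_len = len;
	*out_compressed = compressed;
	*next_index = index + 2 + len;
	return META_OK;
}

static void put_le16(uint8_t *p, uint16_t v)
{
	p[0] = v & 0xff;
	p[1] = v >> 8;
}

/*
 * Build a constructed 64-byte image holding one valid header and three
 * crafted ones. Returns the number of bytes in use (0 if buf is too small).
 */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
	const size_t bytes_used = 64;
	if (cap < bytes_used)
		return 0;
	memset(buf, 0, bytes_used);
	put_le16(buf + 0,  SQUASHFS_COMPRESSED_BIT_BLOCK | 16);     /* valid: 16 uncompressed bytes */
	put_le16(buf + 20, SQUASHFS_COMPRESSED_BIT_BLOCK | 0x3fff); /* crafted: 16383 > 8192 */
	put_le16(buf + 40, SQUASHFS_COMPRESSED_BIT_BLOCK | 100);    /* crafted: runs past the image end */
	buf[63] = 0x10;                                             /* crafted: only 1 header byte left */
	return bytes_used;
}

int main(void)
{
	static const char *names[] = { "ok", "header past end", "bad length", "payload past end" };
	uint8_t img[64];
	size_t used = build_sample_image(img, sizeof img);
	uint64_t offsets[] = { 0, 20, 40, 63 };

	for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
		uint16_t len = 0;
		bool comp = false;
		uint64_t next = 0;
		enum meta_status st = check_metadata_header(img, used, offsets[i], &len, &comp, &next);
		printf("offset %2llu: %s", (unsigned long long)offsets[i], names[st]);
		if (st == META_OK)
			printf(" (len=%u, %s, next=%llu)", len, comp ? "compressed" : "uncompressed",
			       (unsigned long long)next);
		printf("\n");
	}
	return 0;
}
```

The order of the checks matters: the header bytes are bounds-checked before they are read, and the length is compared against both the output buffer size and the remaining image size before any data is touched, which is the pattern a fuzzer such as the libfuzzer harness mentioned above would otherwise exercise with crafted images.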