These are some fixes for memory corruptions that can occur on corrupted
or manipulated filesystems. In case you use one of the affected
filesystems in a secure boot chain you should apply these patches.

Normally you shouldn't use a barebox filesystem in a secure boot chain,
but instead use FIT images on a raw partition. We never made this
explicit though. Ahmad has done this recently:

https://lore.kernel.org/barebox/20250217180949.3961860-3-a.fatoum@xxxxxxxxxxxxxx/T/#u

I dug through the U-Boot code and there are a few CVE fixes in the
ext4 code that we'll likely need as well. But even with these applied we
don't consider the barebox filesystems as suitable for secure boot.

For those curious, we consider adding support for dm-verity at some
point. This would allow us to remove the attack surface from the
filesystem implementations and we could also use bootspec rather than
signed FIT images.

Sascha

Sascha Hauer (5):
  CVE-2025-26722: fs: squashfs: Ensure positive inode length
  CVE-2025-26724: fs: cramfs: fix malloc(size + constant) buffer overflow issues
  CVE-2025-26723: fs: ext4: fix malloc(size + constant) buffer overflow issues
  CVE-2025-26725: fs: jffs2: fix malloc(size + constant) buffer overflow issues
  CVE-2025-26721: fs: pstore: fix malloc(size + constant) buffer overflow issues

 fs/cramfs/cramfs.c    | 2 +-
 fs/ext4/ext_barebox.c | 2 +-
 fs/jffs2/malloc.c     | 4 ++--
 fs/jffs2/nodelist.h   | 2 +-
 fs/jffs2/readinode.c  | 2 +-
 fs/pstore/fs.c        | 2 +-
 fs/squashfs/symlink.c | 8 ++++++--
 7 files changed, 13 insertions(+), 9 deletions(-)

-- 
2.39.5