Patch Detail
GET /api/1.1/patches/2229279/?format=api
{ "id": 2229279, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2229279/?format=api", "web_url": "http://patchwork.ozlabs.org/project/uboot/patch/20260428003100.123201-1-dllcoolj@archcloudlabs.com/", "project": { "id": 18, "url": "http://patchwork.ozlabs.org/api/1.1/projects/18/?format=api", "name": "U-Boot", "link_name": "uboot", "list_id": "u-boot.lists.denx.de", "list_email": "u-boot@lists.denx.de", "web_url": null, "scm_url": null, "webscm_url": null }, "msgid": "<20260428003100.123201-1-dllcoolj@archcloudlabs.com>", "date": "2026-04-28T00:31:00", "name": "adding check to prevent overflow in sqfs_find_inode", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "0eb724c566f6b4ba9a453f69ebf6bb0957ee161f", "submitter": { "id": 93259, "url": "http://patchwork.ozlabs.org/api/1.1/people/93259/?format=api", "name": "Jared Stroud", "email": "dllcoolj@archcloudlabs.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/uboot/patch/20260428003100.123201-1-dllcoolj@archcloudlabs.com/mbox/", "series": [ { "id": 501754, "url": "http://patchwork.ozlabs.org/api/1.1/series/501754/?format=api", "web_url": "http://patchwork.ozlabs.org/project/uboot/list/?series=501754", "date": "2026-04-28T00:31:00", "name": "adding check to prevent overflow in sqfs_find_inode", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/501754/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2229279/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2229279/checks/", "tags": {}, "headers": { "Return-Path": "<u-boot-bounces@lists.denx.de>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=archcloudlabs.com header.i=@archcloudlabs.com\n header.a=rsa-sha256 header.s=key1 header.b=AX9jK1MJ;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass 
(sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)", "phobos.denx.de;\n dmarc=pass (p=quarantine dis=none) header.from=archcloudlabs.com", "phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de", "phobos.denx.de;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=archcloudlabs.com header.i=@archcloudlabs.com\n header.b=\"AX9jK1MJ\";\n\tdkim-atps=neutral", "phobos.denx.de; dmarc=pass (p=quarantine dis=none)\n header.from=archcloudlabs.com", "phobos.denx.de;\n spf=pass smtp.mailfrom=dllcoolj@archcloudlabs.com" ], "Received": [ "from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4QXX5b5fz1yHX\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 13:14:52 +1000 (AEST)", "from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id A6478842A2;\n\tTue, 28 Apr 2026 05:14:50 +0200 (CEST)", "by phobos.denx.de (Postfix, from userid 109)\n id 809A48426C; Tue, 28 Apr 2026 05:14:49 +0200 (CEST)", "from out-172.mta1.migadu.com (out-172.mta1.migadu.com\n [95.215.58.172])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 675CB84258\n for <u-boot@lists.denx.de>; Tue, 28 Apr 2026 05:14:47 +0200 (CEST)" ], "X-Spam-Checker-Version": "SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de", "X-Spam-Level": "", "X-Spam-Status": "No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,\n SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2", "X-Report-Abuse": "Please report any abuse attempt to 
abuse@migadu.com and\n include these headers.", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=archcloudlabs.com;\n s=key1; t=1777336307;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:\n content-transfer-encoding:content-transfer-encoding;\n bh=gzWyTQ54ibAMIDGAOoDibXbskSUiC+tw4kNw87MOoCY=;\n b=AX9jK1MJJUSqyJPPxyk4Xd6gxWXs1HKRVlPt9ImT2x2opNs7PJf/leYmxSvRxXeiU7ybvc\n XcBjqvIhC6KmaLL781IFfuRv9sSEVkWsqN4MWnAnFCeZ19USyEHwji3IiL2K01hGdtP756\n 3sTr2pB6i/GhviZceNhjexn3DrADaGxAdn3g7YvQ3HKbpDMe1KuYdwzZnCZUs1w/LLTSzX\n hPSv34sRJ7BJ+2wyNE3dwMPZISXIM8fDMPE9NddfWVKPAThuG+6HASrF3e96GqzcbvYd7l\n 4n0QRCZ85D5U5+w9qyl/aDg/VjE4SXPjM7MCkH0uTuVfQ0ecNrmQOrExumrvLw==", "From": "Jared Stroud <dllcoolj@archcloudlabs.com>", "To": "u-boot@lists.denx.de", "Cc": "joaomarcos.costa@bootlin.com, richard.genoud@bootlin.com,\n thomas.petazzoni@bootlin.com, miquel.raynal@bootlin.com,\n trini@konsulko.com, Jared Stroud <dllcoolj@archcloudlabs.com>", "Subject": "[PATCH] adding check to prevent overflow in sqfs_find_inode", "Date": "Mon, 27 Apr 2026 20:31:00 -0400", "Message-ID": "<20260428003100.123201-1-dllcoolj@archcloudlabs.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-Migadu-Flow": "FLOW_OUT", "X-BeenThere": "u-boot@lists.denx.de", "X-Mailman-Version": "2.1.39", "Precedence": "list", "List-Id": "U-Boot discussion <u-boot.lists.denx.de>", "List-Unsubscribe": "<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>", "List-Archive": "<https://lists.denx.de/pipermail/u-boot/>", "List-Post": "<mailto:u-boot@lists.denx.de>", "List-Help": "<mailto:u-boot-request@lists.denx.de?subject=help>", "List-Subscribe": "<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>", "Errors-To": "u-boot-bounces@lists.denx.de", "Sender": "\"U-Boot\" <u-boot-bounces@lists.denx.de>", "X-Virus-Scanned": "clamav-milter 0.103.8 at 
phobos.denx.de", "X-Virus-Status": "Clean" }, "content": "While fuzzing attributes of the squashfs_reg_inode structure, if the file_size attribute is a large value,\n&base->inode_number within the sqfs_find_inode function will jump to an arbitrary location \nin memory resulting in an invalid memory access and crash.\nThis bug is similar to CVE-2024-57254 in that memory operations are occurring based on inode values. \nI applied a similar fix via the commit c8e929e5758999933f9e905049ef2bf3fe6b140d.\n\nPrior to the fix, the bug was triggered via the following commands from\nthe U-Boot shell:\n\n```\n=> host bind 0 random3.sqfs\n=> ls host 0 /\nAddressSanitizer:DEADLYSIGNAL\n=================================================================\n==122741==ERROR: AddressSanitizer: SEGV on unknown address 0x0000670e4716 (pc 0x55a504b86ea6 bp 0x000019af1280 sp 0x7fff04b3b740 T0)\n==122741==The signal is caused by a READ memory access.\n #0 0x55a504b86ea6 in sqfs_find_inode fs/squashfs/sqfs_inode.c:131\n #1 0x55a504b7f17e in sqfs_search_dir fs/squashfs/sqfs.c:489\n #2 0x55a504b80ffb in sqfs_opendir_nest fs/squashfs/sqfs.c:977\n #3 0x55a504b426e9 in fs_opendir fs/fs.c:669\n #4 0x55a504b42a6d in fs_ls_generic fs/fs.c:66\n #5 0x55a504b42dc8 in fs_ls fs/fs.c:537\n #6 0x55a504b42dc8 in do_ls fs/fs.c:881\n #7 0x55a504b42dc8 in do_ls.isra.0 fs/fs.c:870\n #8 0x55a504a0eb40 in cmd_call common/command.c:582\n #9 0x55a504a0eb40 in cmd_process common/command.c:637\n #10 0x55a5049f00c4 in run_pipe_real common/cli_hush.c:1672\n #11 0x55a5049f00c4 in run_list_real common/cli_hush.c:1868\n #12 0x55a5049f0800 in run_list common/cli_hush.c:2017\n #13 0x55a5049f0800 in parse_stream_outer common/cli_hush.c:3207\n #14 0x55a50492efcc in parse_file_outer common/cli_hush.c:3299\n #15 0x55a50492efcc in cli_loop common/cli.c:306\n #16 0x55a50492efcc in main_loop common/main.c:86\n #17 0x55a50492efcc in run_main_loop common/board_r.c:584\n #18 0x55a50492efcc in initcall_run_r common/board_r.c:776\n 
#19 0x55a50492efcc in board_init_r common/board_r.c:806\n #20 0x55a50492efcc in sandbox_main arch/sandbox/cpu/start.c:584\n #21 0x7f60aa6276c0 (/usr/lib/libc.so.6+0x276c0) (BuildId: ca0db5ab57a36507d61bbcf4988d344974331f19)\n #22 0x7f60aa6277f8 in __libc_start_main (/usr/lib/libc.so.6+0x277f8) (BuildId: ca0db5ab57a36507d61bbcf4988d344974331f19)\n #23 0x55a50491e414 in _start (/usr/src/u-boot/u-boot+0x285414) (BuildId: 964ae5120238bc46d7af63402fa25331ca86b3b4)\n\n==122741==Register values:\nrax = 0x00000000670e470a rbx = 0x000055a504ef7100 rcx = 0x0000000000020000 rdx = 0x0000000000000000 \nrdi = 0x0000000000006fd5 rsi = 0x0000000000007abd rbp = 0x0000000019af1280 rsp = 0x00007fff04b3b740 \n r8 = 0x000000004d5f348a r9 = 0x00000000670e4716 r10 = 0x0000000000000501 r11 = 0x0000000000000001 \nr12 = 0x0000000000000002 r13 = 0x0000000000000001 r14 = 0x00000000199caa00 r15 = 0x0000000000000001 \nAddressSanitizer can not provide additional info.\nSUMMARY: AddressSanitizer: SEGV fs/squashfs/sqfs_inode.c:131 in sqfs_find_inode\n```\n\n\nPost-patch, the following behavior is observed:\n=> host bind 0 random3.sqfs\n=> ls host 0 /\nError while searching inode: unknown type.\n\n\nSigned-off-by: Jared Stroud <dllcoolj@archcloudlabs.com>\n---\n fs/squashfs/sqfs_inode.c | 3 +++\n 1 file changed, 3 insertions(+)", "diff": "diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c\nindex ce9a8ff8e2a..d2efc07c78e 100644\n--- a/fs/squashfs/sqfs_inode.c\n+++ b/fs/squashfs/sqfs_inode.c\n@@ -135,6 +135,9 @@ void *sqfs_find_inode(void *inode_table, int inode_number, __le32 inode_count,\n \t\tif (sz < 0)\n \t\t\treturn NULL;\n \n+\t\tif (__builtin_add_overflow(offset, sz, &offset))\n+\t\t\treturn NULL;\n+\n \t\toffset += sz;\n \t}\n \n", "prefixes": [] }
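Review bot: in the sqfs_find_inode hunk, `__builtin_add_overflow(offset, sz, &offset)` already stores `offset + sz` into `offset` when the addition does not overflow, and the unchanged `offset += sz;` that follows then adds `sz` a second time, so each loop iteration advances by twice the inode size and the second addition is unchecked. Either drop the `offset += sz;` line, or compute the sum into a temporary and assign it to `offset` after the check. With the stride doubled, the "unknown type" result shown in the commit message should be re-tested after that correction to confirm it comes from the new check, and a valid image should be listed as well to confirm the inode walk still finds its target. Separately, this check only catches wrap-around of `offset`: the visible signature takes `inode_table`, `inode_number` and `inode_count` but no table length, so an `sz` derived from a corrupt inode can still step past the end of the table without overflowing. A bound on `offset` against the inode table size would address the reported out-of-bounds read more directly.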