{"id":2229279,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2229279/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/patch/20260428003100.123201-1-dllcoolj@archcloudlabs.com/","project":{"id":18,"url":"http://patchwork.ozlabs.org/api/1.1/projects/18/?format=json","name":"U-Boot","link_name":"uboot","list_id":"u-boot.lists.denx.de","list_email":"u-boot@lists.denx.de","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260428003100.123201-1-dllcoolj@archcloudlabs.com>","date":"2026-04-28T00:31:00","name":"adding check to prevent overflow in sqfs_find_inode","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"0eb724c566f6b4ba9a453f69ebf6bb0957ee161f","submitter":{"id":93259,"url":"http://patchwork.ozlabs.org/api/1.1/people/93259/?format=json","name":"Jared Stroud","email":"dllcoolj@archcloudlabs.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/uboot/patch/20260428003100.123201-1-dllcoolj@archcloudlabs.com/mbox/","series":[{"id":501754,"url":"http://patchwork.ozlabs.org/api/1.1/series/501754/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/list/?series=501754","date":"2026-04-28T00:31:00","name":"adding check to prevent overflow in sqfs_find_inode","version":1,"mbox":"http://patchwork.ozlabs.org/series/501754/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2229279/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2229279/checks/","tags":{},"headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=archcloudlabs.com header.i=@archcloudlabs.com\n header.a=rsa-sha256 header.s=key1 header.b=AX9jK1MJ;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n 
(client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=quarantine dis=none) header.from=archcloudlabs.com","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=archcloudlabs.com header.i=@archcloudlabs.com\n header.b=\"AX9jK1MJ\";\n\tdkim-atps=neutral","phobos.denx.de; dmarc=pass (p=quarantine dis=none)\n header.from=archcloudlabs.com","phobos.denx.de;\n spf=pass smtp.mailfrom=dllcoolj@archcloudlabs.com"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4QXX5b5fz1yHX\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 13:14:52 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id A6478842A2;\n\tTue, 28 Apr 2026 05:14:50 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 809A48426C; Tue, 28 Apr 2026 05:14:49 +0200 (CEST)","from out-172.mta1.migadu.com (out-172.mta1.migadu.com\n [95.215.58.172])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 675CB84258\n for <u-boot@lists.denx.de>; Tue, 28 Apr 2026 05:14:47 +0200 (CEST)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,\n SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2","X-Report-Abuse":"Please report any abuse attempt to abuse@migadu.com and\n include these headers.","DKIM-Signature":"v=1; 
a=rsa-sha256; c=relaxed/relaxed; d=archcloudlabs.com;\n s=key1; t=1777336307;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:\n content-transfer-encoding:content-transfer-encoding;\n bh=gzWyTQ54ibAMIDGAOoDibXbskSUiC+tw4kNw87MOoCY=;\n b=AX9jK1MJJUSqyJPPxyk4Xd6gxWXs1HKRVlPt9ImT2x2opNs7PJf/leYmxSvRxXeiU7ybvc\n XcBjqvIhC6KmaLL781IFfuRv9sSEVkWsqN4MWnAnFCeZ19USyEHwji3IiL2K01hGdtP756\n 3sTr2pB6i/GhviZceNhjexn3DrADaGxAdn3g7YvQ3HKbpDMe1KuYdwzZnCZUs1w/LLTSzX\n hPSv34sRJ7BJ+2wyNE3dwMPZISXIM8fDMPE9NddfWVKPAThuG+6HASrF3e96GqzcbvYd7l\n 4n0QRCZ85D5U5+w9qyl/aDg/VjE4SXPjM7MCkH0uTuVfQ0ecNrmQOrExumrvLw==","From":"Jared Stroud <dllcoolj@archcloudlabs.com>","To":"u-boot@lists.denx.de","Cc":"joaomarcos.costa@bootlin.com, richard.genoud@bootlin.com,\n thomas.petazzoni@bootlin.com, miquel.raynal@bootlin.com,\n trini@konsulko.com, Jared Stroud <dllcoolj@archcloudlabs.com>","Subject":"[PATCH] adding check to prevent overflow in sqfs_find_inode","Date":"Mon, 27 Apr 2026 20:31:00 -0400","Message-ID":"<20260428003100.123201-1-dllcoolj@archcloudlabs.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Migadu-Flow":"FLOW_OUT","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"},"content":"While fuzzing attributes of the squashfs_reg_inode structure, if the 
file_size attribute is a large value,\n&base->inode_number within the sqfs_find_inode function will jump to an arbitrary location\nin memory resulting in an invalid memory access and crash.\nThis bug is similar to CVE-2024-57254 in that memory operations are occurring based on inode values.\nI applied a similar fix via the commit c8e929e5758999933f9e905049ef2bf3fe6b140d.\n\nPrior to the fix, the bug was triggered via the following commands from\nthe U-Boot shell:\n\n```\n=> host bind 0 random3.sqfs\n=> ls host 0 /\nAddressSanitizer:DEADLYSIGNAL\n=================================================================\n==122741==ERROR: AddressSanitizer: SEGV on unknown address 0x0000670e4716 (pc 0x55a504b86ea6 bp 0x000019af1280 sp 0x7fff04b3b740 T0)\n==122741==The signal is caused by a READ memory access.\n    #0 0x55a504b86ea6 in sqfs_find_inode fs/squashfs/sqfs_inode.c:131\n    #1 0x55a504b7f17e in sqfs_search_dir fs/squashfs/sqfs.c:489\n    #2 0x55a504b80ffb in sqfs_opendir_nest fs/squashfs/sqfs.c:977\n    #3 0x55a504b426e9 in fs_opendir fs/fs.c:669\n    #4 0x55a504b42a6d in fs_ls_generic fs/fs.c:66\n    #5 0x55a504b42dc8 in fs_ls fs/fs.c:537\n    #6 0x55a504b42dc8 in do_ls fs/fs.c:881\n    #7 0x55a504b42dc8 in do_ls.isra.0 fs/fs.c:870\n    #8 0x55a504a0eb40 in cmd_call common/command.c:582\n    #9 0x55a504a0eb40 in cmd_process common/command.c:637\n    #10 0x55a5049f00c4 in run_pipe_real common/cli_hush.c:1672\n    #11 0x55a5049f00c4 in run_list_real common/cli_hush.c:1868\n    #12 0x55a5049f0800 in run_list common/cli_hush.c:2017\n    #13 0x55a5049f0800 in parse_stream_outer common/cli_hush.c:3207\n    #14 0x55a50492efcc in parse_file_outer common/cli_hush.c:3299\n    #15 0x55a50492efcc in cli_loop common/cli.c:306\n    #16 0x55a50492efcc in main_loop common/main.c:86\n    #17 0x55a50492efcc in run_main_loop common/board_r.c:584\n    #18 0x55a50492efcc in initcall_run_r common/board_r.c:776\n    #19 0x55a50492efcc in 
board_init_r common/board_r.c:806\n    #20 0x55a50492efcc in sandbox_main arch/sandbox/cpu/start.c:584\n    #21 0x7f60aa6276c0  (/usr/lib/libc.so.6+0x276c0) (BuildId: ca0db5ab57a36507d61bbcf4988d344974331f19)\n    #22 0x7f60aa6277f8 in __libc_start_main (/usr/lib/libc.so.6+0x277f8) (BuildId: ca0db5ab57a36507d61bbcf4988d344974331f19)\n    #23 0x55a50491e414 in _start (/usr/src/u-boot/u-boot+0x285414) (BuildId: 964ae5120238bc46d7af63402fa25331ca86b3b4)\n\n==122741==Register values:\nrax = 0x00000000670e470a  rbx = 0x000055a504ef7100  rcx = 0x0000000000020000  rdx = 0x0000000000000000  \nrdi = 0x0000000000006fd5  rsi = 0x0000000000007abd  rbp = 0x0000000019af1280  rsp = 0x00007fff04b3b740  \n r8 = 0x000000004d5f348a   r9 = 0x00000000670e4716  r10 = 0x0000000000000501  r11 = 0x0000000000000001  \nr12 = 0x0000000000000002  r13 = 0x0000000000000001  r14 = 0x00000000199caa00  r15 = 0x0000000000000001  \nAddressSanitizer can not provide additional info.\nSUMMARY: AddressSanitizer: SEGV fs/squashfs/sqfs_inode.c:131 in sqfs_find_inode\n```\n\n\nPost-patch, the following behavior is observed:\n=> host bind 0 random3.sqfs\n=> ls host 0 /\nError while searching inode: unknown type.\n\n\nSigned-off-by: Jared Stroud <dllcoolj@archcloudlabs.com>\n---\n fs/squashfs/sqfs_inode.c | 3 +++\n 1 file changed, 3 insertions(+)","diff":"diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c\nindex ce9a8ff8e2a..d2efc07c78e 100644\n--- a/fs/squashfs/sqfs_inode.c\n+++ b/fs/squashfs/sqfs_inode.c\n@@ -135,6 +135,9 @@ void *sqfs_find_inode(void *inode_table, int inode_number, __le32 inode_count,\n \t\tif (sz < 0)\n \t\t\treturn NULL;\n \n+\t\tif (__builtin_add_overflow(offset, sz, &offset))\n+\t\t\treturn NULL;\n+\n \t\toffset += sz;\n \t}\n \n","prefixes":[]}
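Review bot: the unchanged `offset += sz;` right after the new check now adds `sz` a second time, because `__builtin_add_overflow(offset, sz, &offset)` already stores the sum in `offset` whenever it does not overflow, so each loop iteration advances by twice the inode size. Either remove the trailing `offset += sz;` in this hunk or write the builtin's result to a temporary and assign it to `offset` once. The check also only catches integer wraparound of `offset`; the commit message describes a read from `&base->inode_number` at an arbitrary address, so comparing `offset` against the size of the inode table, if that size is available to this function, would address the reported access more directly. A one-line comment above the check stating which malformed input it rejects would help later readers.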