poky/meta/recipes-devtools/erofs-utils/files/0002-erofs-utils-fsck-block-insane-long-paths-when-extrac.patch - openbmc/openbmc - Gitiles

 From 6cebfbb79b1d5d8feb48801e1008eea5bfa8b599 Mon Sep 17 00:00:00 2001
 From: Gao Xiang <hsiangkao@linux.alibaba.com>
 Date: Fri, 2 Jun 2023 13:52:56 +0800
 Subject: [PATCH 2/2] erofs-utils: fsck: block insane long paths when
  extracting images

 Since some crafted EROFS filesystem images could have insane deep
 hierarchy (or may form directory loops) which triggers the
 PATH_MAX-sized path buffer OR stack overflow.

 Actually some crafted images cannot be deemed as real corrupted
 images but over-PATH_MAX paths are not something that we'd like to
 support for now.

 CVE: CVE-2023-33551
 Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-33551
 Reported-by: Chaoming Yang <lometsj@live.com>
 Fixes: f44043561491 ("erofs-utils: introduce fsck.erofs")
 Fixes: b11f84f593f9 ("erofs-utils: fsck: convert to use erofs_iterate_dir()")
 Fixes: 412c8f908132 ("erofs-utils: fsck: add --extract=X support to extract to path X")
 Signeo-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
 Link: https://lore.kernel.org/r/20230602055256.18061-1-hsiangkao@linux.alibaba.com

 Upstream-Status: Backport
 Signed-off-by: Ross Burton <ross.burton@arm.com>
 ---
  fsck/main.c | 23 +++++++++++++++--------
  1 file changed, 15 insertions(+), 8 deletions(-)

 diff --git a/fsck/main.c b/fsck/main.c
 index 6689ad8..28d95ec 100644
 --- a/fsck/main.c
 +++ b/fsck/main.c
 @@ -680,28 +680,35 @@ again:
  static int erofsfsck_dirent_iter(struct erofs_dir_context *ctx)
  {
  	int ret;
 -	size_t prev_pos = fsckcfg.extract_pos;
 +	size_t prev_pos, curr_pos;

  	if (ctx->dot_dotdot)
  		return 0;

 -	if (fsckcfg.extract_path) {
 -		size_t curr_pos = prev_pos;
 +	prev_pos = fsckcfg.extract_pos;
 +	curr_pos = prev_pos;
 +
 +	if (prev_pos + ctx->de_namelen >= PATH_MAX) {
 +		erofs_err("unable to fsck since the path is too long (%u)",
 +			  curr_pos + ctx->de_namelen);
 +		return -EOPNOTSUPP;
 +	}

 +	if (fsckcfg.extract_path) {
  		fsckcfg.extract_path[curr_pos++] = '/';
  		strncpy(fsckcfg.extract_path + curr_pos, ctx->dname,
  			ctx->de_namelen);
  		curr_pos += ctx->de_namelen;
  		fsckcfg.extract_path[curr_pos] = '\0';
 -		fsckcfg.extract_pos = curr_pos;
 +	} else {
 +		curr_pos += ctx->de_namelen;
  	}
 -
 +	fsckcfg.extract_pos = curr_pos;
  	ret = erofsfsck_check_inode(ctx->dir->nid, ctx->de_nid);

 -	if (fsckcfg.extract_path) {
 +	if (fsckcfg.extract_path)
  		fsckcfg.extract_path[prev_pos] = '\0';
 -		fsckcfg.extract_pos = prev_pos;
 -	}
 +	fsckcfg.extract_pos = prev_pos;
  	return ret;
  }

 --
 2.34.1
	From 6cebfbb79b1d5d8feb48801e1008eea5bfa8b599 Mon Sep 17 00:00:00 2001
	From: Gao Xiang <hsiangkao@linux.alibaba.com>
	Date: Fri, 2 Jun 2023 13:52:56 +0800
	Subject: [PATCH 2/2] erofs-utils: fsck: block insane long paths when
	extracting images

	Since some crafted EROFS filesystem images could have insane deep
	hierarchy (or may form directory loops) which triggers the
	PATH_MAX-sized path buffer OR stack overflow.

	Actually some crafted images cannot be deemed as real corrupted
	images but over-PATH_MAX paths are not something that we'd like to
	support for now.

	CVE: CVE-2023-33551
	Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-33551
	Reported-by: Chaoming Yang <lometsj@live.com>
	Fixes: f44043561491 ("erofs-utils: introduce fsck.erofs")
	Fixes: b11f84f593f9 ("erofs-utils: fsck: convert to use erofs_iterate_dir()")
	Fixes: 412c8f908132 ("erofs-utils: fsck: add --extract=X support to extract to path X")
	Signeo-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
	Link: https://lore.kernel.org/r/20230602055256.18061-1-hsiangkao@linux.alibaba.com

	Upstream-Status: Backport
	Signed-off-by: Ross Burton <ross.burton@arm.com>
	---
	fsck/main.c \| 23 +++++++++++++++--------
	1 file changed, 15 insertions(+), 8 deletions(-)

	diff --git a/fsck/main.c b/fsck/main.c
	index 6689ad8..28d95ec 100644
	--- a/fsck/main.c
	+++ b/fsck/main.c
	@@ -680,28 +680,35 @@ again:
	static int erofsfsck_dirent_iter(struct erofs_dir_context *ctx)
	{
	int ret;
	- size_t prev_pos = fsckcfg.extract_pos;
	+ size_t prev_pos, curr_pos;

	if (ctx->dot_dotdot)
	return 0;

	- if (fsckcfg.extract_path) {
	- size_t curr_pos = prev_pos;
	+ prev_pos = fsckcfg.extract_pos;
	+ curr_pos = prev_pos;
	+
	+ if (prev_pos + ctx->de_namelen >= PATH_MAX) {
	+ erofs_err("unable to fsck since the path is too long (%u)",
	+ curr_pos + ctx->de_namelen);
	+ return -EOPNOTSUPP;
	+ }

	+ if (fsckcfg.extract_path) {
	fsckcfg.extract_path[curr_pos++] = '/';
	strncpy(fsckcfg.extract_path + curr_pos, ctx->dname,
	ctx->de_namelen);
	curr_pos += ctx->de_namelen;
	fsckcfg.extract_path[curr_pos] = '\0';
	- fsckcfg.extract_pos = curr_pos;
	+ } else {
	+ curr_pos += ctx->de_namelen;
	}
	-
	+ fsckcfg.extract_pos = curr_pos;
	ret = erofsfsck_check_inode(ctx->dir->nid, ctx->de_nid);

	- if (fsckcfg.extract_path) {
	+ if (fsckcfg.extract_path)
	fsckcfg.extract_path[prev_pos] = '\0';
	- fsckcfg.extract_pos = prev_pos;
	- }
	+ fsckcfg.extract_pos = prev_pos;
	return ret;
	}

	--
	2.34.1