| Age | Commit message (Collapse) | Author |
|---|
|
sqfs_frag_lookup() reads a 16-bit metadata block header whose lower
15 bits encode the data size. Unlike sqfs_read_metablock() in
sqfs_inode.c, this function does not validate that the decoded size is
within SQFS_METADATA_BLOCK_SIZE (8192). A malformed SquashFS image can
set the size field to any value up to 32767, causing memcpy to write
past the 8192-byte 'entries' heap buffer.
Add the same bounds check used by sqfs_read_metablock(): reject any
metadata block header with SQFS_METADATA_SIZE(header) exceeding
SQFS_METADATA_BLOCK_SIZE.
Found by fuzzing with libFuzzer + AddressSanitizer.
Signed-off-by: Eric Kilmer <eric.kilmer@trailofbits.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
|
|
This series from Timo tp Preißl <t.preissl@proton.me> fixes some
(potential) interger overflows in some filesystems by using
__builtin_XXX_overflow helps to catch issues.
Link: https://lore.kernel.org/r/20260109112428.262793-1-t.preissl@proton.me
|
|
An integer overflow in gdsize_total calculation could lead
to under-allocation and heap buffer overflow.
Signed-off-by: Timo tp Preißl <t.preissl@proton.me>
Reviewed-by: Simon Glass <simon.glass@canonical.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
|
|
An integer overflow in length calculation could lead to
under-allocation and buffer overcopy.
Signed-off-by: Timo tp Preißl <t.preissl@proton.me>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <simon.glass@canonical.com>
Reviewed-by: João Marcos Costa <joaomarcos.costa@bootlin.com>
|
|
An integer overflow in nvlist size calculation could lead
to under-allocation and heap buffer overflow.
Signed-off-by: Timo tp Preißl <t.preissl@proton.me>
Reviewed-by: Simon Glass <simon.glass@canonical.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
|
|
An integer overflow in size calculations could lead to
under-allocation and potential heap buffer overflow.
Signed-off-by: Timo tp Preißl <t.preissl@proton.me>
Reviewed-by: Simon Glass <simon.glass@canonical.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
|
|
If zalloc fails, one needs to free memory previously
allocated in the function. This commit makes sure that
we do not leak any memory.
Signed-off-by: Francois Berder <fberder@outlook.fr>
Fixes: ed34f34dbaf2 ("ext4fs write support")
Acked-by: Quentin Schulz <quentin.schulz@cherry.de>
|
|
https://source.denx.de/u-boot/custodians/u-boot-socfpga into next
This pull request brings together a set of fixes and enhancements across
the SoCFPGA platform family, with a focus on MMC/SPL robustness, EFI
boot enablement, and Agilex5 SD/eMMC support.
CI: https://source.denx.de/u-boot/custodians/u-boot-socfpga/-/pipelines/28776
Highlights:
*
SPL / MMC:
o
Fix Kconfig handling for
SYS_MMCSD_RAW_MODE_U_BOOT_USE_PARTITION_TYPE
o
Correct raw sector calculations and respect explicit sector values
when loading U-Boot from MMC in SPL
o
Adjust raw MMC loading logic for SoCFPGA platforms
*
EFI boot:
o
Permit EFI booting on SoCFPGA platforms
o
Disable mkeficapsule tool build for Arria 10 where unsupported
*
Agilex5:
o
Upgrade SDHCI controller from SD4HC to SD6HC
o
Enable MMC and Cadence SDHCI support in defconfig
o
Add dedicated eMMC device tree and defconfig for Agilex5 SoCDK
o
Revert incorrect GPIO configuration for SDIO_SEL
o
Refine U-Boot DT handling for SD and eMMC boot variants
*
SPI:
o
Allow disabling the DesignWare SPI driver in SPL via Kconfig
*
Board / configuration fixes:
o
Enable random MAC address generation for Cyclone V
o
Fix DE0-Nano-SoC boot configuration
o
Remove obsolete or conflicting options from multiple legacy
SoCFPGA defconfigs
|
|
We do not perform a check on the value of getsize in get_fatent to
ensure that it will fit within the allocated buffer. For safety sake,
add a check now and if the value exceeds FATBUFBLOCKS use that value
instead. While not currently actively exploitable, it was in the past so
adding this check is worthwhile.
This addresses CVE-2025-24857 and was originally reported by Harvey
Phillips of Amazon Element55.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
Building this code on 64bit platforms leads to warnings (and so errors
in CI). Rather than rework the code, as this is a deprecated filesystem,
don't try and disallow building on 64bit hosts.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
If realloc failed, raw was not freed and thus memory
was leaked.
Signed-off-by: Francois Berder <fberder@outlook.fr>
|
|
After calling a function that can return an error, the test to detect
that error should use the return value not a different variable. Fix it.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Reviewed-by: Sean Anderson <sean.anderson@seco.com>
Fixes: f676b45151c3 ("fs: Add semihosting filesystem")
|
|
Testing an unsigned variable to be >= 0 will always be true so remove
this redundant test.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
|
|
Returning immediately from sqfs_read_nest is not consistent with other
error checks in this function and can lead to memory leaks. Instead use
the unwind goto used elsewhere to ensure that the memory is freed.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Acked-by: Quentin Schulz <quentin.schulz@cherry.de>
Reviewed-by: Joao Marcos Costa <joaomarcos.costa@bootlin.com>
|
|
When adding filesystems to the table in fs/fs.c we need to use
CONFIG_IS_ENABLED(FS_xxx) so that we only include references to a given
filesystem when CONFIG_FS_xxx or CONFIG_SPL_FS_xxx or similar are
enabled. Update the filesystems which weren't doing this to follow that
pattern.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
Add a null check for 'file' before dereferencing it and also rework the
error handling to be a bit more sane.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
|
|
The return value from alloc_super can be an error pointer so the error
check needs to detect this as well as checking the pointer for being
NULL.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
|
|
Returning directly after buf has been allocated will result in a memory
leak. Instead set the error code and goto the common unwind code to
ensure that buf will be freed before returning.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
|
|
Add maximum ext4 journal entries to Kconfig. It is necessary since the
number of journal entries is proportional to disk capacity. For example,
an ext4 4TB HDD partition could require approximately 500 entries.
Signed-off-by: Tony Dinh <mibodhi@gmail.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
|
|
Don't invoke ext4fs_deinit() in ext4fs_write() if the failure occurs
during initialization. It would result in a crash since ext4fs_init()
has already done that.
Signed-off-by: Tony Dinh <mibodhi@gmail.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
|
|
Smatch reported a possible buffer overflow in exfat_set_label but it
turns out that this code is unused so just guard the function with
'#ifndef __UBOOT__' as well as exfat_get_label that is also unused and
the helper static find_label.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
|
|
Andrew Goodbody <andrew.goodbody@linaro.org> says:
Smatch reported issues with variables being dereferenced before NULL
checks and also testing an unsigned variable for being negative.
Link: https://lore.kernel.org/r/20250707-exfat_fix-v1-0-e5783978cd11@linaro.org
|
|
In exfat_generic_pread and exfat_generic_pwrite offset is passed in as a
off_t type which is defined as 'unsigned long long' so there is no need
to create the variable uoffset as a uint64_t as this is just a direct
copy of offset. Also remove the impossible test of 'offset < 0' as this
is always false due to offset being unsigned.
This issue found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
|
|
In the functions exfat_pread and exfat_pwrite there is a NULL check for
ctxt.cur_dev but this has already been derefenced twice before this
happens.
Refactor the code a bit to put the NULL check first.
This issue found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
|
|
multi is guaranteed to be NULL in the first two error exit paths so the
attempt to free it is not needed. Remove those calls.
This issue found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
|
|
The assignments to sect and off use the pointer from ctxt.cur_dev but
that has not been NULL checked before this is done. So instead move the
assignments after the NULL check.
This issue found by Smatch
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Reviewed-by: Gao Xiang <xiang@kernel.org>
|
|
Andrew Goodbody <andrew.goodbody@linaro.org> says:
Smatch reported some issues in the ext4fs code. This includes a
suggestion to use an unwind goto, to not negate a return value and to
ensure that a NULL check happens before the pointer is dereferenced.
Link: https://lore.kernel.org/r/20250704-ext4fs_fix-v1-0-5c6acf4bf839@linaro.org
|
|
In the function put_ext4 there is a NULL check for fs->dev_desc but this
has already been derefenced twice before this happens. Refactor the code
a bit to put the NULL check first.
This issue found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
|
|
Ensure that allocated memory is freed on error exit replace the direct
return calls with 'goto fail'.
This issue found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
|
|
In ext4fs_readdir it calls ext4fs_read_file and checks the return value
for non-zero to detect an error. This return value should be returned as
is rather than being negated.
This issue found by Smatch
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
|
|
Return ENOMEM in ext4fs_log_gdt when number of blocks per gdt is more than
number of allocated journal entries.
Signed-off-by: Tony Dinh <mibodhi@gmail.com>
|
|
There currently are multiple allocation API's in the LMB module. There
are a couple of API's for allocating memory(lmb_alloc() and
lmb_alloc_base()), and then there are two for requesting a reservation
for a particular memory region (lmb_reserve() and
lmb_alloc_addr()). Introduce a single API lmb_alloc_mem() which will
cater to all types of allocation requests and replace lmb_reserve()
and lmb_alloc_addr() with the new API.
Moreover, the lmb_reserve() API is pretty similar to the
lmb_alloc_addr() API, with the one difference being that the
lmb_reserve() API allows for reserving any address passed to it --
the address need not be part of the LMB memory map. The
lmb_alloc_addr() does check that the address being requested is
actually part of the LMB memory map.
There is no need to support reserving memory regions which are outside
the LMB memory map. Remove the lmb_reserve() API functionality and use
the functionality provided by lmb_alloc_addr() instead. The
lmb_alloc_addr() will check if the requested address is part of the
LMB memory map and return an error if not.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
|
|
Use lbaint_t for blknr to avoid overflow in ext4fs_read_file().
Background:
blknr (block number) used in ext4fs_read_file() could be increased to a
very large value and causes a wrap around at 32 bit signed integer max,
thus becomes negative. This results in an out-of-normal range for sector
number (during the assignment delayed_start = blknr) where delayed_start
sector is typed uint64 lbaint_t. This causes the "Read outside partition"
error.
Looks like we also have this overflown problem in ext4_write.c that needs
to be addressed.
This patch was tested on the Synology DS116 (Armada 385) board, and a
4TB Seagate HDD.
Signed-off-by: Tony Dinh <mibodhi@gmail.com>
|
|
Prepare v2025.07-rc4
|
|
The issue here is that the function read_allocated_block() will report
problems via a negative return value. If we say the return value is
stored in an lbaint_t that can no longer happen (and Coverity discovered
this by reporting a no effect comparison and then dead code). The
problem being fixed by allowing for storing a larger block number will
have to be solved in some other manner.
This reverts commit df2ed552f0b05591090369a7fe7ddc92439dea5c.
Addresses-Coverity-ID: 131183
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
Prepare v2025.07-rc3
|
|
Use lbaint_t for blknr to avoid overflow in ext4fs_read_file().
Background:
blknr (block number) used in ext4fs_read_file() could be increased to a
very large value and causes a wrap around at 32 bit signed integer max,
thus becomes negative. This results in an out-of-normal range for sector
number (during the assignment delayed_start = blknr) where delayed_start
sector is typed uint64 lbaint_t. This causes the "Read outside partition"
error.
This patch was tested on the Synology DS116 (Armada 385) board, and a
4TB Seagate HDD.
Signed-off-by: Tony Dinh <mibodhi@gmail.com>
|
|
Log the error if fs_devread() fails when trying to reading outside
partition. This will make bug reporting easier.
Signed-off-by: Tony Dinh <mibodhi@gmail.com>
|
|
CRC16 is used in ext4_common.c. Build fails without it.
PS:
This is my first patch sent to a mailing list.
If there is anything wrong with it (email format, whitespace, etc.)
please let me know.
Signed-off-by: Marius Dinu <m95d+git@psihoexpert.ro>
|
|
This file references rtc functions and implicitly includes <rtc.h>
today. Add this explicitly.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
This file references rtc functions and implicitly includes <rtc.h>
today. Add this explicitly.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
Make sure unused exfat_humanize_bytes() and exfat_print_info()
functions are not compiled into U-Boot code base. This also removes
CID 550300: Integer handling issues (INTEGER_OVERFLOW)
in exfat_humanize_bytes() , which is now surely unreachable.
Signed-off-by: Marek Vasut <marex@denx.de>
|
|
In case the filename is too long, longer than PATH_MAX - 1, it
would overflow dirs->dirname array. Add missing check and also
use strncpy() to prevent the overflow in any case.
Fixes CID 550305: Security best practices violations (STRING_OVERFLOW)
Signed-off-by: Marek Vasut <marex@denx.de>
|
|
* Use calloc() to allocate token_list. This avoids an illegal free if
sqfs_tokenize() fails.
* Do not iterate over token_list if it has not been allocated.
Addresses-Coverity-ID: 510453: Null pointer dereferences (FORWARD_NULL)
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Joao Marcos Costa <joaomarcos.costa@bootlin.com>
Reviewed-by: Joao Marcos Costa <jmcosta944@gmail.com>
|
|
Implement exfat_fs_rename() to rename or move files. This is used
by the 'mv' generic FS interface command. The rename implementation
for other filesystems was added recently and was not part of exfat
porting layer due to merge issue, which made 'mv' command crash,
fix this by adding the missing implementation.
Fixes: b86a651b646c ("fs: exfat: Add U-Boot porting layer")
Signed-off-by: Marek Vasut <marex@denx.de>
|
|
The exfat_fs_exists() should return 0 in case the path does not exist,
and 1 in case the path does exist. Fix the inverted return value. This
fixes 'test -e' command with exfat.
Fixes: b86a651b646c ("fs: exfat: Add U-Boot porting layer")
Signed-off-by: Marek Vasut <marex@denx.de>
|
|
The exfat_fs_readdir() depends on state created in exfat_fs_opendir(),
but that state may be disrupted by fs_close() called by the FS layer
in fs_opendir(), because exfat porting layer unmounts the filesystem
in ->close() callback.
To avoid this disruption, avoid creating state in exfat_fs_opendir(),
cache only the directory name to list there, and rework exfat_fs_readdir()
to work in a similar way to exfat_fs_ls(). That is, make exfat_fs_readdir()
open the directory, look up specific entry, extract its properties to be
reported to FS layer, and close the directory. This is slow, but avoids
the disruption. The slowness does not affect regular 'ls' command, which
uses exfat_fs_ls() fast path.
Fixes: b86a651b646c ("fs: exfat: Add U-Boot porting layer")
Signed-off-by: Marek Vasut <marex@denx.de>
|
|
Write into a bogus file, like '/.', triggers an "impossible"
print from the exfat core code. That should not be printed
in U-Boot, because U-Boot prints its own error message sooner.
Inhibit this error message.
The following command triggers the bogus print:
"
=> save host 0:0 1000008 /. 0x10
"
Fixes: b86a651b646c ("fs: exfat: Add U-Boot porting layer")
Signed-off-by: Marek Vasut <marex@denx.de>
|
|
Make sure the node is never dirty before being released, flush
the node first using exfat_flush_node() and only then release
the node using exfat_put_node(). This now matches the behavior
of exfat_fs_write() too.
Fixes: b86a651b646c ("fs: exfat: Add U-Boot porting layer")
Signed-off-by: Marek Vasut <marex@denx.de>
|
|
Tom Rini <trini@konsulko.com> says:
This series switches to always using $(PHASE_) in Makefiles when
building rather than $(PHASE_) or $(XPL_). It also starts on documenting
this part of the build, but as a follow-up we need to rename
doc/develop/spl.rst and expand on explaining things a bit.
Link: https://lore.kernel.org/r/20250401225851.1125678-1-trini@konsulko.com
|
