Published: 2022/07/12  Last Updated: 2022/07/20

JVNVU#97846460
U-Boot squashfs filesystem implementation vulnerable to heap-based buffer overflow

Overview

The squashfs filesystem implementation of U-Boot contains a heap-based buffer overflow vulnerability.

Products Affected

  • U-Boot versions from v2020.10-rc2 to v2022.07-rc5

Description

U-Boot is a boot loader for multiple platforms. Its squashfs filesystem feature has been provided since v2020.10-rc2 (commit c5100613). The squashfs filesystem implementation of U-Boot contains a heap-based buffer overflow vulnerability (CWE-122) due to a defect in the metadata reading process.

Impact

Loading a specially crafted squashfs image may lead to a denial-of-service (DoS) condition or arbitrary code execution.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.
The developer has included the fix in U-Boot v2022.07-rc6.
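
The following Python check is an added example, not part of the advisory or of U-Boot's code. It classifies U-Boot version strings, and banners found in raw firmware bytes, against the affected range stated in this advisory, treating a release candidate as older than the final release of the same YYYY.MM. The banner layout, the function names and the sample bytes are assumptions made for this example.

```python
import re

# Range stated in the advisory: v2020.10-rc2 through v2022.07-rc5 (fixed in v2022.07-rc6).
FIRST_AFFECTED = "v2020.10-rc2"
LAST_AFFECTED = "v2022.07-rc5"

# Assumed version syntax: optional "v", YYYY.MM, optional "-rcN". Vendor
# suffixes such as "-00123-gabcdef-dirty" are ignored.
_VERSION = re.compile(r"v?(\d{4})\.(\d{2})(?:-rc(\d+))?")
# Assumed banner layout as embedded in boot loader binaries.
_BANNER = re.compile(rb"U-Boot (?:SPL |TPL )?(\d{4}\.\d{2}(?:-rc\d+)?)")


def version_key(text):
    """Return a sortable key for the first U-Boot version found in text."""
    m = _VERSION.search(text)
    if m is None:
        raise ValueError(f"no U-Boot version in {text!r}")
    year, month, rc = int(m.group(1)), int(m.group(2)), m.group(3)
    # A release candidate sorts before the final release of the same YYYY.MM.
    return (year, month, 0, int(rc)) if rc else (year, month, 1, 0)


def is_affected(text):
    """True if the version lies inside the advisory's affected range."""
    return version_key(FIRST_AFFECTED) <= version_key(text) <= version_key(LAST_AFFECTED)


def scan_firmware(blob):
    """Return sorted (version, affected) pairs for every banner in raw bytes."""
    found = {m.group(1).decode("ascii") for m in _BANNER.finditer(blob)}
    return [(v, is_affected(v)) for v in sorted(found, key=version_key)]


# Constructed sample: fragments of three images, not real firmware.
SAMPLE = (
    b"\x00\x01U-Boot SPL 2020.10-rc1 (Aug 01 2020 - 00:00:00 +0000)\x00"
    b"\xffU-Boot 2021.04-00123-gabcdef (Apr 05 2021 - 00:00:00 +0000)\x00"
    b"U-Boot 2022.07-rc6 (Jul 05 2022 - 00:00:00 +0000)\x00"
)

if __name__ == "__main__":
    for version, affected in scan_firmware(SAMPLE):
        print(version, "AFFECTED" if affected else "not in affected range")
```

A version inside the range marks a build for review: the version string alone cannot show whether squashfs support is compiled in or whether a vendor has backported the fix.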

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score: 6.6
Attack Vector (AV): Physical (P)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)

Credit

Tatsuhiko Yasumatsu of Sony Corporation reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated between the reporter and the developer.

Other Information

CVE: CVE-2022-33967

Update History

2022/07/20
Version information in the [Products Affected], [Description] and [Solution] sections was updated.