[OE-core] [daisy][PATCH] squashfs-tools: enable building unsquashfs and fix squashfs-4.2-fix-CVE-2012-4025.patch
Martin Jansa
martin.jansa at gmail.com
Thu May 21 11:23:15 UTC 2015
* build unsqaushfs, useful when debuging corrupt squashfs from
mksquashfs
* squashfs-4.2-fix-CVE-2012-4025.patch fixes CVE in unsquashfs which we
weren't building and it actually breaks building it, because someone
missed squashfs_fs.h change from the original change
* add git headers in all patches and fix references to new github
repository
Signed-off-by: Martin Jansa <Martin.Jansa at gmail.com>
---
.../squashfs-4.2-fix-CVE-2012-4024.patch | 32 ++++++++++++-----
.../squashfs-4.2-fix-CVE-2012-4025.patch | 40 ++++++++++++++++++----
...dd-a-commment-and-fix-some-other-comments.patch | 27 +++++++++++----
.../squashfs-fix-open-file-limit.patch | 29 +++++++++++-----
.../squashfs-tools/squashfs-tools_4.2.bb | 7 ++--
5 files changed, 101 insertions(+), 34 deletions(-)
diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4024.patch b/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4024.patch
index 8b9904f..52af602 100644
--- a/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4024.patch
+++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4024.patch
@@ -1,7 +1,12 @@
+From bf9776123b854ce30a21403e4df4d4f5deb6af91 Mon Sep 17 00:00:00 2001
+From: "yanjun.zhu" <yanjun.zhu at windriver.com>
+Date: Wed, 20 May 2015 18:14:12 +0200
+Subject: [PATCH 3/4] Fix CVE-2012-4024
+
Upstream-Status: Backport
-Reference:http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=
-squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123
+Reference:
+https://github.com/plougher/squashfs-tools/commit/19c38fba0be1ce949ab44310d7f49887576cc123
Fix potential stack overflow in get_component() where an individual
pathname component in an extract file (specified on the command line
@@ -12,10 +17,16 @@ Fix by dynamically allocating targname rather than storing it as
a fixed size on the stack.
Signed-off-by: yanjun.zhu <yanjun.zhu at windriver.com>
-diff -urpN a/unsquashfs.c b/unsquashfs.c
---- a/unsquashfs.c 2012-11-29 17:04:08.000000000 +0800
-+++ b/unsquashfs.c 2012-11-29 17:04:25.000000000 +0800
-@@ -1034,15 +1034,18 @@ void squashfs_closedir(struct dir *dir)
+Signed-off-by: Martin Jansa <martin.jansa at lge.com>
+---
+ squashfs-tools/unsquashfs.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/unsquashfs.c b/unsquashfs.c
+index d532486..4fc04e8 100644
+--- a/unsquashfs.c
++++ b/unsquashfs.c
+@@ -1076,15 +1076,18 @@ void squashfs_closedir(struct dir *dir)
}
@@ -37,7 +48,7 @@ diff -urpN a/unsquashfs.c b/unsquashfs.c
return target;
}
-@@ -1068,12 +1071,12 @@ void free_path(struct pathname *paths)
+@@ -1110,12 +1113,12 @@ void free_path(struct pathname *paths)
struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
{
@@ -52,7 +63,7 @@ diff -urpN a/unsquashfs.c b/unsquashfs.c
if(paths == NULL) {
paths = malloc(sizeof(struct pathname));
-@@ -1097,7 +1100,7 @@ struct pathname *add_path(struct pathnam
+@@ -1139,7 +1142,7 @@ struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
sizeof(struct path_entry));
if(paths->name == NULL)
EXIT_UNSQUASH("Out of memory in add_path\n");
@@ -61,7 +72,7 @@ diff -urpN a/unsquashfs.c b/unsquashfs.c
paths->name[i].paths = NULL;
if(use_regex) {
paths->name[i].preg = malloc(sizeof(regex_t));
-@@ -1130,6 +1133,8 @@ struct pathname *add_path(struct pathnam
+@@ -1172,6 +1175,8 @@ struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
/*
* existing matching entry
*/
@@ -70,3 +81,6 @@ diff -urpN a/unsquashfs.c b/unsquashfs.c
if(paths->name[i].paths == NULL) {
/*
* No sub-directory which means this is the leaf
+--
+2.1.4
+
diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4025.patch b/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4025.patch
index 0dabfba..a5cdecf 100644
--- a/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4025.patch
+++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4025.patch
@@ -1,7 +1,11 @@
+From fef997df2a1d6609af55e30eb67b65c786588fcb Mon Sep 17 00:00:00 2001
+From: "yanjun.zhu" <yanjun.zhu at windriver.com>
+Date: Wed, 20 May 2015 18:18:47 +0200
+Subject: [PATCH 4/4] Fix CVE-2012-4025
+
Upstream-Status: Backport
-Reference: http://squashfs.git.sourceforge.net/git/gitweb.cgi?
-p=squashfs/squashfs;a=patch;h=8515b3d420f502c5c0236b86e2d6d7e3b23c190e
+Reference: https://github.com/plougher/squashfs-tools/commit/8515b3d420f502c5c0236b86e2d6d7e3b23c190e
Integer overflow in the queue_init function in unsquashfs.c in
unsquashfs in Squashfs 4.2 and earlier allows remote attackers
@@ -10,10 +14,29 @@ superblock of a .sqsh file, leading to a heap-based buffer overflow.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4025
-Signed-off-by: yanjun.zhu <yanjun.zhu at windriver.com>
+Signed-off-by: yanjun.zhu <yanjun.zhu at windriver.com>
+Signed-off-by: Martin Jansa <martin.jansa at lge.com>
+---
+ squashfs-tools/squashfs_fs.h | 1 +
+ squashfs-tools/unsquashfs.c | 110 +++++++++++++++++++++++++++++++++++++++----
+ 2 files changed, 103 insertions(+), 8 deletions(-)
---- a/unsquashfs.c 2012-11-30 17:57:57.000000000 +0800
-+++ b/unsquashfs.c 2012-11-30 17:58:09.000000000 +0800
+diff --git a/squashfs_fs.h b/squashfs_fs.h
+index d4fba1b..6227be2 100644
+--- a/squashfs_fs.h
++++ b/squashfs_fs.h
+@@ -39,6 +39,7 @@
+ #define SQUASHFS_FILE_LOG 17
+
+ #define SQUASHFS_FILE_MAX_SIZE 1048576
++#define SQUASHFS_FILE_MAX_LOG 20
+
+ /* Max number of uids and gids */
+ #define SQUASHFS_IDS 65536
+diff --git a/unsquashfs.c b/unsquashfs.c
+index 4fc04e8..078d6ca 100644
+--- a/unsquashfs.c
++++ b/unsquashfs.c
@@ -33,6 +33,7 @@
#include <sys/types.h>
#include <sys/time.h>
@@ -58,7 +81,7 @@ Signed-off-by: yanjun.zhu <yanjun.zhu at windriver.com>
queue->data = malloc(sizeof(void *) * (size + 1));
if(queue->data == NULL)
EXIT_UNSQUASH("Out of memory in queue_init\n");
-@@ -1948,13 +1971,30 @@ void initialise_threads(int fragment_buf
+@@ -1948,13 +1971,30 @@ void initialise_threads(int fragment_buffer_size, int data_buffer_size)
* allocate to_reader, to_deflate and to_writer queues. Set based on
* open file limit and cache size, unless open file limit is unlimited,
* in which case set purely based on cache limits
@@ -90,7 +113,7 @@ Signed-off-by: yanjun.zhu <yanjun.zhu at windriver.com>
to_reader = queue_init(all_buffers_size);
to_deflate = queue_init(all_buffers_size);
-@@ -2059,6 +2099,32 @@ void progress_bar(long long current, lon
+@@ -2059,6 +2099,32 @@ void progress_bar(long long current, long long max, int columns)
}
@@ -188,3 +211,6 @@ Signed-off-by: yanjun.zhu <yanjun.zhu at windriver.com>
initialise_threads(fragment_buffer_size, data_buffer_size);
fragment_data = malloc(block_size);
+--
+2.1.4
+
diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-add-a-commment-and-fix-some-other-comments.patch b/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-add-a-commment-and-fix-some-other-comments.patch
index fa075f9..9d3a300 100644
--- a/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-add-a-commment-and-fix-some-other-comments.patch
+++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-add-a-commment-and-fix-some-other-comments.patch
@@ -1,13 +1,23 @@
+From 376dcb8ce2c9a6dab59e0a62a86549a490dee014 Mon Sep 17 00:00:00 2001
+From: "yanjun.zhu" <yanjun.zhu at windriver.com>
+Date: Wed, 20 May 2015 18:16:53 +0200
+Subject: [PATCH 1/4] Add a comment and fix some other comments
+
Upstream-Status: Backport
unsquashfs: add a commment and fix some other comments
-Signed-off-by: yanjun.zhu <yanjun.zhu at windriver.com>
+Signed-off-by: yanjun.zhu <yanjun.zhu at windriver.com>
+Signed-off-by: Martin Jansa <martin.jansa at lge.com>
+---
+ squashfs-tools/unsquashfs.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
-diff -urpN a/unsquashfs.c b/unsquashfs.c
---- a/unsquashfs.c 2012-11-30 15:27:14.000000000 +0800
-+++ b/unsquashfs.c 2012-11-30 15:27:56.000000000 +0800
-@@ -814,7 +814,7 @@ int write_file(struct inode *inode, char
+diff --git a/unsquashfs.c b/unsquashfs.c
+index 529dfac..4f26e18 100644
+--- a/unsquashfs.c
++++ b/unsquashfs.c
+@@ -814,7 +814,7 @@ int write_file(struct inode *inode, char *pathname)
/*
* the writer thread is queued a squashfs_file structure describing the
@@ -16,7 +26,7 @@ diff -urpN a/unsquashfs.c b/unsquashfs.c
* queued separately (references to blocks in the cache).
*/
file->fd = file_fd;
-@@ -838,7 +838,7 @@ int write_file(struct inode *inode, char
+@@ -838,7 +838,7 @@ int write_file(struct inode *inode, char *pathname)
block->offset = 0;
block->size = i == file_end ? inode->data & (block_size - 1) :
block_size;
@@ -25,7 +35,7 @@ diff -urpN a/unsquashfs.c b/unsquashfs.c
block->buffer = NULL;
else {
block->buffer = cache_get(data_cache, start,
-@@ -2161,6 +2161,10 @@ options:
+@@ -2156,6 +2156,10 @@ options:
block_size = sBlk.s.block_size;
block_log = sBlk.s.block_log;
@@ -36,3 +46,6 @@ diff -urpN a/unsquashfs.c b/unsquashfs.c
fragment_buffer_size <<= 20 - block_log;
data_buffer_size <<= 20 - block_log;
initialise_threads(fragment_buffer_size, data_buffer_size);
+--
+2.1.4
+
diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-fix-open-file-limit.patch b/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-fix-open-file-limit.patch
index c60f7b4..7c89dc0 100644
--- a/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-fix-open-file-limit.patch
+++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-fix-open-file-limit.patch
@@ -1,3 +1,8 @@
+From b8047131516fb39adce68f4734ff5fc178be275b Mon Sep 17 00:00:00 2001
+From: "yanjun.zhu" <yanjun.zhu at windriver.com>
+Date: Wed, 20 May 2015 18:17:45 +0200
+Subject: [PATCH 2/4] Fix open file limit
+
Upstream-Status: Backport
unsquashfs: fix open file limit
@@ -30,11 +35,16 @@ track the amount of open files.
Signed-off-by: Phillip Lougher <phillip at squashfs.org.uk>
-Signed-off-by: yanjun.zhu <yanjun.zhu at windriver.com>
+Signed-off-by: yanjun.zhu <yanjun.zhu at windriver.com>
+Signed-off-by: Martin Jansa <martin.jansa at lge.com>
+---
+ squashfs-tools/unsquashfs.c | 134 +++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 126 insertions(+), 8 deletions(-)
-diff -urpN a/unsquashfs.c b/unsquashfs.c
---- a/unsquashfs.c 2012-11-30 15:31:29.000000000 +0800
-+++ b/unsquashfs.c 2012-11-30 15:32:03.000000000 +0800
+diff --git a/unsquashfs.c b/unsquashfs.c
+index 4f26e18..d532486 100644
+--- a/unsquashfs.c
++++ b/unsquashfs.c
@@ -31,6 +31,8 @@
#include <sys/sysinfo.h>
@@ -91,7 +101,7 @@ diff -urpN a/unsquashfs.c b/unsquashfs.c
int write_file(struct inode *inode, char *pathname)
{
unsigned int file_fd, i;
-@@ -794,8 +836,8 @@ int write_file(struct inode *inode, char
+@@ -794,8 +836,8 @@ int write_file(struct inode *inode, char *pathname)
TRACE("write_file: regular file, blocks %d\n", inode->blocks);
@@ -102,7 +112,7 @@ diff -urpN a/unsquashfs.c b/unsquashfs.c
if(file_fd == -1) {
ERROR("write_file: failed to create file %s, because %s\n",
pathname, strerror(errno));
-@@ -1712,7 +1754,7 @@ void *writer(void *arg)
+@@ -1707,7 +1749,7 @@ void *writer(void *arg)
}
}
@@ -111,7 +121,7 @@ diff -urpN a/unsquashfs.c b/unsquashfs.c
if(failed == FALSE)
set_attributes(file->pathname, file->mode, file->uid,
file->gid, file->time, file->xattr, force);
-@@ -1803,9 +1845,9 @@ void *progress_thread(void *arg)
+@@ -1798,9 +1840,9 @@ void *progress_thread(void *arg)
void initialise_threads(int fragment_buffer_size, int data_buffer_size)
{
@@ -123,7 +133,7 @@ diff -urpN a/unsquashfs.c b/unsquashfs.c
sigemptyset(&sigmask);
sigaddset(&sigmask, SIGINT);
-@@ -1841,10 +1883,86 @@ void initialise_threads(int fragment_buf
+@@ -1836,10 +1878,86 @@ void initialise_threads(int fragment_buffer_size, int data_buffer_size)
EXIT_UNSQUASH("Out of memory allocating thread descriptors\n");
deflator_thread = &thread[3];
@@ -213,3 +223,6 @@ diff -urpN a/unsquashfs.c b/unsquashfs.c
fragment_cache = cache_init(block_size, fragment_buffer_size);
data_cache = cache_init(block_size, data_buffer_size);
pthread_create(&thread[0], NULL, reader, NULL);
+--
+2.1.4
+
diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
index 57400cd..8fdb810 100644
--- a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
+++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
@@ -30,11 +30,12 @@ S = "${WORKDIR}/squashfs${PV}/squashfs-tools"
EXTRA_OEMAKE = "MAKEFLAGS= LZMA_SUPPORT=1 LZMA_DIR=../.. XZ_SUPPORT=1"
do_compile() {
- oe_runmake mksquashfs
+ oe_runmake mksquashfs unsquashfs
}
do_install () {
- install -d ${D}${sbindir}
- install -m 0755 mksquashfs ${D}${sbindir}/
+ install -d ${D}${sbindir}
+ install -m 0755 mksquashfs ${D}${sbindir}/
+ install -m 0755 unsquashfs ${D}${sbindir}/
}
ARM_INSTRUCTION_SET = "arm"
--
2.4.1
More information about the Openembedded-core
mailing list