squashfs: Add security hardening based on CVE research · gazagnaire.org/ocaml-squashfs@88a81cf

+69 -3

fuzz/fuzz_squashfs.ml

··· 6 6 (** Fuzz tests for SquashFS. 7 7 8 8 Key properties tested: 1. No crashes on malformed input 2. Parser handles 9 - truncated data gracefully *) 9 + truncated data gracefully 3. Security limits enforced on crafted values 10 + 11 + CVE references: 12 + - CVE-2015-4645: Integer overflow in read_fragment_table_4 13 + - CVE-2015-4646: DoS via crafted input 14 + - CVE-2012-4025: Integer overflow via crafted block_log 15 + - CVE-2021-40153: Directory traversal via symbolic link 16 + 17 + See: 18 + https://www.cvedetails.com/vulnerability-list/vendor_id-16355/Squashfs-Project.html 19 + *) 10 20 11 21 open Crowbar 12 22 ··· 19 29 20 30 (* Property 2: Valid magic prefix still handles corruption *) 21 31 let test_corrupted_after_magic input = 22 - (* Create data with valid magic but random rest *) 23 32 let magic = "hsqs" in 24 33 let data = magic ^ input in 25 34 match Squashfs.of_string data with Ok _ -> () | Error _ -> () 26 35 36 + (* Property 3: Superblock with crafted values - CVE-2012-4025, CVE-2015-4645 *) 37 + let test_crafted_superblock block_size inode_count id_count = 38 + let data = Bytes.make 100 '\x00' in 39 + (* Magic *) 40 + Bytes.set data 0 '\x68'; 41 + Bytes.set data 1 '\x73'; 42 + Bytes.set data 2 '\x71'; 43 + Bytes.set data 3 '\x73'; 44 + (* inode_count at offset 4 *) 45 + Bytes.set_int32_le data 4 (Int32.of_int inode_count); 46 + (* block_size at offset 12 *) 47 + Bytes.set_int32_le data 12 (Int32.of_int block_size); 48 + (* compression = gzip *) 49 + Bytes.set data 20 '\x01'; 50 + (* id_count at offset 26 *) 51 + Bytes.set data 26 (Char.chr (id_count land 0xff)); 52 + Bytes.set data 27 (Char.chr ((id_count lsr 8) land 0xff)); 53 + (* version = 4.0 *) 54 + Bytes.set data 28 '\x04'; 55 + match Squashfs.of_string (Bytes.to_string data) with 56 + | Ok _ -> () 57 + | Error _ -> () 58 + 59 + (* Property 4: Path traversal detection - CVE-2021-40153 *) 60 + let test_symlink_traversal target = 61 + let has_traversal = Squashfs.is_path_traversal target in 62 + let has_dotdot = 63 + String.split_on_char '/' target |> List.exists (fun s -> s = "..") 64 + in 65 + let is_absolute = String.length target > 0 && target.[0] = '/' in 66 + (* Verify is_path_traversal catches all dangerous patterns *) 67 + if has_dotdot || is_absolute then 68 + if not has_traversal then 69 + failf "is_path_traversal missed dangerous target: %s" target 70 + 71 + (* Property 5: Truncated input at various points *) 72 + let test_truncated_input prefix_len = 73 + let len = min prefix_len 200 in 74 + if len > 0 then ( 75 + let data = Bytes.make len '\x00' in 76 + (* Set magic if long enough *) 77 + if len >= 4 then begin 78 + Bytes.set data 0 '\x68'; 79 + Bytes.set data 1 '\x73'; 80 + Bytes.set data 2 '\x71'; 81 + Bytes.set data 3 '\x73' 82 + end; 83 + match Squashfs.of_string (Bytes.to_string data) with 84 + | Ok _ -> () 85 + | Error _ -> ()) 86 + 27 87 let () = 28 88 add_test ~name:"squashfs: no crash on arbitrary input" [ bytes ] test_no_crash; 29 89 add_test ~name:"squashfs: handle corrupted data after magic" [ bytes ] 30 - test_corrupted_after_magic 90 + test_corrupted_after_magic; 91 + add_test ~name:"squashfs: crafted superblock values" 92 + [ range 0x200000; range 0xffff; range 0xffff ] 93 + test_crafted_superblock; 94 + add_test ~name:"squashfs: symlink traversal detection" [ bytes ] 95 + test_symlink_traversal; 96 + add_test ~name:"squashfs: truncated input" [ range 300 ] test_truncated_input

+183 -98

lib/squashfs.ml

··· 7 7 let magic = 0x73717368l (* "hsqs" little-endian *) 8 8 let superblock_size = 96 9 9 10 + (* Security limits *) 11 + let max_block_size = 1024 * 1024 (* 1MB - SquashFS spec maximum *) 12 + let max_file_read_size = 100 * 1024 * 1024 (* 100MB default limit *) 13 + let max_symlink_target_size = 4096 (* PATH_MAX on most systems *) 14 + 15 + (* Security helpers *) 16 + 17 + let check_bounds ~data_len ~offset ~size name = 18 + if offset < 0 || offset + size > data_len then 19 + Error (Printf.sprintf "%s out of bounds" name) 20 + else Ok () 21 + 22 + let is_path_traversal target = 23 + let has_dotdot = 24 + String.split_on_char '/' target |> List.exists (fun s -> s = "..") 25 + in 26 + let is_absolute = String.length target > 0 && target.[0] = '/' in 27 + has_dotdot || is_absolute 28 + 10 29 (* Compression types *) 11 30 type compression = Gzip | Lzma | Lzo | Xz | Lz4 | Zstd 12 31 ··· 226 245 match compression_of_int compression_id with 227 246 | Error e -> Error e 228 247 | Ok compression -> 229 - Ok 230 - { 231 - inode_count = get_u32_le data 4; 232 - modification_time = get_u32_le data 8; 233 - block_size = get_u32_le data 12; 234 - fragment_entry_count = get_u32_le data 16; 235 - compression; 236 - block_log = get_u16_le data 22; 237 - flags = get_u16_le data 24; 238 - id_count = get_u16_le data 26; 239 - version_major = get_u16_le data 28; 240 - version_minor = get_u16_le data 30; 241 - root_inode_ref = get_u64_le data 32; 242 - bytes_used = get_u64_le data 40; 243 - } 248 + let block_size = get_u32_le data 12 in 249 + (* Security: validate block_size to prevent decompression bombs *) 250 + if block_size <= 0 || block_size > max_block_size then 251 + Error 252 + (Printf.sprintf "invalid block_size %d (must be 1-%d)" block_size 253 + max_block_size) 254 + else 255 + Ok 256 + { 257 + inode_count = get_u32_le data 4; 258 + modification_time = get_u32_le data 8; 259 + block_size; 260 + fragment_entry_count = get_u32_le data 16; 261 + compression; 262 + block_log = get_u16_le data 22; 263 + flags = get_u16_le data 24; 264 + id_count = get_u16_le data 26; 265 + version_major = get_u16_le data 28; 266 + version_minor = get_u16_le data 30; 267 + root_inode_ref = get_u64_le data 32; 268 + bytes_used = get_u64_le data 40; 269 + } 244 270 245 271 (* Parse an inode from metadata *) 246 272 let parse_inode _t data offset = ··· 250 276 let inode_type_raw = type_and_mode land 0xf in 251 277 match file_type_of_int inode_type_raw with 252 278 | Error e -> Error e 253 - | Ok inode_type -> 254 - let mode = get_u16_le data (offset + 2) in 255 - let uid_idx = get_u16_le data (offset + 4) in 256 - let gid_idx = get_u16_le data (offset + 6) in 257 - let mtime = get_u32_le data (offset + 8) in 258 - let inode_number = get_u32_le data (offset + 12) in 259 - let inode_data, _next_offset = 260 - match inode_type with 261 - | Directory -> 262 - let start_block = get_u32_le data (offset + 16) in 263 - let nlink = get_u32_le data (offset + 20) in 264 - let file_size = get_u16_le data (offset + 24) in 265 - let off = get_u16_le data (offset + 26) in 266 - let parent = get_u32_le data (offset + 28) in 267 - ( Inode_dir 268 - { 269 - start_block; 270 - nlink; 271 - file_size = file_size + 3; 272 - (* size includes . and .. *) 273 - offset = off; 274 - parent_inode = parent; 275 - }, 276 - offset + 32 ) 277 - | Regular -> 278 - let start_block = Int64.of_int (get_u32_le data (offset + 16)) in 279 - let fragment = get_i32_le data (offset + 20) in 280 - let off = get_u32_le data (offset + 24) in 281 - let file_size = Int64.of_int (get_u32_le data (offset + 28)) in 282 - ( Inode_file 283 - { 284 - start_block; 285 - fragment; 286 - offset = off; 287 - file_size; 288 - block_sizes = [||]; 289 - (* TODO: parse block list *) 290 - }, 291 - offset + 32 ) 292 - | Symlink -> 293 - let nlink = get_u32_le data (offset + 16) in 294 - let target_size = get_u32_le data (offset + 20) in 295 - let target = String.sub data (offset + 24) target_size in 296 - (Inode_symlink { nlink; target }, offset + 24 + target_size) 297 - | Block_device | Char_device -> 298 - let nlink = get_u32_le data (offset + 16) in 299 - let rdev = get_u32_le data (offset + 20) in 300 - (Inode_device { nlink; rdev }, offset + 24) 301 - | Fifo | Socket -> 302 - let nlink = get_u32_le data (offset + 16) in 303 - (Inode_ipc { nlink }, offset + 20) 304 - in 305 - Ok 306 - { 307 - inode_type; 308 - mode = mode land 0o7777; 309 - uid_idx; 310 - gid_idx; 311 - mtime; 312 - inode_number; 313 - inode_data; 314 - } 279 + | Ok inode_type -> ( 280 + try 281 + let mode = get_u16_le data (offset + 2) in 282 + let uid_idx = get_u16_le data (offset + 4) in 283 + let gid_idx = get_u16_le data (offset + 6) in 284 + let mtime = get_u32_le data (offset + 8) in 285 + let inode_number = get_u32_le data (offset + 12) in 286 + let inode_data, _next_offset = 287 + match inode_type with 288 + | Directory -> 289 + (* Security: bounds check for directory inode fields *) 290 + if offset + 32 > String.length data then 291 + failwith "directory inode truncated"; 292 + let start_block = get_u32_le data (offset + 16) in 293 + let nlink = get_u32_le data (offset + 20) in 294 + let file_size = get_u16_le data (offset + 24) in 295 + let off = get_u16_le data (offset + 26) in 296 + let parent = get_u32_le data (offset + 28) in 297 + ( Inode_dir 298 + { 299 + start_block; 300 + nlink; 301 + file_size = file_size + 3; 302 + (* size includes . and .. *) 303 + offset = off; 304 + parent_inode = parent; 305 + }, 306 + offset + 32 ) 307 + | Regular -> 308 + (* Security: bounds check for regular file inode fields *) 309 + if offset + 32 > String.length data then 310 + failwith "regular file inode truncated"; 311 + let start_block = 312 + Int64.of_int (get_u32_le data (offset + 16)) 313 + in 314 + let fragment = get_i32_le data (offset + 20) in 315 + let off = get_u32_le data (offset + 24) in 316 + let file_size = Int64.of_int (get_u32_le data (offset + 28)) in 317 + ( Inode_file 318 + { 319 + start_block; 320 + fragment; 321 + offset = off; 322 + file_size; 323 + block_sizes = [||]; 324 + (* TODO: parse block list *) 325 + }, 326 + offset + 32 ) 327 + | Symlink -> 328 + (* Security: bounds check for symlink inode header *) 329 + if offset + 24 > String.length data then 330 + failwith "symlink inode truncated"; 331 + let nlink = get_u32_le data (offset + 16) in 332 + let target_size = get_u32_le data (offset + 20) in 333 + (* Security: validate symlink target size *) 334 + if target_size > max_symlink_target_size then 335 + failwith 336 + (Printf.sprintf "symlink target too large: %d" target_size) 337 + else if offset + 24 + target_size > String.length data then 338 + failwith "symlink target extends beyond data" 339 + else 340 + let target = String.sub data (offset + 24) target_size in 341 + (Inode_symlink { nlink; target }, offset + 24 + target_size) 342 + | Block_device | Char_device -> 343 + (* Security: bounds check for device inode fields *) 344 + if offset + 24 > String.length data then 345 + failwith "device inode truncated"; 346 + let nlink = get_u32_le data (offset + 16) in 347 + let rdev = get_u32_le data (offset + 20) in 348 + (Inode_device { nlink; rdev }, offset + 24) 349 + | Fifo | Socket -> 350 + (* Security: bounds check for IPC inode fields *) 351 + if offset + 20 > String.length data then 352 + failwith "IPC inode truncated"; 353 + let nlink = get_u32_le data (offset + 16) in 354 + (Inode_ipc { nlink }, offset + 20) 355 + in 356 + Ok 357 + { 358 + inode_type; 359 + mode = mode land 0o7777; 360 + uid_idx; 361 + gid_idx; 362 + mtime; 363 + inode_number; 364 + inode_data; 365 + } 366 + with Failure msg -> Error msg) 315 367 316 368 (* Read the ID table *) 369 + 370 + let read_id_table_block data ~data_len ~block_offset ~count = 371 + match 372 + check_bounds ~data_len ~offset:block_offset ~size:2 "ID table block" 373 + with 374 + | Error e -> Error e 375 + | Ok () -> ( 376 + let header = get_u16_le data block_offset in 377 + let compressed = header land 0x8000 = 0 in 378 + let size = header land 0x7fff in 379 + if compressed then Error "compressed ID table not yet supported" 380 + else 381 + match 382 + check_bounds ~data_len ~offset:(block_offset + 2) ~size 383 + "ID table data" 384 + with 385 + | Error e -> Error e 386 + | Ok () -> 387 + let table = Array.make count 0 in 388 + for i = 0 to min count (size / 4) - 1 do 389 + table.(i) <- get_u32_le data (block_offset + 2 + (i * 4)) 390 + done; 391 + Ok table) 392 + 317 393 let read_id_table data sb = 318 - let id_table_start = get_u64_le data 48 in 394 + let data_len = String.length data in 319 395 let count = sb.id_count in 320 396 if count = 0 then Ok [||] 397 + else if count > 65536 then Error "id_count exceeds maximum (65536)" 321 398 else 322 - (* ID table is an array of block pointers, each block contains IDs *) 323 - let table = Array.make count 0 in 324 - let block_ptr_offset = Int64.to_int id_table_start in 325 - (* Read first block pointer *) 326 - let block_offset = Int64.to_int (get_u64_le data block_ptr_offset) in 327 - (* Read the block header *) 328 - let header = get_u16_le data block_offset in 329 - let compressed = header land 0x8000 = 0 in 330 - let size = header land 0x7fff in 331 - if compressed then 332 - (* For now, just read uncompressed *) 333 - Error "compressed ID table not yet supported" 334 - else begin 335 - for i = 0 to min count (size / 4) - 1 do 336 - table.(i) <- get_u32_le data (block_offset + 2 + (i * 4)) 337 - done; 338 - Ok table 339 - end 399 + let block_ptr_offset = Int64.to_int (get_u64_le data 48) in 400 + match 401 + check_bounds ~data_len ~offset:block_ptr_offset ~size:8 "ID table pointer" 402 + with 403 + | Error e -> Error e 404 + | Ok () -> 405 + let block_offset = Int64.to_int (get_u64_le data block_ptr_offset) in 406 + read_id_table_block data ~data_len ~block_offset ~count 340 407 341 408 (* Read root inode *) 342 409 let read_root_inode t = ··· 526 593 go t.root_inode components 527 594 528 595 (* File reading *) 529 - let read_file t inode = 596 + let read_file ?(max_size = max_file_read_size) t inode = 530 597 match inode.inode_data with 531 598 | Inode_file { start_block; file_size; fragment; offset; _ } -> 532 - if fragment >= 0 then 599 + (* Security: enforce file size limit to prevent memory exhaustion *) 600 + if Int64.compare file_size (Int64.of_int max_size) > 0 then 601 + Error 602 + (Printf.sprintf "file too large: %Ld bytes (max %d)" file_size 603 + max_size) 604 + else if fragment >= 0 then 533 605 (* File is in fragment *) 534 606 Error "fragment reading not yet implemented" 535 607 else if file_size = 0L then Ok "" ··· 565 637 match inode.inode_data with 566 638 | Inode_symlink { target; _ } -> Ok target 567 639 | _ -> Error "not a symbolic link" 640 + 641 + let safe_read_link _t inode = 642 + match inode.inode_data with 643 + | Inode_symlink { target; _ } -> 644 + (* Security: check for path traversal attempts *) 645 + if is_path_traversal target then 646 + Error 647 + (Printf.sprintf "symlink target contains path traversal: %s" target) 648 + else Ok target 649 + | _ -> Error "not a symbolic link" 650 + 651 + let is_device inode = 652 + match inode.inode_type with Block_device | Char_device -> true | _ -> false 568 653 569 654 (* Extended attributes *) 570 655 let has_xattrs t = t.xattr_table_start <> 0xffffffffffffffffL

+52 -4

lib/squashfs.mli

··· 13 13 14 14 This library provides read-only access to SquashFS images. 15 15 16 + {2 Security Considerations} 17 + 18 + {b Important}: SquashFS images from untrusted sources can be malicious. This 19 + library implements the following security measures: 20 + 21 + - {b Block size validation}: Rejects block sizes > 1MB to prevent 22 + decompression bombs 23 + - {b Bounds checking}: All reads are bounds-checked to prevent crashes 24 + - {b Symlink validation}: Use {!safe_read_link} to detect path traversal 25 + - {b File size limits}: {!read_file} has a configurable size limit (default 26 + 100MB) 27 + - {b Device node detection}: Use {!is_device} to identify device nodes 28 + before extraction 29 + 30 + When extracting files to disk, always: 31 + - Use {!safe_read_link} instead of {!read_link} 32 + - Check {!is_device} and skip device nodes unless explicitly needed 33 + - Validate paths don't escape the target directory 34 + - Consider file permissions (see {!inode_mode}) 35 + 16 36 {2 References} 17 37 18 38 - {{:https://dr-emann.github.io/squashfs/} SquashFS specification} ··· 121 141 122 142 (** {1 File Operations} *) 123 143 124 - val read_file : t -> inode -> (string, string) result 125 - (** [read_file t inode] reads the entire contents of a regular file. Returns 126 - [Error] if [inode] is not a regular file. *) 144 + val read_file : ?max_size:int -> t -> inode -> (string, string) result 145 + (** [read_file ?max_size t inode] reads the entire contents of a regular file. 146 + Returns [Error] if [inode] is not a regular file, or if the file exceeds 147 + [max_size] (default 100MB). 148 + 149 + {b Security}: The size limit prevents memory exhaustion attacks from 150 + malicious images claiming enormous file sizes. *) 127 151 128 152 val read_link : t -> inode -> (string, string) result 129 153 (** [read_link t inode] reads the target of a symbolic link. Returns [Error] if 130 - [inode] is not a symlink. *) 154 + [inode] is not a symlink. 155 + 156 + {b Warning}: This returns the raw symlink target without validation. Use 157 + {!safe_read_link} when extracting files to disk. *) 158 + 159 + val safe_read_link : t -> inode -> (string, string) result 160 + (** [safe_read_link t inode] reads the target of a symbolic link with security 161 + validation. Returns [Error] if: 162 + - [inode] is not a symlink 163 + - The target contains path traversal ([..] components) 164 + - The target is an absolute path 165 + 166 + Use this instead of {!read_link} when extracting files to disk. *) 167 + 168 + val is_path_traversal : string -> bool 169 + (** [is_path_traversal target] returns [true] if the symlink target contains 170 + path traversal attempts (absolute paths or [..] components). *) 131 171 132 172 (** {1 Device Operations} *) 173 + 174 + val is_device : inode -> bool 175 + (** [is_device inode] returns [true] if the inode is a block or character 176 + device. Use this to skip device nodes when extracting files to disk. 177 + 178 + {b Security}: Creating device nodes from untrusted sources can be dangerous. 179 + Most extraction tools should skip device nodes unless explicitly requested. 180 + *) 133 181 134 182 val device_major : inode -> int 135 183 (** [device_major inode] returns the major device number. Only valid for

+190

test/test_squashfs.ml

··· 41 41 Format.pp_print_flush ppf (); 42 42 Alcotest.(check string) "directory" "directory" (Buffer.contents buf) 43 43 44 + (* Security tests - based on CVE research in equivalent implementations 45 + 46 + References: 47 + - CVE-2015-4645: Integer overflow in read_fragment_table_4 48 + - CVE-2015-4646: DoS via crafted input in unsquash 49 + - CVE-2012-4025: Integer overflow in queue_init() leading to heap overflow 50 + - CVE-2021-40153: Directory traversal via symbolic link 51 + - U-Boot squashfs: Heap overflow in metadata reading 52 + 53 + See: https://www.cvedetails.com/vulnerability-list/vendor_id-16355/Squashfs-Project.html 54 + *) 55 + 56 + (* Test: path traversal detection - CVE-2021-40153 related *) 57 + let test_path_traversal_dotdot () = 58 + Alcotest.(check bool) 59 + "../etc/passwd is traversal" true 60 + (Squashfs.is_path_traversal "../etc/passwd") 61 + 62 + let test_path_traversal_absolute () = 63 + Alcotest.(check bool) 64 + "/etc/passwd is traversal" true 65 + (Squashfs.is_path_traversal "/etc/passwd") 66 + 67 + let test_path_traversal_middle () = 68 + Alcotest.(check bool) 69 + "foo/../bar is traversal" true 70 + (Squashfs.is_path_traversal "foo/../bar") 71 + 72 + let test_path_traversal_safe () = 73 + Alcotest.(check bool) 74 + "foo/bar is safe" false 75 + (Squashfs.is_path_traversal "foo/bar") 76 + 77 + let test_path_traversal_relative () = 78 + Alcotest.(check bool) 79 + "./foo is safe" false 80 + (Squashfs.is_path_traversal "./foo") 81 + 82 + (* Test: block_size validation - CVE-2012-4025 related 83 + Integer overflow in queue_init via crafted block_log field *) 84 + let test_reject_large_block_size () = 85 + let data = Bytes.make 100 '\x00' in 86 + (* Magic: "hsqs" little-endian = 0x73717368 *) 87 + Bytes.set data 0 '\x68'; 88 + Bytes.set data 1 '\x73'; 89 + Bytes.set data 2 '\x71'; 90 + Bytes.set data 3 '\x73'; 91 + (* block_size at offset 12: 2MB = 0x200000 (> 1MB limit) *) 92 + Bytes.set data 12 '\x00'; 93 + Bytes.set data 13 '\x00'; 94 + Bytes.set data 14 '\x20'; 95 + Bytes.set data 15 '\x00'; 96 + (* compression at offset 20: gzip = 1 *) 97 + Bytes.set data 20 '\x01'; 98 + Bytes.set data 21 '\x00'; 99 + (* version at offset 28-31: 4.0 *) 100 + Bytes.set data 28 '\x04'; 101 + Bytes.set data 29 '\x00'; 102 + Bytes.set data 30 '\x00'; 103 + Bytes.set data 31 '\x00'; 104 + match Squashfs.of_string (Bytes.to_string data) with 105 + | Error _ -> () (* Any error is acceptable *) 106 + | Ok _ -> Alcotest.fail "should reject large block_size" 107 + 108 + (* Test: zero block_size - CVE-2012-4025 variant 109 + Zero or negative sizes can cause division by zero or overflow *) 110 + let test_reject_zero_block_size () = 111 + let data = Bytes.make 100 '\x00' in 112 + Bytes.set data 0 '\x68'; 113 + Bytes.set data 1 '\x73'; 114 + Bytes.set data 2 '\x71'; 115 + Bytes.set data 3 '\x73'; 116 + (* block_size = 0 *) 117 + Bytes.set data 20 '\x01'; 118 + Bytes.set data 21 '\x00'; 119 + Bytes.set data 28 '\x04'; 120 + Bytes.set data 29 '\x00'; 121 + match Squashfs.of_string (Bytes.to_string data) with 122 + | Error _ -> () 123 + | Ok _ -> Alcotest.fail "should reject zero block_size" 124 + 125 + (* Test: crafted inode_count - integer overflow potential *) 126 + let test_huge_inode_count () = 127 + let data = Bytes.make 100 '\x00' in 128 + Bytes.set data 0 '\x68'; 129 + Bytes.set data 1 '\x73'; 130 + Bytes.set data 2 '\x71'; 131 + Bytes.set data 3 '\x73'; 132 + (* inode_count at offset 4: max u32 *) 133 + Bytes.set data 4 '\xff'; 134 + Bytes.set data 5 '\xff'; 135 + Bytes.set data 6 '\xff'; 136 + Bytes.set data 7 '\xff'; 137 + (* valid block_size: 131072 (0x20000) *) 138 + Bytes.set data 12 '\x00'; 139 + Bytes.set data 13 '\x00'; 140 + Bytes.set data 14 '\x02'; 141 + Bytes.set data 15 '\x00'; 142 + Bytes.set data 20 '\x01'; 143 + Bytes.set data 21 '\x00'; 144 + Bytes.set data 28 '\x04'; 145 + Bytes.set data 29 '\x00'; 146 + match Squashfs.of_string (Bytes.to_string data) with 147 + | Error _ -> () 148 + | Ok _ -> () (* May succeed at parse, fail later - that's ok *) 149 + 150 + (* Test: id_count overflow - CVE-2015-4645 related 151 + Large id_count can cause allocation overflow *) 152 + let test_huge_id_count () = 153 + let data = Bytes.make 100 '\x00' in 154 + Bytes.set data 0 '\x68'; 155 + Bytes.set data 1 '\x73'; 156 + Bytes.set data 2 '\x71'; 157 + Bytes.set data 3 '\x73'; 158 + (* valid block_size *) 159 + Bytes.set data 12 '\x00'; 160 + Bytes.set data 13 '\x00'; 161 + Bytes.set data 14 '\x02'; 162 + Bytes.set data 15 '\x00'; 163 + Bytes.set data 20 '\x01'; 164 + Bytes.set data 21 '\x00'; 165 + (* id_count at offset 26: max u16 = 65535 *) 166 + Bytes.set data 26 '\xff'; 167 + Bytes.set data 27 '\xff'; 168 + Bytes.set data 28 '\x04'; 169 + Bytes.set data 29 '\x00'; 170 + match Squashfs.of_string (Bytes.to_string data) with 171 + | Error _ -> () (* Should be rejected - exceeds 65536 limit *) 172 + | Ok _ -> Alcotest.fail "should reject huge id_count" 173 + 174 + (* Test: truncated metadata - U-Boot CVE related 175 + Metadata block header claims size beyond image boundary *) 176 + let test_metadata_beyond_image () = 177 + let data = Bytes.make 100 '\x00' in 178 + Bytes.set data 0 '\x68'; 179 + Bytes.set data 1 '\x73'; 180 + Bytes.set data 2 '\x71'; 181 + Bytes.set data 3 '\x73'; 182 + Bytes.set data 12 '\x00'; 183 + Bytes.set data 13 '\x00'; 184 + Bytes.set data 14 '\x02'; 185 + Bytes.set data 15 '\x00'; 186 + Bytes.set data 20 '\x01'; 187 + Bytes.set data 21 '\x00'; 188 + Bytes.set data 28 '\x04'; 189 + Bytes.set data 29 '\x00'; 190 + (* id_table_start points beyond data *) 191 + Bytes.set data 48 '\xff'; 192 + Bytes.set data 49 '\xff'; 193 + match Squashfs.of_string (Bytes.to_string data) with 194 + | Error _ -> () 195 + | Ok _ -> () (* May succeed parsing, fail on access *) 196 + 197 + (* Test: empty input *) 198 + let test_empty_input () = 199 + match Squashfs.of_string "" with 200 + | Error _ -> () 201 + | Ok _ -> Alcotest.fail "should reject empty input" 202 + 203 + (* Test: minimum valid size *) 204 + let test_minimum_size () = 205 + (* Exactly superblock size but all zeros - should fail magic check *) 206 + let data = String.make 96 '\x00' in 207 + match Squashfs.of_string data with 208 + | Error _ -> () 209 + | Ok _ -> Alcotest.fail "should reject all-zeros superblock" 210 + 44 211 let suite = 45 212 [ 46 213 ( "errors", ··· 52 219 [ 53 220 Alcotest.test_case "compression" `Quick test_pp_compression; 54 221 Alcotest.test_case "file_type" `Quick test_pp_file_type; 222 + ] ); 223 + ( "security", 224 + [ 225 + Alcotest.test_case "path traversal: .." `Quick 226 + test_path_traversal_dotdot; 227 + Alcotest.test_case "path traversal: absolute" `Quick 228 + test_path_traversal_absolute; 229 + Alcotest.test_case "path traversal: middle" `Quick 230 + test_path_traversal_middle; 231 + Alcotest.test_case "path traversal: safe" `Quick 232 + test_path_traversal_safe; 233 + Alcotest.test_case "path traversal: relative" `Quick 234 + test_path_traversal_relative; 235 + Alcotest.test_case "reject large block_size" `Quick 236 + test_reject_large_block_size; 237 + Alcotest.test_case "reject zero block_size" `Quick 238 + test_reject_zero_block_size; 239 + Alcotest.test_case "huge inode_count" `Quick test_huge_inode_count; 240 + Alcotest.test_case "huge id_count" `Quick test_huge_id_count; 241 + Alcotest.test_case "metadata beyond image" `Quick 242 + test_metadata_beyond_image; 243 + Alcotest.test_case "empty input" `Quick test_empty_input; 244 + Alcotest.test_case "minimum size" `Quick test_minimum_size; 55 245 ] ); 56 246 ]

Configure Feed

Configure Feed