[Buildroot] Talos security vulnerabilities TALOS-2023-1844 / TALOS-2023-1845
Kilian Zinnecker
kilian.zinnecker at mail.de
Sun Dec 10 23:53:11 UTC 2023
Hello Peter, all,
as far as I see it, most packages within buildroot have hash files. So, would it
make sense that we use the new feature and actually add hash files, if a board
uses custom versions of the kernel, uboot, etc.? If so, it would not be very
convenient to add all the hash files manually. I started writing a script,
which goes through all defconfigs and tries to identify whether the defconfig
uses a custom kernel, uboot, or ATF. If so, and if there exists a
BR2_GLOBAL_PATCH_DIR in the defconfig, the script runs your "add-custom-hashes"
script, which then adds the hash files. My script is far from perfect. But I
wanted to ask for an opinion before I continue putting more effort into it.
Running the script for all defconfigs would take quite some time and probably
use a huge amount of disk space. See a patch containing the script below. (I
don't advocate for really adding the script to buildroot; the patch is just a
way to share the script.)
------
From af10775dbee7d8e785cb71e4492a89f1412fe997 Mon Sep 17 00:00:00 2001
From: Kilian Zinnecker <kilian.zinnecker at mail.de>
Date: Mon, 11 Dec 2023 00:34:53 +0100
Subject: [PATCH 1/1] Add script w. generates custom version hash files
Signed-off-by: Kilian Zinnecker <kilian.zinnecker at mail.de>
---
utils/generate-custom-version-hash-files.sh | 58 +++++++++++++++++++++
1 file changed, 58 insertions(+)
create mode 100755 utils/generate-custom-version-hash-files.sh
diff --git a/utils/generate-custom-version-hash-files.sh b/utils/generate-
custom-version-hash-files.sh
new file mode 100755
index 0000000000..c5f10db616
--- /dev/null
+++ b/utils/generate-custom-version-hash-files.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+# This script checks all defconfigs for custom kernel, u-boot and ATF and
tries
+# to add a hash file into the BR2_GLOBAL_PATCH_DIR, if it is set.
+
+configs_dir=./configs
+
+if [ -z ${1+x} ]
+then
+ defconfig_start="!"
+else
+ defconfig_start=$1
+fi
+
+cd ..
+
+for defconfig_path in "$configs_dir"/*
+do
+ if [[ "$defconfig_path" != *_defconfig ]]
+ then
+ continue
+ fi
+
+ defconfig_filename="$(basename -- $defconfig_path)"
+ defconfig_name=${defconfig_filename%_*}
+
+ if [ $defconfig_filename \< $defconfig_start ]
+ then
+ continue
+ fi
+
+ if ! grep -Eq "^BR2_LINUX_KERNEL_CUSTOM_VERSION=y*$|
^BR2_LINUX_KERNEL_CUSTOM_TARBALL=y*$|^BR2_TARGET_UBOOT_CUSTOM_VERSION=y*$|
^BR2_TARGET_UBOOT_CUSTOM_TARBALL=y*$|
^BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION=y*$|
^BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_TARBALL=y" \
+ $defconfig_path
+ then
+ echo $defconfig_name > last_defconfig
+ continue
+ fi
+
+ if ! grep -Eq "^BR2_GLOBAL_PATCH_DIR" $defconfig_path
+ then
+ echo $defconfig_name >> unhandled_defconfigs
+ echo $defconfig_name > last_defconfig
+ continue
+ fi
+
+ if ! grep -Exq "^BR2_DOWNLOAD_FORCE_CHECK_HASHES=y" $defconfig_path
+ then
+ echo "BR2_DOWNLOAD_FORCE_CHECK_HASHES=y" >> $defconfig_path
+ fi
+
+ make clean
+ make $defconfig_filename
+ ./utils/add-custom-hashes
+
+ echo $defconfig_name >> handled_defconfigs
+ echo $defconfig_name > last_defconfig
+
+done
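Review bot: the `make $defconfig_filename` step has no error check, so when a build configuration fails the script still runs `./utils/add-custom-hashes` and records the board in `handled_defconfigs`; `make $defconfig_filename || { echo $defconfig_name >> failed_defconfigs; continue; }` would keep the lists honest. Two smaller points in the same hunk: `cd ..` assumes the script is started from `utils/`, so `cd "$(dirname "$0")/.."` would make it location-independent, and the `echo "BR2_DOWNLOAD_FORCE_CHECK_HASHES=y" >> $defconfig_path` line edits the in-tree defconfig permanently (neither `make clean` nor the loop reverts it), which is worth a comment or a revert at the end of the iteration. Finally, `[ $defconfig_filename \< $defconfig_start ]` relies on a non-POSIX `[` extension; the script is already bash, so `[[ $defconfig_filename < $defconfig_start ]]` is the portable spelling, and the unquoted `$defconfig_path` in `basename` and `grep` should be quoted.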
--
2.25.1
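As an added example that is not part of the mailing-list patch, the classification step the script performs (which defconfigs select a custom kernel, U-Boot or ATF source, and which of those have a BR2_GLOBAL_PATCH_DIR to receive hash files) can be checked as a dry run without building anything. The sample defconfigs below are constructed, not real Buildroot boards; the option names are the ones the patch greps for, and the example assumes, as an assumption not stated on the page, that BR2_GLOBAL_PATCH_DIR may hold a space-separated list of directories.

```python
"""Dry-run classifier for Buildroot defconfigs that use custom kernel, U-Boot
or ATF sources.  Added example, not the script from the patch."""

# Boolean options meaning the package is fetched from a custom version or
# tarball instead of a Buildroot-known release (same list the script greps).
CUSTOM_SOURCE_OPTIONS = (
    "BR2_LINUX_KERNEL_CUSTOM_VERSION",
    "BR2_LINUX_KERNEL_CUSTOM_TARBALL",
    "BR2_TARGET_UBOOT_CUSTOM_VERSION",
    "BR2_TARGET_UBOOT_CUSTOM_TARBALL",
    "BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION",
    "BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_TARBALL",
)


def parse_defconfig(text):
    """Map option name -> value for KEY=value lines; comments, blank lines and
    '# BR2_X is not set' lines are skipped, surrounding quotes are dropped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        opts[key.strip()] = value.strip().strip('"')
    return opts


def classify(text):
    """Classify one defconfig the way the script's grep chain does."""
    opts = parse_defconfig(text)
    custom = [o for o in CUSTOM_SOURCE_OPTIONS if opts.get(o) == "y"]
    force_check = opts.get("BR2_DOWNLOAD_FORCE_CHECK_HASHES") == "y"
    if not custom:
        status = "no-custom-source"
        patch_dirs = []
    else:
        # Assumption: BR2_GLOBAL_PATCH_DIR may list several directories.
        patch_dirs = opts.get("BR2_GLOBAL_PATCH_DIR", "").split()
        status = "needs-hash-files" if patch_dirs else "unhandled"
    return {
        "status": status,
        "custom": custom,
        "patch_dirs": patch_dirs,
        "force_check": force_check,
    }


def scan(defconfigs):
    """Group a {filename: contents} mapping into the three lists the script
    writes (handled / unhandled / untouched), without running make."""
    report = {"handled": [], "unhandled": [], "no_custom_source": []}
    for filename in sorted(defconfigs):
        if not filename.endswith("_defconfig"):
            continue
        board = filename[: -len("_defconfig")]
        result = classify(defconfigs[filename])
        if result["status"] == "needs-hash-files":
            report["handled"].append(board)
        elif result["status"] == "unhandled":
            report["unhandled"].append(board)
        else:
            report["no_custom_source"].append(board)
    return report


# Constructed sample defconfigs (not real boards) covering the three cases.
SAMPLE_DEFCONFIGS = {
    "vendorboard_defconfig": (
        'BR2_arm=y\n'
        'BR2_GLOBAL_PATCH_DIR="board/vendor/patches board/vendor/extra"\n'
        'BR2_LINUX_KERNEL=y\n'
        'BR2_LINUX_KERNEL_CUSTOM_VERSION=y\n'
        'BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.1.55"\n'
        'BR2_DOWNLOAD_FORCE_CHECK_HASHES=y\n'
    ),
    "nopatchdir_defconfig": (
        'BR2_TARGET_UBOOT=y\n'
        'BR2_TARGET_UBOOT_CUSTOM_TARBALL=y\n'
        '# BR2_DOWNLOAD_FORCE_CHECK_HASHES is not set\n'
    ),
    "stock_defconfig": 'BR2_LINUX_KERNEL=y\n',
    "README": 'not a defconfig\n',
}

if __name__ == "__main__":
    for name, text in SAMPLE_DEFCONFIGS.items():
        print(name, classify(text))
    print(scan(SAMPLE_DEFCONFIGS))
```

Running the module prints the per-defconfig classification and the grouped report; `handled` boards are the ones for which the script would run `make <board>_defconfig` and `./utils/add-custom-hashes`, while `unhandled` boards select a custom source but have nowhere for a hash file to go.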