2 CVE-2024-57257

A stack consumption issue in sqfs_size in Das U-Boot before 2025.01-rc1 occurs via a crafted squashfs filesystem with deep symlink nesting.
https://nvd.nist.gov/vuln/detail/CVE-2024-57257

Categories

CWE-674 : Uncontrolled Recursion
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Ensure an end condition will be reached under all logic conditions. The end condition may include testing against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action. Increase the stack size. Deeply nested arrays trigger stack exhaustion. Self-referencing pointers create infinite loop and resultant stack exhaustion. Javascript application accidentally changes input in a way that prevents a recursive call from detecting an exit condition. An attempt to recover a corrupted XML file infinite recursion protection counter was not always incremented missing the exit condition. USB-audio driver's descriptor code parsing allows unlimited recursion leading to stack exhaustion.

References

cve@mitre.org

https://source.denx.de/u-boot/u-boot/-/commit/4f5cc096bfd0a591f8a11e86999e3d9...
https://www.openwall.com/lists/oss-security/2025/02/17/2

CPE

cpe	start	end

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
230	Serialized Data with Nested Payloads Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An adversary determines the input data stream that is being processed by a data parser that supports using substitution on the victim's side. An adversary crafts input data that may have an adverse effect on the operation of the parser when the data is parsed on the victim's system.	High
231	Oversized Serialized Data Payloads An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution. An adversary determines the input data stream that is being processed by an serialized data parser on the victim's side. An adversary crafts input data that may have an adverse effect on the operation of the data parser when the data is parsed on the victim's system.	High

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer