uboot-tools/backport-0003-CVE-2021-27097.patch


2021-03-16 20:44:51 +08:00
From 6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01 Mon Sep 17 00:00:00 2001
From: Simon Glass <sjg@chromium.org>
Date: Mon, 15 Feb 2021 17:08:10 -0700
Subject: [PATCH] image: Add an option to do a full check of the FIT
Some strange modifications of the FIT can introduce security risks. Add an
option to check it thoroughly, using libfdt's fdt_check_full() function.
Enable this by default if signature verification is enabled.
CVE-2021-27097
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
---
Kconfig | 19 +++++++++++++++++++
common/image-fit.c | 18 +++++++++++++++++-
2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/Kconfig b/Kconfig
index 8f3fba08..11b480f6 100644
--- a/Kconfig
+++ b/Kconfig
@@ -365,6 +365,15 @@ config FIT_ENABLE_SHA256_SUPPORT
SHA256 variant is supported: SHA512 and others are not currently
supported in U-Boot.
+config FIT_FULL_CHECK
+ bool "Do a full check of the FIT before using it"
+ default y
+ help
+ Enable this do a full check of the FIT to make sure it is valid. This
+ helps to protect against carefully crafted FITs which take advantage
+ of bugs or omissions in the code. This includes a bad structure,
+ multiple root nodes and the like.
+
config FIT_SIGNATURE
bool "Enable signature verification of FIT uImages"
depends on DM
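Review bot: The help text added for FIT_FULL_CHECK is missing a word: `Enable this do a full check of the FIT` should read `Enable this to do a full check of the FIT`. The same sentence is repeated under SPL_FIT_FULL_CHECK in the later Kconfig hunk. The help should also state that FIT_SIGNATURE forces this option on through the `select` added in the next hunk. It should further say that disabling the option drops the fdt_check_full() step from fit_check_format(), so anyone turning it off knows which check they lose.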
@@ -372,6 +381,7 @@ config FIT_SIGNATURE
select RSA
select RSA_VERIFY
select IMAGE_SIGN_INFO
+ select FIT_FULL_CHECK
help
This option enables signature verification of FIT uImages,
using a hash signed and verified using RSA. If
@@ -455,6 +465,14 @@ config SPL_FIT_PRINT
help
Support printing the content of the fitImage in a verbose manner in SPL.
+config SPL_FIT_FULL_CHECK
+ bool "Do a full check of the FIT before using it"
+ help
+ Enable this do a full check of the FIT to make sure it is valid. This
+ helps to protect against carefully crafted FITs which take advantage
+ of bugs or omissions in the code. This includes a bad structure,
+ multiple root nodes and the like.
+
config SPL_FIT_SIGNATURE
bool "Enable signature verification of FIT firmware within SPL"
depends on SPL_DM
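Review bot: SPL_FIT_FULL_CHECK is added without a `default y`, unlike FIT_FULL_CHECK earlier in this file. An SPL that loads a FIT without SPL_FIT_SIGNATURE therefore skips the full structural check unless the board config opts in. If this is deliberate, presumably to save SPL size, the help text should say so explicitly. Otherwise consider `default y if SPL_LOAD_FIT`, so that the unsigned SPL path gets the same hardening as U-Boot proper.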
@@ -462,6 +480,7 @@ config SPL_FIT_SIGNATURE
select SPL_RSA
select SPL_RSA_VERIFY
select SPL_IMAGE_SIGN_INFO
+ select SPL_FIT_FULL_CHECK
config SPL_LOAD_FIT
bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)"
diff --git a/common/image-fit.c b/common/image-fit.c
index 470321c5..e49baea7 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -17,7 +17,6 @@
#include <u-boot/crc.h>
#else
#include <linux/compiler.h>
-#include <linux/kconfig.h>
#include <common.h>
#include <errno.h>
#include <log.h>
@@ -29,6 +28,7 @@ DECLARE_GLOBAL_DATA_PTR;
#include <bootm.h>
#include <image.h>
+#include <linux/kconfig.h>
#include <bootstage.h>
#include <u-boot/crc.h>
#include <u-boot/md5.h>
@@ -1547,6 +1547,22 @@ int fit_check_format(const void *fit, ulong size)
return -ENOEXEC;
}
+ if (CONFIG_IS_ENABLED(FIT_FULL_CHECK)) {
+ /*
+ * If we are not given the size, make do wtih calculating it.
+ * This is not as secure, so we should consider a flag to
+ * control this.
+ */
+ if (size == IMAGE_SIZE_INVAL)
+ size = fdt_totalsize(fit);
+ ret = fdt_check_full(fit, size);
+
+ if (ret) {
+ log_debug("FIT check error %d\n", ret);
+ return -EINVAL;
+ }
+ }
+
/* mandatory / node 'description' property */
if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) {
log_debug("Wrong FIT format: no description\n");
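Review bot: When `size == IMAGE_SIZE_INVAL`, the bound passed to fdt_check_full() comes from `fdt_totalsize(fit)`, a field of the header being validated. On that path the check can confirm internal consistency but cannot detect a blob whose header claims more data than the buffer holds. The in-code comment acknowledges this (and has a typo, `wtih`). It would help to make the fallback visible, for example `log_debug("FIT size unknown, trusting header totalsize\n");` before the assignment, and to track the callers that still pass IMAGE_SIZE_INVAL so they can supply a real length. A rejected FIT is reported only through `log_debug`, so non-debug builds give no trace of a failed check; a higher log level may be worth considering for this security-relevant rejection. The body of fit_check_format() starts and ends outside this hunk, including the declaration of `ret`.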
--
2.23.0