diff options
Diffstat (limited to 'poky/meta/recipes-bsp/u-boot/files/CVE-2021-27097-3.patch')
-rw-r--r-- | poky/meta/recipes-bsp/u-boot/files/CVE-2021-27097-3.patch | 105 |
1 files changed, 105 insertions, 0 deletions
diff --git a/poky/meta/recipes-bsp/u-boot/files/CVE-2021-27097-3.patch b/poky/meta/recipes-bsp/u-boot/files/CVE-2021-27097-3.patch new file mode 100644 index 0000000000..86f7e8ce55 --- /dev/null +++ b/poky/meta/recipes-bsp/u-boot/files/CVE-2021-27097-3.patch @@ -0,0 +1,105 @@ +From 6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01 Mon Sep 17 00:00:00 2001 +From: Simon Glass <sjg@chromium.org> +Date: Mon, 15 Feb 2021 17:08:10 -0700 +Subject: [PATCH] image: Add an option to do a full check of the FIT + +Some strange modifications of the FIT can introduce security risks. Add an +option to check it thoroughly, using libfdt's fdt_check_full() function. + +Enable this by default if signature verification is enabled. + +CVE-2021-27097 + +Signed-off-by: Simon Glass <sjg@chromium.org> +Reported-by: Bruce Monroe <bruce.monroe@intel.com> +Reported-by: Arie Haenel <arie.haenel@intel.com> +Reported-by: Julien Lenoir <julien.lenoir@intel.com> + +CVE: CVE-2021-27097 +Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01] +Signed-off-by: Scott Murray <scott.murray@konsulko.com> + +--- + common/Kconfig.boot | 20 ++++++++++++++++++++ + common/image-fit.c | 16 ++++++++++++++++ + 2 files changed, 36 insertions(+) + +diff --git a/common/Kconfig.boot b/common/Kconfig.boot +index 5eaabdfc27..7532e55edb 100644 +--- a/common/Kconfig.boot ++++ b/common/Kconfig.boot +@@ -63,6 +63,15 @@ config FIT_ENABLE_SHA512_SUPPORT + SHA512 checksum is a 512-bit (64-byte) hash value used to check that + the image contents have not been corrupted. + ++config FIT_FULL_CHECK ++ bool "Do a full check of the FIT before using it" ++ default y ++ help ++ Enable this do a full check of the FIT to make sure it is valid. This ++ helps to protect against carefully crafted FITs which take advantage ++ of bugs or omissions in the code. This includes a bad structure, ++ multiple root nodes and the like. ++ + config FIT_SIGNATURE + bool "Enable signature verification of FIT uImages" + depends on DM +@@ -70,6 +79,7 @@ config FIT_SIGNATURE + select RSA + select RSA_VERIFY + select IMAGE_SIGN_INFO ++ select FIT_FULL_CHECK + help + This option enables signature verification of FIT uImages, + using a hash signed and verified using RSA. If +@@ -159,6 +169,15 @@ config SPL_FIT_PRINT + help + Support printing the content of the fitImage in a verbose manner in SPL. + ++config SPL_FIT_FULL_CHECK ++ bool "Do a full check of the FIT before using it" ++ help ++ Enable this do a full check of the FIT to make sure it is valid. This ++ helps to protect against carefully crafted FITs which take advantage ++ of bugs or omissions in the code. This includes a bad structure, ++ multiple root nodes and the like. ++ ++ + config SPL_FIT_SIGNATURE + bool "Enable signature verification of FIT firmware within SPL" + depends on SPL_DM +@@ -168,6 +187,7 @@ config SPL_FIT_SIGNATURE + select SPL_RSA + select SPL_RSA_VERIFY + select SPL_IMAGE_SIGN_INFO ++ select SPL_FIT_FULL_CHECK + + config SPL_LOAD_FIT + bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)" +diff --git a/common/image-fit.c b/common/image-fit.c +index f6c0428a96..bcf395f6a1 100644 +--- a/common/image-fit.c ++++ b/common/image-fit.c +@@ -1580,6 +1580,22 @@ int fit_check_format(const void *fit, ulong size) + return -ENOEXEC; + } + ++ if (CONFIG_IS_ENABLED(FIT_FULL_CHECK)) { ++ /* ++ * If we are not given the size, make do wtih calculating it. ++ * This is not as secure, so we should consider a flag to ++ * control this. ++ */ ++ if (size == IMAGE_SIZE_INVAL) ++ size = fdt_totalsize(fit); ++ ret = fdt_check_full(fit, size); ++ ++ if (ret) { ++ log_debug("FIT check error %d\n", ret); ++ return -EINVAL; ++ } ++ } ++ + /* mandatory / node 'description' property */ + if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) { + log_debug("Wrong FIT format: no description\n"); |