authorSimon Glass <sjg@chromium.org>2021-02-16 03:08:09 +0300
committerTom Rini <trini@konsulko.com>2021-02-16 06:31:52 +0300
commitc5819701a3de61e2ba2ef7ad0b616565b32305e5 (patch)
tree2d78afc29b784d5477102dabfc94215781126ae0 /common
parentd5f3aadacbc63df3b690d6fd9f0aa3f575b43356 (diff)
downloadu-boot-c5819701a3de61e2ba2ef7ad0b616565b32305e5.tar.xz
image: Adjust the workings of fit_check_format()
At present this function does not accept a size for the FIT. This means that it must be read from the FIT itself, introducing a potential security risk. Update the function to include a size parameter, which can be invalid, in which case fit_check_format() calculates it. For now no callers pass the size, but this can be updated later. Also adjust the return value to an error code so that all the different types of problems can be distinguished by the user. Signed-off-by: Simon Glass <sjg@chromium.org> Reported-by: Bruce Monroe <bruce.monroe@intel.com> Reported-by: Arie Haenel <arie.haenel@intel.com> Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Diffstat (limited to 'common')
-rw-r--r--common/image-fdt.c2
-rw-r--r--common/image-fit.c46
-rw-r--r--common/splash_source.c6
-rw-r--r--common/update.c4
4 files changed, 26 insertions, 32 deletions
diff --git a/common/image-fdt.c b/common/image-fdt.c
index 0157cce32d..61ce6e5779 100644
--- a/common/image-fdt.c
+++ b/common/image-fdt.c
@@ -400,7 +400,7 @@ int boot_get_fdt(int flag, int argc, char *const argv[], uint8_t arch,
*/
#if CONFIG_IS_ENABLED(FIT)
/* check FDT blob vs FIT blob */
- if (fit_check_format(buf)) {
+ if (!fit_check_format(buf, IMAGE_SIZE_INVAL)) {
ulong load, len;
fdt_noffset = boot_get_fdt_fit(images,
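Review bot: The negated call now means "buf is a FIT", which reads as the opposite at a glance because `fit_check_format()` switched from 1-on-success to 0-on-success. The existing comment `/* check FDT blob vs FIT blob */` does not say which branch is which. A one-line comment above the condition would help, e.g. `/* fit_check_format() returns 0 when buf is a valid FIT */`. boot_get_fdt() continues outside the hunk.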
diff --git a/common/image-fit.c b/common/image-fit.c
index c3dc814115..f6c0428a96 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -8,6 +8,8 @@
* Wolfgang Denk, DENX Software Engineering, wd@denx.de.
*/
+#define LOG_CATEGORY LOGC_BOOT
+
#ifdef USE_HOSTCC
#include "mkimage.h"
#include <time.h>
@@ -1566,49 +1568,41 @@ int fit_image_check_comp(const void *fit, int noffset, uint8_t comp)
return (comp == image_comp);
}
-/**
- * fit_check_format - sanity check FIT image format
- * @fit: pointer to the FIT format image header
- *
- * fit_check_format() runs a basic sanity FIT image verification.
- * Routine checks for mandatory properties, nodes, etc.
- *
- * returns:
- * 1, on success
- * 0, on failure
- */
-int fit_check_format(const void *fit)
+int fit_check_format(const void *fit, ulong size)
{
+ int ret;
+
/* A FIT image must be a valid FDT */
- if (fdt_check_header(fit)) {
- debug("Wrong FIT format: not a flattened device tree\n");
- return 0;
+ ret = fdt_check_header(fit);
+ if (ret) {
+ log_debug("Wrong FIT format: not a flattened device tree (err=%d)\n",
+ ret);
+ return -ENOEXEC;
}
/* mandatory / node 'description' property */
- if (fdt_getprop(fit, 0, FIT_DESC_PROP, NULL) == NULL) {
- debug("Wrong FIT format: no description\n");
- return 0;
+ if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) {
+ log_debug("Wrong FIT format: no description\n");
+ return -ENOMSG;
}
if (IMAGE_ENABLE_TIMESTAMP) {
/* mandatory / node 'timestamp' property */
- if (fdt_getprop(fit, 0, FIT_TIMESTAMP_PROP, NULL) == NULL) {
- debug("Wrong FIT format: no timestamp\n");
- return 0;
+ if (!fdt_getprop(fit, 0, FIT_TIMESTAMP_PROP, NULL)) {
+ log_debug("Wrong FIT format: no timestamp\n");
+ return -ENODATA;
}
}
/* mandatory subimages parent '/images' node */
if (fdt_path_offset(fit, FIT_IMAGES_PATH) < 0) {
- debug("Wrong FIT format: no images parent node\n");
- return 0;
+ log_debug("Wrong FIT format: no images parent node\n");
+ return -ENOENT;
}
- return 1;
+ return 0;
}
-
/**
* fit_conf_find_compat
* @fit: pointer to the FIT format image header
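Review bot: The new `size` argument is never read in the body shown, so a caller that does pass a real length gets no bounds enforcement, and the only length available to the checks is still the one stored in the image itself. Until the size is enforced, either say so in a comment on the parameter or add a guard right after the `fdt_check_header()` test, for example `if (size != IMAGE_SIZE_INVAL && fdt_totalsize(fit) > size) return -EINVAL;`. The kernel-doc block is also deleted here, and this view is limited to common/, so it may have moved to the header. If it did not, the 0 / negative-errno contract and the meaning of each code (`-ENOEXEC`, `-ENOMSG`, `-ENODATA`, `-ENOENT`) need documenting, because every caller's polarity depends on it.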
@@ -1945,7 +1939,7 @@ int fit_image_load(bootm_headers_t *images, ulong addr,
printf("## Loading %s from FIT Image at %08lx ...\n", prop_name, addr);
bootstage_mark(bootstage_id + BOOTSTAGE_SUB_FORMAT);
- if (!fit_check_format(fit)) {
+ if (fit_check_format(fit, IMAGE_SIZE_INVAL)) {
printf("Bad FIT %s image format!\n", prop_name);
bootstage_error(bootstage_id + BOOTSTAGE_SUB_FORMAT);
return -ENOEXEC;
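Review bot: The specific error from `fit_check_format()` is dropped at this call: the condition tests it inline and the function returns a fixed `-ENOEXEC`, so the distinction this commit introduces never reaches the user. Capture the result, e.g. `ret = fit_check_format(fit, IMAGE_SIZE_INVAL);` followed by `if (ret) {`, and include it in the message, `printf("Bad FIT %s image format! (err=%d)\n", prop_name, ret);`. The same applies to both hunks in common/update.c, which print a generic message and return 1 or `-EINVAL`. fit_image_load() starts and ends outside the hunk, so confirm a suitable local is available.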
diff --git a/common/splash_source.c b/common/splash_source.c
index 2737fc6e7f..d7f179e3ea 100644
--- a/common/splash_source.c
+++ b/common/splash_source.c
@@ -337,10 +337,10 @@ static int splash_load_fit(struct splash_location *location, u32 bmp_load_addr)
if (res < 0)
return res;
- res = fit_check_format(fit_header);
- if (!res) {
+ res = fit_check_format(fit_header, IMAGE_SIZE_INVAL);
+ if (res) {
debug("Could not find valid FIT image\n");
- return -EINVAL;
+ return res;
}
/* Get the splash image node */
diff --git a/common/update.c b/common/update.c
index a5879cb52c..f0848954e5 100644
--- a/common/update.c
+++ b/common/update.c
@@ -286,7 +286,7 @@ int update_tftp(ulong addr, char *interface, char *devstring)
got_update_file:
fit = map_sysmem(addr, 0);
- if (!fit_check_format((void *)fit)) {
+ if (fit_check_format((void *)fit, IMAGE_SIZE_INVAL)) {
printf("Bad FIT format of the update file, aborting "
"auto-update\n");
return 1;
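Review bot: `update_tftp()` validates what is presumably a network-fetched update file with `IMAGE_SIZE_INVAL`, so the length is still taken from the downloaded data rather than from the transfer. This looks like the caller best placed to pass a real size, since the number of bytes received should be known by the time control reaches `got_update_file:`. The code before that label is outside the hunk, so confirm what is available there. If that is deferred, mark the call with a comment such as `/* TODO: pass the received length instead of IMAGE_SIZE_INVAL */` so the gap stays visible.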
@@ -363,7 +363,7 @@ int fit_update(const void *fit)
if (!fit)
return -EINVAL;
- if (!fit_check_format((void *)fit)) {
+ if (fit_check_format((void *)fit, IMAGE_SIZE_INVAL)) {
printf("Bad FIT format of the update file, aborting auto-update\n");
return -EINVAL;
}