Message ID | 1541620306-14314-1-git-send-email-trini@konsulko.com |
---|---|
State | Accepted |
Commit | f1c85688ab13f154ebe1b1480def233a22e7f66b |
Delegated to: | Tom Rini |
Series | [U-Boot,1/2] image-sig: Ensure that hashed-nodes is null-terminated |

On 7 November 2018 at 11:51, Tom Rini <trini@konsulko.com> wrote:
> From: Konrad Beckmann <konrad.beckmann@gmail.com>
>
> A specially crafted FIT image leads to memory corruption in the stack
> when using the verified boot feature. The function fit_config_check_sig
> has a logic error that makes it possible to write past the end of the
> stack allocated array node_inc. This could potentially be used to bypass
> the signature check when using verified boot.
>
> This change ensures that the number of strings is correct when counted.
>
> Signed-off-by: Konrad Beckmann <konrad.beckmann@gmail.com>
> ---
> common/image-sig.c | 5 +++++
> 1 file changed, 5 insertions(+)

Reviewed-by: Simon Glass <sjg@chromium.org>

On Wed, Nov 07, 2018 at 02:51:45PM -0500, Tom Rini wrote:
> From: Konrad Beckmann <konrad.beckmann@gmail.com>
>
> A specially crafted FIT image leads to memory corruption in the stack
> when using the verified boot feature. The function fit_config_check_sig
> has a logic error that makes it possible to write past the end of the
> stack allocated array node_inc. This could potentially be used to bypass
> the signature check when using verified boot.
>
> This change ensures that the number of strings is correct when counted.
>
> Signed-off-by: Konrad Beckmann <konrad.beckmann@gmail.com>
> Reviewed-by: Simon Glass <sjg@chromium.org>

Applied to u-boot/master, thanks!

diff --git a/common/image-sig.c b/common/image-sig.c index 5a269d3289bf..5d860e126637 100644 --- a/common/image-sig.c +++ b/common/image-sig.c @@ -334,6 +334,11 @@ int fit_config_check_sig(const void *fit, int noffset, int required_keynode, return -1; } + if (prop && prop_len > 0 && prop[prop_len - 1] != '\0') { + *err_msgp = "hashed-nodes property must be null-terminated"; + return -1; + } + /* Add a sanity check here since we are using the stack */ if (count > IMAGE_MAX_HASHED_NODES) { *err_msgp = "Number of hashed nodes exceeds maximum";
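
Review bot: The added null-termination check in fit_config_check_sig has no comment, while the check directly after it does ("Add a sanity check here since we are using the stack"). A one-line comment stating that the string count depends on every entry in hashed-nodes ending in '\0' would tell the next reader why an unterminated property is rejected instead of tolerated. Separately, the guard `prop && prop_len > 0` lets a NULL prop or a zero-length property fall through to the `count > IMAGE_MAX_HASHED_NODES` test; unless the earlier `return -1` path already rejects those, it is worth confirming that the code after this hunk handles a count of zero, since that code is not visible here.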