From patchwork Wed Nov 7 19:51:45 2018
X-Patchwork-Submitter: Tom Rini
X-Patchwork-Id: 994470
X-Patchwork-Delegate: trini@ti.com
From: Tom Rini
To: u-boot@lists.denx.de
Cc: Konrad Beckmann
Date: Wed, 7 Nov 2018 14:51:45 -0500
Message-Id: <1541620306-14314-1-git-send-email-trini@konsulko.com>
Subject: [U-Boot] [PATCH 1/2] image-sig: Ensure that hashed-nodes is null-terminated

From: Konrad Beckmann

A specially crafted FIT image leads to memory corruption in the stack when using the verified boot feature. The function fit_config_check_sig has a logic error that makes it possible to write past the end of the stack allocated array node_inc. This could potentially be used to bypass the signature check when using verified boot.

This change ensures that the number of strings is correct when counted.

Signed-off-by: Konrad Beckmann
Reviewed-by: Simon Glass
---
 common/image-sig.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/common/image-sig.c b/common/image-sig.c index 5a269d3289bf..5d860e126637 100644
--- a/common/image-sig.c +++ b/common/image-sig.c @@ -334,6 +334,11 @@ int fit_config_check_sig(const void *fit, int noffset, int required_keynode, return -1; } + if (prop && prop_len > 0 && prop[prop_len - 1] != '\0') { + *err_msgp = "hashed-nodes property must be null-terminated"; + return -1; + } + /* Add a sanity check here since we are using the stack */ if (count > IMAGE_MAX_HASHED_NODES) { *err_msgp = "Number of hashed nodes exceeds maximum";
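
Review bot: the "prop && prop_len > 0" guard on the new test in fit_config_check_sig means a missing or zero-length hashed-nodes property skips the termination check entirely, so rejecting those cases depends on the preceding test, of which only the "return -1;" is visible in this context. Please confirm that earlier test covers both a NULL prop and prop_len == 0, or reject them explicitly here so the function fails closed before anything is written to the stack array. The new block also has no comment, unlike the "Add a sanity check here since we are using the stack" check that follows it; a one-line comment saying that an unterminated final string makes the string count disagree with what is later copied would keep the check from being removed as redundant with the IMAGE_MAX_HASHED_NODES test.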