From patchwork Wed Nov 7 19:51:46 2018
X-Patchwork-Submitter: Tom Rini
X-Patchwork-Id: 994471
X-Patchwork-Delegate: trini@ti.com
From: Tom Rini
To: u-boot@lists.denx.de
Date: Wed, 7 Nov 2018 14:51:46 -0500
Message-Id: <1541620306-14314-2-git-send-email-trini@konsulko.com>
In-Reply-To: <1541620306-14314-1-git-send-email-trini@konsulko.com>
References: <1541620306-14314-1-git-send-email-trini@konsulko.com>
Cc: Konrad Beckmann
Subject: [U-Boot] [PATCH 2/2] fdt_region: Ensure that depth never goes below -1
List-Id: U-Boot discussion
From: Konrad Beckmann

A specially crafted FIT image makes it possible to overflow the stack with controlled values when using the verified boot feature. Depending on the memory layout, this could be used to overwrite configuration variables on the heap and set them to 0, e.g. disable signature verification, thus bypassing it.

This change fixes a bug in fdt_find_regions where the fdt structure is parsed. A depth value lower than -1 can lead to a buffer underflow write on the stack.

Signed-off-by: Konrad Beckmann
Reviewed-by: Simon Glass
---
lib/libfdt/fdt_region.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/libfdt/fdt_region.c b/lib/libfdt/fdt_region.c index d3b9a60e994f..7e9fa9272e80 100644 --- a/lib/libfdt/fdt_region.c +++ b/lib/libfdt/fdt_region.c @@ -96,6 +96,9 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count, break; case FDT_END_NODE: + /* Depth must never go below -1 */ + if (depth < 0) + return -FDT_ERR_BADSTRUCTURE; include = want; want = stack[depth--]; while (end > path && *--end != '/')
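Review bot: The guard sits on the right side of the `want = stack[depth--];` read in the FDT_END_NODE case, so an FDT_END_NODE arriving at depth -1 now returns -FDT_ERR_BADSTRUCTURE instead of reading stack[-1] and leaving depth at -2, which the commit message identifies as the path to the underflow write; the comment `/* Depth must never go below -1 */` states the invariant rather than the condition being rejected, and `/* FDT_END_NODE with no open node */` would tell the next reader what the check actually catches. The hunk bounds depth only from below: the matching FDT_BEGIN_NODE push is not visible here and should be confirmed to refuse nesting past the end of stack[] in the same way, since the same crafted-image class can also nest deeper than the parser expects. A regression test that feeds fdt_find_regions a minimal blob with one more FDT_END_NODE than FDT_BEGIN_NODE and asserts on -FDT_ERR_BADSTRUCTURE would pin this fix.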