From patchwork Wed Nov 7 19:51:45 2018
X-Patchwork-Submitter: Tom Rini
X-Patchwork-Id: 994470
X-Patchwork-Delegate: trini@ti.com
From: Tom Rini
To: u-boot@lists.denx.de
Date: Wed, 7 Nov 2018 14:51:45 -0500
Message-Id: <1541620306-14314-1-git-send-email-trini@konsulko.com>
Cc: Konrad Beckmann
Subject: [U-Boot] [PATCH 1/2] image-sig: Ensure that hashed-nodes is null-terminated

From: Konrad Beckmann

A specially crafted FIT image leads to memory corruption in the stack when
using the verified boot feature. The function fit_config_check_sig has a
logic error that makes it possible to write past the end of the
stack-allocated array node_inc. This could potentially be used to bypass
the signature check when using verified boot.

This change ensures that the number of strings is correct when counted.

Signed-off-by: Konrad Beckmann
Reviewed-by: Simon Glass
---
 common/image-sig.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/common/image-sig.c b/common/image-sig.c
index 5a269d3289bf..5d860e126637 100644
--- a/common/image-sig.c
+++ b/common/image-sig.c
@@ -334,6 +334,11 @@ int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
 		return -1;
 	}
 
+	if (prop && prop_len > 0 && prop[prop_len - 1] != '\0') {
+		*err_msgp = "hashed-nodes property must be null-terminated";
+		return -1;
+	}
+
 	/* Add a sanity check here since we are using the stack */
 	if (count > IMAGE_MAX_HASHED_NODES) {
 		*err_msgp = "Number of hashed nodes exceeds maximum";
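Review bot: the new termination check is inserted after the block ending in `return -1; }` and just ahead of the IMAGE_MAX_HASHED_NODES sanity check, i.e. at a point where `count` has already been computed; the hunk does not show how `count` is derived from `prop`, so if the counting loop walks the property as a sequence of strings, this check belongs above that loop so an unterminated property is rejected before any string walk rather than after it. The `prop_len > 0` guard also lets a present-but-empty property through silently, which is fine only if an empty hashed-nodes list is meant to be valid; a one-line comment saying so would save the next reader the question. Minor: the diagnostic says "null-terminated"; the usual C wording for a trailing '\0' is "NUL-terminated".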
From patchwork Wed Nov 7 19:51:46 2018
X-Patchwork-Id: 994471
From: Tom Rini
To: u-boot@lists.denx.de
Date: Wed, 7 Nov 2018 14:51:46 -0500
Message-Id: <1541620306-14314-2-git-send-email-trini@konsulko.com>
In-Reply-To: <1541620306-14314-1-git-send-email-trini@konsulko.com>
References: <1541620306-14314-1-git-send-email-trini@konsulko.com>
Cc: Konrad Beckmann
Subject: [U-Boot] [PATCH 2/2] fdt_region: Ensure that depth never goes below -1
From: Konrad Beckmann

A specially crafted FIT image makes it possible to overflow the stack with
controlled values when using the verified boot feature. Depending on the
memory layout, this could be used to overwrite configuration variables on
the heap and set them to 0, e.g. disable signature verification, thus
bypassing it.

This change fixes a bug in fdt_find_regions where the fdt structure is
parsed. A depth value lower than -1 can lead to a buffer underflow write
on the stack.

Signed-off-by: Konrad Beckmann
Reviewed-by: Simon Glass
---
 lib/libfdt/fdt_region.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/libfdt/fdt_region.c b/lib/libfdt/fdt_region.c
index d3b9a60e994f..7e9fa9272e80 100644
--- a/lib/libfdt/fdt_region.c
+++ b/lib/libfdt/fdt_region.c
@@ -96,6 +96,9 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
 			break;
 		case FDT_END_NODE:
+			/* Depth must never go below -1 */
+			if (depth < 0)
+				return -FDT_ERR_BADSTRUCTURE;
 			include = want;
 			want = stack[depth--];
 			while (end > path && *--end != '/')
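Review bot: the comment "Depth must never go below -1" states the invariant, but the condition actually tested is `depth < 0`, i.e. an FDT_END_NODE arriving while no node is open; wording the comment that way (for example "FDT_END_NODE with no matching FDT_BEGIN_NODE: stack[depth--] below would read before the start of stack") ties it directly to the `want = stack[depth--]` line that follows and makes the off-by-one reasoning checkable at a glance. The matching FDT_BEGIN_NODE branch is outside this hunk; please confirm that depth is also bounded against the size of `stack` on the way up, since that is the symmetric overflow of the same array. Returning -FDT_ERR_BADSTRUCTURE is the appropriate libfdt-style error for a malformed tag sequence.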