authorChangqing Li <changqing.li@windriver.com>2018-08-22 13:36:57 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-08-23 07:50:00 +0100
commitf99a77a2dbce3a1078e9ad8db060d8fbe344544c (patch)
tree646e174ec039e70c7997b65475d724f84781235f
parentfa3529e1170986e90caf7212f326436f8370acb7 (diff)
u-boot: patch for CVE-2018-1000205
(From OE-Core rev: a8db39548d9985962e4f8764b10856af5226d210) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-bsp/u-boot/files/CVE-2018-1000205-1.patch59
-rw-r--r--meta/recipes-bsp/u-boot/files/CVE-2018-1000205-2.patch143
-rw-r--r--meta/recipes-bsp/u-boot/u-boot-common_2018.07.inc5
3 files changed, 206 insertions, 1 deletions
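--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2018-1000205-1.patch
@@ -0,0 +1,59 @@
+From 7346c1e192d63cd35f99c7e845e53c5d4d0bdc24 Mon Sep 17 00:00:00 2001
+From: Teddy Reed <teddy.reed@gmail.com>
+Date: Sat, 9 Jun 2018 11:45:20 -0400
+Subject: [PATCH] vboot: Do not use hashed-strings offset
+
+The hashed-strings signature property includes two uint32_t values.
+The first is unneeded as there should never be a start offset into the
+strings region. The second, the size, is needed because the added
+signature node appends to this region.
+
+See tools/image-host.c, where a static 0 value is used for the offset.
+
+Signed-off-by: Teddy Reed <teddy.reed@gmail.com>
+Reviewed-by: Simon Glass <sjg@chromium.org>
+
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+ h=7346c1e192d63cd35f99c7e845e53c5d4d0bdc24]
+
+CVE: CVE-2018-1000205
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ common/image-sig.c | 7 +++++--
+ tools/image-host.c | 1 +
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/common/image-sig.c b/common/image-sig.c
+index 8d2fd10..5a269d3 100644
+--- a/common/image-sig.c
++++ b/common/image-sig.c
+@@ -377,8 +377,11 @@ int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
+ /* Add the strings */
+ strings = fdt_getprop(fit, noffset, "hashed-strings", NULL);
+ if (strings) {
+- fdt_regions[count].offset = fdt_off_dt_strings(fit) +
+- fdt32_to_cpu(strings[0]);
++ /*
++ * The strings region offset must be a static 0x0.
++ * This is set in tool/image-host.c
++ */
++ fdt_regions[count].offset = fdt_off_dt_strings(fit);
+ fdt_regions[count].size = fdt32_to_cpu(strings[1]);
+ count++;
+ }
+diff --git a/tools/image-host.c b/tools/image-host.c
+index 8e43671..be2d59b 100644
+--- a/tools/image-host.c
++++ b/tools/image-host.c
+@@ -135,6 +135,7 @@ static int fit_image_write_sig(void *fit, int noffset, uint8_t *value,
+
+ ret = fdt_setprop(fit, noffset, "hashed-nodes",
+ region_prop, region_proplen);
++ /* This is a legacy offset, it is unused, and must remain 0. */
+ strdata[0] = 0;
+ strdata[1] = cpu_to_fdt32(string_size);
+ if (!ret) {
+--
+2.7.4
+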
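Review bot: The hashed-strings property is still fetched with a NULL length, `strings = fdt_getprop(fit, noffset, "hashed-strings", NULL);`, and `strings[1]` is dereferenced two lines later, so a property shorter than two uint32_t values is read past its end before any signature is verified; the backport neutralises only the offset half of the property. Nothing in this hunk bounds the resulting `fdt_regions[count].size` against `fdt_totalsize(fit)` either, though that may be handled outside the visible lines. Since this is an upstream backport the right place to fix it is upstream, but the change is small: `int len; strings = fdt_getprop(fit, noffset, "hashed-strings", &len); if (strings && len >= (int)(2 * sizeof(uint32_t))) {`. fit_config_check_sig continues outside the hunk.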
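--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2018-1000205-2.patch
@@ -0,0 +1,143 @@
+From 72239fc85f3eda078547956608c063ab965e90e9 Mon Sep 17 00:00:00 2001
+From: Teddy Reed <teddy.reed@gmail.com>
+Date: Sat, 9 Jun 2018 11:38:05 -0400
+Subject: [PATCH] vboot: Add FIT_SIGNATURE_MAX_SIZE protection
+
+This adds a new config value FIT_SIGNATURE_MAX_SIZE, which controls the
+max size of a FIT header's totalsize field. The field is checked before
+signature checks are applied to protect from reading past the intended
+FIT regions.
+
+This field is not part of the vboot signature so it should be sanity
+checked. If the field is corrupted then the structure or string region
+reads may have unintended behavior, such as reading from device memory.
+A default value of 256MB is set and intended to support most max storage
+sizes.
+
+Suggested-by: Simon Glass <sjg@chromium.org>
+Signed-off-by: Teddy Reed <teddy.reed@gmail.com>
+Reviewed-by: Simon Glass <sjg@chromium.org>
+
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+ h=72239fc85f3eda078547956608c063ab965e90e9]
+
+CVE: CVE-2018-1000205
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ Kconfig | 10 ++++++++++
+ common/image-sig.c | 5 +++++
+ test/py/tests/test_vboot.py | 33 +++++++++++++++++++++++++++++++++
+ tools/Makefile | 1 +
+ 4 files changed, 49 insertions(+)
+
+diff --git a/Kconfig b/Kconfig
+index 5a82c95..c8b86cd 100644
+--- a/Kconfig
++++ b/Kconfig
+@@ -267,6 +267,16 @@ config FIT_SIGNATURE
+ format support in this case, enable it using
+ CONFIG_IMAGE_FORMAT_LEGACY.
+
++config FIT_SIGNATURE_MAX_SIZE
++ hex "Max size of signed FIT structures"
++ depends on FIT_SIGNATURE
++ default 0x10000000
++ help
++ This option sets a max size in bytes for verified FIT uImages.
++ A sane value of 256MB protects corrupted DTB structures from overlapping
++ device memory. Assure this size does not extend past expected storage
++ space.
++
+ config FIT_VERBOSE
+ bool "Show verbose messages when FIT images fail"
+ help
+diff --git a/common/image-sig.c b/common/image-sig.c
+index f65d883..8d2fd10 100644
+--- a/common/image-sig.c
++++ b/common/image-sig.c
+@@ -156,6 +156,11 @@ static int fit_image_setup_verify(struct image_sign_info *info,
+ {
+ char *algo_name;
+
++ if (fdt_totalsize(fit) > CONFIG_FIT_SIGNATURE_MAX_SIZE) {
++ *err_msgp = "Total size too large";
++ return 1;
++ }
++
+ if (fit_image_hash_get_algo(fit, noffset, &algo_name)) {
+ *err_msgp = "Can't get hash algo property";
+ return -1;
+diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
+index ee939f2..3d25ec3 100644
+--- a/test/py/tests/test_vboot.py
++++ b/test/py/tests/test_vboot.py
+@@ -26,6 +26,7 @@ Tests run with both SHA1 and SHA256 hashing.
+
+ import pytest
+ import sys
++import struct
+ import u_boot_utils as util
+
+ @pytest.mark.boardspec('sandbox')
+@@ -105,6 +106,26 @@ def test_vboot(u_boot_console):
+ util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb,
+ '-r', fit])
+
++ def replace_fit_totalsize(size):
++ """Replace FIT header's totalsize with something greater.
++
++ The totalsize must be less than or equal to FIT_SIGNATURE_MAX_SIZE.
++ If the size is greater, the signature verification should return false.
++
++ Args:
++ size: The new totalsize of the header
++
++ Returns:
++ prev_size: The previous totalsize read from the header
++ """
++ total_size = 0
++ with open(fit, 'r+b') as handle:
++ handle.seek(4)
++ total_size = handle.read(4)
++ handle.seek(4)
++ handle.write(struct.pack(">I", size))
++ return struct.unpack(">I", total_size)[0]
++
+ def test_with_algo(sha_algo):
+ """Test verified boot with the given hash algorithm.
+
+@@ -146,6 +167,18 @@ def test_vboot(u_boot_console):
+ util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', tmpdir,
+ '-k', dtb])
+
++ # Replace header bytes
++ bcfg = u_boot_console.config.buildconfig
++ max_size = int(bcfg.get('config_fit_signature_max_size', 0x10000000), 0)
++ existing_size = replace_fit_totalsize(max_size + 1)
++ run_bootm(sha_algo, 'Signed config with bad hash', 'Bad Data Hash', False)
++ cons.log.action('%s: Check overflowed FIT header totalsize' % sha_algo)
++
++ # Replace with existing header bytes
++ replace_fit_totalsize(existing_size)
++ run_bootm(sha_algo, 'signed config', 'dev+', True)
++ cons.log.action('%s: Check default FIT header totalsize' % sha_algo)
++
+ # Increment the first byte of the signature, which should cause failure
+ sig = util.run_and_log(cons, 'fdtget -t bx %s %s value' %
+ (fit, sig_node))
+diff --git a/tools/Makefile b/tools/Makefile
+index 5dd33ed..0c3341e 100644
+--- a/tools/Makefile
++++ b/tools/Makefile
+@@ -133,6 +133,7 @@ ifdef CONFIG_FIT_SIGNATURE
+ # This affects include/image.h, but including the board config file
+ # is tricky, so manually define this options here.
+ HOST_EXTRACFLAGS += -DCONFIG_FIT_SIGNATURE
++HOST_EXTRACFLAGS += -DCONFIG_FIT_SIGNATURE_MAX_SIZE=$(CONFIG_FIT_SIGNATURE_MAX_SIZE)
+ endif
+
+ ifdef CONFIG_SYS_U_BOOT_OFFS
+--
+2.7.4
+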
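Review bot: In the test_vboot.py hunk, `max_size = int(bcfg.get('config_fit_signature_max_size', 0x10000000), 0)` raises TypeError whenever the key is absent from buildconfig, because int() with an explicit base accepts only strings; the fallback should be the string `'0x10000000'` so the test degrades to the Kconfig default instead of erroring. The image-sig.c hunk returns `1` for the oversized-totalsize case while the neighbouring failure two lines below returns `-1`; if callers only test for non-zero that is harmless, but a one-line comment such as `/* positive: reject without treating as an internal error */` (or whatever the intent is) would save the next reader a lookup. Both fit_image_setup_verify and test_vboot continue outside their hunks.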
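--- a/meta/recipes-bsp/u-boot/u-boot-common_2018.07.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common_2018.07.inc
@@ -10,6 +10,9 @@ PE = "1"
 # repo during parse
 SRCREV = "8c5d4fd0ec222701598a27b26ab7265d4cee45a3"
 
-SRC_URI = "git://git.denx.de/u-boot.git"
+SRC_URI = "git://git.denx.de/u-boot.git \
+ file://CVE-2018-1000205-1.patch \
+ file://CVE-2018-1000205-2.patch \
+"
 
 S = "${WORKDIR}/git"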