u-boot: Fix CVE-2021-27097, CVE-2021-27138

Backport fixes for CVE-2021-27097 and CVE-2021-27138 as well as a precursor fdt validation fix that allows using the upstream patches for the CVEs without significant rebasing. Note that the additional upstream changes to add new U-Boot fit image tests have been left out to keep the patch count down. Those tests are currently not used for ptest or oe-selftest, so it is believed their absence should not be problematic. (From OE-Core rev: b6c2df341d7e6da5defca9a5567fdb7212489efa) Signed-off-by: Scott Murray <scott.murray@konsulko.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Scott Murray <scott.murray@konsulko.com> 2021-03-21 22:53:55 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-03-23 22:51:25 +0000
commit: 33132ec14676c62167d86cb1efff7c1f5ded107f (patch)
tree: 69cd029244b918f9195b804f7c5187ecc9461806 /meta/recipes-bsp/u-boot/files/CVE-2021-27138-2.patch
parent: f0d268181e2a67ad2c50b5e77f921b34c1f32ba4 (diff)
download: poky-33132ec14676c62167d86cb1efff7c1f5ded107f.tar.gz
1 files changed, 109 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2021-27138-2.patch b/meta/recipes-bsp/u-boot/files/CVE-2021-27138-2.patch
new file mode 100644
index 0000000000..946196c378
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2021-27138-2.patch
@@ -0,0 +1,109 @@
+From 3f04db891a353f4b127ed57279279f851c6b4917 Mon Sep 17 00:00:00 2001
+From: Simon Glass <sjg@chromium.org>
+Date: Mon, 15 Feb 2021 17:08:12 -0700
+Subject: [PATCH] image: Check for unit addresses in FITs
+Using unit addresses in a FIT is a security risk. Add a check for this
+and disallow it.
+CVE-2021-27138
+Signed-off-by: Simon Glass <sjg@chromium.org>
+Reported-by: Bruce Monroe <bruce.monroe@intel.com>
+Reported-by: Arie Haenel <arie.haenel@intel.com>
+Reported-by: Julien Lenoir <julien.lenoir@intel.com>
+CVE: CVE-2021-27138
+Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/3f04db891a353f4b127ed57279279f851c6b4917]
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ common/image-fit.c          | 56 +++++++++++++++++++++++++++++++++++++++++----
+ test/py/tests/test_vboot.py |  9 ++++----
+ 2 files changed, 57 insertions(+), 8 deletions(-)
+diff --git a/common/image-fit.c b/common/image-fit.c
+index bcf395f6a1..28b3d2b191 100644
+--- a/common/image-fit.c
+++ b/common/image-fit.c
+@@ -1568,6 +1568,34 @@ int fit_image_check_comp(const void *fit, int noffset, uint8_t comp)
+        return (comp == image_comp);
+ }
+ 
+/**
+ * fdt_check_no_at() - Check for nodes whose names contain '@'
+ *
+ * This checks the parent node and all subnodes recursively
+ *
+ * @fit: FIT to check
+ * @parent: Parent node to check
+ * @return 0 if OK, -EADDRNOTAVAIL is a node has a name containing '@'
+ */
+static int fdt_check_no_at(const void *fit, int parent)
+{
+       const char *name;
+       int node;
+       int ret;
+
+       name = fdt_get_name(fit, parent, NULL);
+       if (!name || strchr(name, '@'))
+               return -EADDRNOTAVAIL;
+
+       fdt_for_each_subnode(node, fit, parent) {
+               ret = fdt_check_no_at(fit, node);
+               if (ret)
+                       return ret;
+       }
+
+       return 0;
+}
+
+ int fit_check_format(const void *fit, ulong size)
+ {
+        int ret;
+@@ -1589,10 +1617,27 @@ int fit_check_format(const void *fit, ulong size)
+                if (size == IMAGE_SIZE_INVAL)
+                        size = fdt_totalsize(fit);
+                ret = fdt_check_full(fit, size);
+               if (ret)
+                       ret = -EINVAL;
+
+               /*
+                * U-Boot stopped using unit addressed in 2017. Since libfdt
+                * can match nodes ignoring any unit address, signature
+                * verification can see the wrong node if one is inserted with
+                * the same name as a valid node but with a unit address
+                * attached. Protect against this by disallowing unit addresses.
+                */
+               if (!ret && CONFIG_IS_ENABLED(FIT_SIGNATURE)) {
+                       ret = fdt_check_no_at(fit, 0);
+ 
+                       if (ret) {
+                               log_debug("FIT check error %d\n", ret);
+                               return ret;
+                       }
+               }
+                if (ret) {
+                        log_debug("FIT check error %d\n", ret);
+-                       return -EINVAL;
+                       return ret;
+                }
+        }
+ 
+@@ -1955,10 +2000,13 @@ int fit_image_load(bootm_headers_t *images, ulong addr,
+        printf("## Loading %s from FIT Image at %08lx ...\n", prop_name, addr);
+ 
+        bootstage_mark(bootstage_id + BOOTSTAGE_SUB_FORMAT);
+-       if (fit_check_format(fit, IMAGE_SIZE_INVAL)) {
+-               printf("Bad FIT %s image format!\n", prop_name);
+       ret = fit_check_format(fit, IMAGE_SIZE_INVAL);
+       if (ret) {
+               printf("Bad FIT %s image format! (err=%d)\n", prop_name, ret);
+               if (CONFIG_IS_ENABLED(FIT_SIGNATURE) && ret == -EADDRNOTAVAIL)
+                       printf("Signature checking prevents use of unit addresses (@) in nodes\n");
+                bootstage_error(bootstage_id + BOOTSTAGE_SUB_FORMAT);
+-               return -ENOEXEC;
+               return ret;
+        }
+        bootstage_mark(bootstage_id + BOOTSTAGE_SUB_FORMAT_OK);
+        if (fit_uname) {
author	Scott Murray <scott.murray@konsulko.com>	2021-03-21 22:53:55 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-03-23 22:51:25 +0000
commit	33132ec14676c62167d86cb1efff7c1f5ded107f (patch)
tree	69cd029244b918f9195b804f7c5187ecc9461806 /meta/recipes-bsp/u-boot/files/CVE-2021-27138-2.patch
parent	f0d268181e2a67ad2c50b5e77f921b34c1f32ba4 (diff)
download	poky-33132ec14676c62167d86cb1efff7c1f5ded107f.tar.gz

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2021-27138-2.patch b/meta/recipes-bsp/u-boot/files/CVE-2021-27138-2.patch new file mode 100644 index 0000000000..946196c378 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2021-27138-2.patch
@@ -0,0 +1,109 @@
	1	From 3f04db891a353f4b127ed57279279f851c6b4917 Mon Sep 17 00:00:00 2001
	2	From: Simon Glass <sjg@chromium.org>
	3	Date: Mon, 15 Feb 2021 17:08:12 -0700
	4	Subject: [PATCH] image: Check for unit addresses in FITs
	5
	6	Using unit addresses in a FIT is a security risk. Add a check for this
	7	and disallow it.
	8
	9	CVE-2021-27138
	10
	11	Signed-off-by: Simon Glass <sjg@chromium.org>
	12	Reported-by: Bruce Monroe <bruce.monroe@intel.com>
	13	Reported-by: Arie Haenel <arie.haenel@intel.com>
	14	Reported-by: Julien Lenoir <julien.lenoir@intel.com>
	15
	16	CVE: CVE-2021-27138
	17	Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/3f04db891a353f4b127ed57279279f851c6b4917]
	18	Signed-off-by: Scott Murray <scott.murray@konsulko.com>
	19
	20	---
	21	common/image-fit.c \| 56 +++++++++++++++++++++++++++++++++++++++++----
	22	test/py/tests/test_vboot.py \| 9 ++++----
	23	2 files changed, 57 insertions(+), 8 deletions(-)
	24
	25	diff --git a/common/image-fit.c b/common/image-fit.c
	26	index bcf395f6a1..28b3d2b191 100644
	27	--- a/common/image-fit.c
	28	+++ b/common/image-fit.c
	29	@@ -1568,6 +1568,34 @@ int fit_image_check_comp(const void *fit, int noffset, uint8_t comp)
	30	return (comp == image_comp);
	31	}
	32
	33	+/**
	34	+ * fdt_check_no_at() - Check for nodes whose names contain '@'
	35	+ *
	36	+ * This checks the parent node and all subnodes recursively
	37	+ *
	38	+ * @fit: FIT to check
	39	+ * @parent: Parent node to check
	40	+ * @return 0 if OK, -EADDRNOTAVAIL is a node has a name containing '@'
	41	+ */
	42	+static int fdt_check_no_at(const void *fit, int parent)
	43	+{
	44	+ const char *name;
	45	+ int node;
	46	+ int ret;
	47	+
	48	+ name = fdt_get_name(fit, parent, NULL);
	49	+ if (!name \|\| strchr(name, '@'))
	50	+ return -EADDRNOTAVAIL;
	51	+
	52	+ fdt_for_each_subnode(node, fit, parent) {
	53	+ ret = fdt_check_no_at(fit, node);
	54	+ if (ret)
	55	+ return ret;
	56	+ }
	57	+
	58	+ return 0;
	59	+}
	60	+
	61	int fit_check_format(const void *fit, ulong size)
	62	{
	63	int ret;
	64	@@ -1589,10 +1617,27 @@ int fit_check_format(const void *fit, ulong size)
	65	if (size == IMAGE_SIZE_INVAL)
	66	size = fdt_totalsize(fit);
	67	ret = fdt_check_full(fit, size);
	68	+ if (ret)
	69	+ ret = -EINVAL;
	70	+
	71	+ /*
	72	+ * U-Boot stopped using unit addressed in 2017. Since libfdt
	73	+ * can match nodes ignoring any unit address, signature
	74	+ * verification can see the wrong node if one is inserted with
	75	+ * the same name as a valid node but with a unit address
	76	+ * attached. Protect against this by disallowing unit addresses.
	77	+ */
	78	+ if (!ret && CONFIG_IS_ENABLED(FIT_SIGNATURE)) {
	79	+ ret = fdt_check_no_at(fit, 0);
	80
	81	+ if (ret) {
	82	+ log_debug("FIT check error %d\n", ret);
	83	+ return ret;
	84	+ }
	85	+ }
	86	if (ret) {
	87	log_debug("FIT check error %d\n", ret);
	88	- return -EINVAL;
	89	+ return ret;
	90	}
	91	}
	92
	93	@@ -1955,10 +2000,13 @@ int fit_image_load(bootm_headers_t *images, ulong addr,
	94	printf("## Loading %s from FIT Image at %08lx ...\n", prop_name, addr);
	95
	96	bootstage_mark(bootstage_id + BOOTSTAGE_SUB_FORMAT);
	97	- if (fit_check_format(fit, IMAGE_SIZE_INVAL)) {
	98	- printf("Bad FIT %s image format!\n", prop_name);
	99	+ ret = fit_check_format(fit, IMAGE_SIZE_INVAL);
	100	+ if (ret) {
	101	+ printf("Bad FIT %s image format! (err=%d)\n", prop_name, ret);
	102	+ if (CONFIG_IS_ENABLED(FIT_SIGNATURE) && ret == -EADDRNOTAVAIL)
	103	+ printf("Signature checking prevents use of unit addresses (@) in nodes\n");
	104	bootstage_error(bootstage_id + BOOTSTAGE_SUB_FORMAT);
	105	- return -ENOEXEC;
	106	+ return ret;
	107	}
	108	bootstage_mark(bootstage_id + BOOTSTAGE_SUB_FORMAT_OK);
	109	if (fit_uname) {