u-boot: fix CVE-2020-8432 and CVE-2020-10648

Backport fixes for CVE-2020-8432 and CVE-2020-10648 from upstream. (From OE-Core rev: 9c6131bc46e233ea8e446c49bba4360ec06b7168) Signed-off-by: Scott Murray <scott.murray@konsulko.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Scott Murray <scott.murray@konsulko.com> 2021-02-21 21:15:43 -0500
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-03-04 17:39:08 +0000
commit: 514e6a9dad7b9c7ed88bc5c2443c8c8887606c18 (patch)
tree: 422ba6fd9b417173624f6e5e307fe076dfbbaf58 /meta
parent: a50fe284b982e2269d3b29236ba9796f216f7414 (diff)
download: poky-514e6a9dad7b9c7ed88bc5c2443c8c8887606c18.tar.gz
4 files changed, 267 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch
new file mode 100644
index 0000000000..d784452b44
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch
@@ -0,0 +1,98 @@
+From 67acad3db71bb372458fbb8a77749f5eb88aa324 Mon Sep 17 00:00:00 2001
+From: Simon Glass <sjg@chromium.org>
+Date: Wed, 18 Mar 2020 11:44:01 -0600
+Subject: [PATCH] image: Check hash-nodes when checking configurations
+It is currently possible to use a different configuration's signature and
+thus bypass the configuration check. Make sure that the configuration node
+that was hashed matches the one being checked, to catch this problem.
+Also add a proper function comment to fit_config_check_sig() and make it
+static.
+Signed-off-by: Simon Glass <sjg@chromium.org>
+CVE: CVE-2020-10648
+Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/67acad3db71bb372458fbb8a77749f5eb88aa324]
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ common/image-sig.c | 36 +++++++++++++++++++++++++++++++++---
+ 1 file changed, 33 insertions(+), 3 deletions(-)
+diff --git a/common/image-sig.c b/common/image-sig.c
+index 13ccd50bc5..03143a4040 100644
+--- a/common/image-sig.c
+++ b/common/image-sig.c
+@@ -359,20 +359,39 @@ int fit_image_verify_required_sigs(const void *fit, int image_noffset,
+        return 0;
+ }
+ 
+-int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
+-                        char **err_msgp)
+/**
+ * fit_config_check_sig() - Check the signature of a config
+ *
+ * @fit: FIT to check
+ * @noffset: Offset of configuration node (e.g. /configurations/conf-1)
+ * @required_keynode:  Offset in the control FDT of the required key node,
+ *                     if any. If this is given, then the configuration wil not
+ *                     pass verification unless that key is used. If this is
+ *                     -1 then any signature will do.
+ * @conf_noffset: Offset of the configuration subnode being checked (e.g.
+ *      /configurations/conf-1/kernel)
+ * @err_msgp:          In the event of an error, this will be pointed to a
+ *                     help error string to display to the user.
+ * @return 0 if all verified ok, <0 on error
+ */
+static int fit_config_check_sig(const void *fit, int noffset,
+                               int required_keynode, int conf_noffset,
+                               char **err_msgp)
+ {
+        char * const exc_prop[] = {"data"};
+        const char *prop, *end, *name;
+        struct image_sign_info info;
+        const uint32_t *strings;
+       const char *config_name;
+        uint8_t *fit_value;
+        int fit_value_len;
+       bool found_config;
+        int max_regions;
+        int i, prop_len;
+        char path[200];
+        int count;
+ 
+       config_name = fit_get_name(fit, conf_noffset, NULL);
+        debug("%s: fdt=%p, conf='%s', sig='%s'\n", __func__, gd_fdt_blob(),
+              fit_get_name(fit, noffset, NULL),
+              fit_get_name(gd_fdt_blob(), required_keynode, NULL));
+@@ -413,9 +432,20 @@ int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
+        char *node_inc[count];
+ 
+        debug("Hash nodes (%d):\n", count);
+       found_config = false;
+        for (name = prop, i = 0; name < end; name += strlen(name) + 1, i++) {
+                debug("   '%s'\n", name);
+                node_inc[i] = (char *)name;
+               if (!strncmp(FIT_CONFS_PATH, name, strlen(FIT_CONFS_PATH)) &&
+                   name[sizeof(FIT_CONFS_PATH) - 1] == '/' &&
+                   !strcmp(name + sizeof(FIT_CONFS_PATH), config_name)) {
+                       debug("      (found config node %s)", config_name);
+                       found_config = true;
+               }
+       }
+       if (!found_config) {
+               *err_msgp = "Selected config not in hashed nodes";
+               return -1;
+        }
+ 
+        /*
+@@ -483,7 +513,7 @@ static int fit_config_verify_sig(const void *fit, int conf_noffset,
+                if (!strncmp(name, FIT_SIG_NODENAME,
+                             strlen(FIT_SIG_NODENAME))) {
+                        ret = fit_config_check_sig(fit, noffset, sig_offset,
+-                                                  &err_msg);
+                                                  conf_noffset, &err_msg);
+                        if (ret) {
+                                puts("- ");
+                        } else {
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch
new file mode 100644
index 0000000000..023f7eac0a
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch
@@ -0,0 +1,52 @@
+From 8a9d03732e6d0f68107c80919096e7cf956dcb3d Mon Sep 17 00:00:00 2001
+From: Simon Glass <sjg@chromium.org>
+Date: Wed, 18 Mar 2020 11:44:02 -0600
+Subject: [PATCH] image: Load the correct configuration in fit_check_sign
+At present bootm_host_load_images() is passed the configuration that has
+been verified, but ignores it and just uses the default configuration.
+This may not be the same.
+Update this function to use the selected configuration.
+Signed-off-by: Simon Glass <sjg@chromium.org>
+CVE: CVE-2020-10648
+Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/8a9d03732e6d0f68107c80919096e7cf956dcb3d]
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ common/bootm.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/common/bootm.c b/common/bootm.c
+index 902c13880d..db4362a643 100644
+--- a/common/bootm.c
+++ b/common/bootm.c
+@@ -819,7 +819,8 @@ void __weak switch_to_non_secure_mode(void)
+ #else /* USE_HOSTCC */
+ 
+ #if defined(CONFIG_FIT_SIGNATURE)
+-static int bootm_host_load_image(const void *fit, int req_image_type)
+static int bootm_host_load_image(const void *fit, int req_image_type,
+                                int cfg_noffset)
+ {
+        const char *fit_uname_config = NULL;
+        ulong data, len;
+@@ -831,6 +832,7 @@ static int bootm_host_load_image(const void *fit, int req_image_type)
+        void *load_buf;
+        int ret;
+ 
+       fit_uname_config = fdt_get_name(fit, cfg_noffset, NULL);
+        memset(&images, '\0', sizeof(images));
+        images.verify = 1;
+        noffset = fit_image_load(&images, (ulong)fit,
+@@ -878,7 +880,7 @@ int bootm_host_load_images(const void *fit, int cfg_noffset)
+        for (i = 0; i < ARRAY_SIZE(image_types); i++) {
+                int ret;
+ 
+-               ret = bootm_host_load_image(fit, image_types[i]);
+               ret = bootm_host_load_image(fit, image_types[i], cfg_noffset);
+                if (!err && ret && ret != -ENOENT)
+                        err = ret;
+        }
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2020-8432.patch b/meta/recipes-bsp/u-boot/files/CVE-2020-8432.patch
new file mode 100644
index 0000000000..b0a16efeaa
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2020-8432.patch
@@ -0,0 +1,114 @@
+From 5749faa3d6837d6dbaf2119fc3ec49a326690c8f Mon Sep 17 00:00:00 2001
+From: Tom Rini <trini@konsulko.com>
+Date: Tue, 21 Jan 2020 11:53:38 -0500
+Subject: [PATCH] cmd/gpt: Address error cases during gpt rename more correctly
+New analysis by the tool has shown that we have some cases where we
+weren't handling the error exit condition correctly.  When we ran into
+the ENOMEM case we wouldn't exit the function and thus incorrect things
+could happen.  Rework the unwinding such that we don't need a helper
+function now and free what we may have allocated.
+Fixes: 18030d04d25d ("GPT: fix memory leaks identified by Coverity")
+Reported-by: Coverity (CID: 275475, 275476)
+Cc: Alison Chaiken <alison@she-devel.com>
+Cc: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
+Cc: Jordy <jordy@simplyhacker.com>
+Signed-off-by: Tom Rini <trini@konsulko.com>
+Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
+CVE: CVE-2020-8432
+Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/5749faa3d6837d6dbaf2119fc3ec49a326690c8f]
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ cmd/gpt.c | 47 ++++++++++++-----------------------------------
+ 1 file changed, 12 insertions(+), 35 deletions(-)
+diff --git a/cmd/gpt.c b/cmd/gpt.c
+index 0c4349f4b2..964702bad4 100644
+--- a/cmd/gpt.c
+++ b/cmd/gpt.c
+@@ -633,21 +633,6 @@ static int do_disk_guid(struct blk_desc *dev_desc, char * const namestr)
+ }
+ 
+ #ifdef CONFIG_CMD_GPT_RENAME
+-/*
+- * There are 3 malloc() calls in set_gpt_info() and there is no info about which
+- * failed.
+- */
+-static void set_gpt_cleanup(char **str_disk_guid,
+-                           disk_partition_t **partitions)
+-{
+-#ifdef CONFIG_RANDOM_UUID
+-       if (str_disk_guid)
+-               free(str_disk_guid);
+-#endif
+-       if (partitions)
+-               free(partitions);
+-}
+-
+ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
+                               char *name1, char *name2)
+ {
+@@ -655,7 +640,7 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
+        struct disk_part *curr;
+        disk_partition_t *new_partitions = NULL;
+        char disk_guid[UUID_STR_LEN + 1];
+-       char *partitions_list, *str_disk_guid;
+       char *partitions_list, *str_disk_guid = NULL;
+        u8 part_count = 0;
+        int partlistlen, ret, numparts = 0, partnum, i = 1, ctr1 = 0, ctr2 = 0;
+ 
+@@ -697,14 +682,8 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
+        /* set_gpt_info allocates new_partitions and str_disk_guid */
+        ret = set_gpt_info(dev_desc, partitions_list, &str_disk_guid,
+                           &new_partitions, &part_count);
+-       if (ret < 0) {
+-               del_gpt_info();
+-               free(partitions_list);
+-               if (ret == -ENOMEM)
+-                       set_gpt_cleanup(&str_disk_guid, &new_partitions);
+-               else
+-                       goto out;
+-       }
+       if (ret < 0)
+               goto out;
+ 
+        if (!strcmp(subcomm, "swap")) {
+                if ((strlen(name1) > PART_NAME_LEN) || (strlen(name2) > PART_NAME_LEN)) {
+@@ -766,14 +745,8 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
+         * Even though valid pointers are here passed into set_gpt_info(),
+         * it mallocs again, and there's no way to tell which failed.
+         */
+-       if (ret < 0) {
+-               del_gpt_info();
+-               free(partitions_list);
+-               if (ret == -ENOMEM)
+-                       set_gpt_cleanup(&str_disk_guid, &new_partitions);
+-               else
+-                       goto out;
+-       }
+       if (ret < 0)
+               goto out;
+ 
+        debug("Writing new partition table\n");
+        ret = gpt_restore(dev_desc, disk_guid, new_partitions, numparts);
+@@ -795,10 +768,14 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
+        }
+        printf("new partition table with %d partitions is:\n", numparts);
+        print_gpt_info();
+-       del_gpt_info();
+  out:
+-       free(new_partitions);
+-       free(str_disk_guid);
+       del_gpt_info();
+#ifdef CONFIG_RANDOM_UUID
+       if (str_disk_guid)
+               free(str_disk_guid);
+#endif
+       if (new_partitions)
+               free(new_partitions);
+        free(partitions_list);
+        return ret;
+ }
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index 4a17894c49..198ed52c7c 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -16,6 +16,9 @@ SRCREV = "303f8fed261020c1cb7da32dad63b610bf6873dd"
 SRC_URI = "git://git.denx.de/u-boot.git \
           file://remove-redundant-yyloc-global.patch \
+           file://CVE-2020-8432.patch \
+           file://CVE-2020-10648-1.patch \
+           file://CVE-2020-10648-2.patch \
          "
 S = "${WORKDIR}/git"
author	Scott Murray <scott.murray@konsulko.com>	2021-02-21 21:15:43 -0500
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-03-04 17:39:08 +0000
commit	514e6a9dad7b9c7ed88bc5c2443c8c8887606c18 (patch)
tree	422ba6fd9b417173624f6e5e307fe076dfbbaf58 /meta
parent	a50fe284b982e2269d3b29236ba9796f216f7414 (diff)
download	poky-514e6a9dad7b9c7ed88bc5c2443c8c8887606c18.tar.gz

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch new file mode 100644 index 0000000000..d784452b44 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch
@@ -0,0 +1,98 @@
		1	From 67acad3db71bb372458fbb8a77749f5eb88aa324 Mon Sep 17 00:00:00 2001
		2	From: Simon Glass <sjg@chromium.org>
		3	Date: Wed, 18 Mar 2020 11:44:01 -0600
		4	Subject: [PATCH] image: Check hash-nodes when checking configurations
		5
		6	It is currently possible to use a different configuration's signature and
		7	thus bypass the configuration check. Make sure that the configuration node
		8	that was hashed matches the one being checked, to catch this problem.
		9
		10	Also add a proper function comment to fit_config_check_sig() and make it
		11	static.
		12
		13	Signed-off-by: Simon Glass <sjg@chromium.org>
		14
		15	CVE: CVE-2020-10648
		16	Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/67acad3db71bb372458fbb8a77749f5eb88aa324]
		17	Signed-off-by: Scott Murray <scott.murray@konsulko.com>
		18
		19	---
		20	common/image-sig.c \| 36 +++++++++++++++++++++++++++++++++---
		21	1 file changed, 33 insertions(+), 3 deletions(-)
		22
		23	diff --git a/common/image-sig.c b/common/image-sig.c
		24	index 13ccd50bc5..03143a4040 100644
		25	--- a/common/image-sig.c
		26	+++ b/common/image-sig.c
		27	@@ -359,20 +359,39 @@ int fit_image_verify_required_sigs(const void *fit, int image_noffset,
		28	return 0;
		29	}
		30
		31	-int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
		32	- char **err_msgp)
		33	+/**
		34	+ * fit_config_check_sig() - Check the signature of a config
		35	+ *
		36	+ * @fit: FIT to check
		37	+ * @noffset: Offset of configuration node (e.g. /configurations/conf-1)
		38	+ * @required_keynode: Offset in the control FDT of the required key node,
		39	+ * if any. If this is given, then the configuration wil not
		40	+ * pass verification unless that key is used. If this is
		41	+ * -1 then any signature will do.
		42	+ * @conf_noffset: Offset of the configuration subnode being checked (e.g.
		43	+ * /configurations/conf-1/kernel)
		44	+ * @err_msgp: In the event of an error, this will be pointed to a
		45	+ * help error string to display to the user.
		46	+ * @return 0 if all verified ok, <0 on error
		47	+ */
		48	+static int fit_config_check_sig(const void *fit, int noffset,
		49	+ int required_keynode, int conf_noffset,
		50	+ char **err_msgp)
		51	{
		52	char * const exc_prop[] = {"data"};
		53	const char prop, end, *name;
		54	struct image_sign_info info;
		55	const uint32_t *strings;
		56	+ const char *config_name;
		57	uint8_t *fit_value;
		58	int fit_value_len;
		59	+ bool found_config;
		60	int max_regions;
		61	int i, prop_len;
		62	char path[200];
		63	int count;
		64
		65	+ config_name = fit_get_name(fit, conf_noffset, NULL);
		66	debug("%s: fdt=%p, conf='%s', sig='%s'\n", __func__, gd_fdt_blob(),
		67	fit_get_name(fit, noffset, NULL),
		68	fit_get_name(gd_fdt_blob(), required_keynode, NULL));
		69	@@ -413,9 +432,20 @@ int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
		70	char *node_inc[count];
		71
		72	debug("Hash nodes (%d):\n", count);
		73	+ found_config = false;
		74	for (name = prop, i = 0; name < end; name += strlen(name) + 1, i++) {
		75	debug(" '%s'\n", name);
		76	node_inc[i] = (char *)name;
		77	+ if (!strncmp(FIT_CONFS_PATH, name, strlen(FIT_CONFS_PATH)) &&
		78	+ name[sizeof(FIT_CONFS_PATH) - 1] == '/' &&
		79	+ !strcmp(name + sizeof(FIT_CONFS_PATH), config_name)) {
		80	+ debug(" (found config node %s)", config_name);
		81	+ found_config = true;
		82	+ }
		83	+ }
		84	+ if (!found_config) {
		85	+ *err_msgp = "Selected config not in hashed nodes";
		86	+ return -1;
		87	}
		88
		89	/*
		90	@@ -483,7 +513,7 @@ static int fit_config_verify_sig(const void *fit, int conf_noffset,
		91	if (!strncmp(name, FIT_SIG_NODENAME,
		92	strlen(FIT_SIG_NODENAME))) {
		93	ret = fit_config_check_sig(fit, noffset, sig_offset,
		94	- &err_msg);
		95	+ conf_noffset, &err_msg);
		96	if (ret) {
		97	puts("- ");
		98	} else {


diff --git a/meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch new file mode 100644 index 0000000000..023f7eac0a --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch
@@ -0,0 +1,52 @@
		1	From 8a9d03732e6d0f68107c80919096e7cf956dcb3d Mon Sep 17 00:00:00 2001
		2	From: Simon Glass <sjg@chromium.org>
		3	Date: Wed, 18 Mar 2020 11:44:02 -0600
		4	Subject: [PATCH] image: Load the correct configuration in fit_check_sign
		5
		6	At present bootm_host_load_images() is passed the configuration that has
		7	been verified, but ignores it and just uses the default configuration.
		8	This may not be the same.
		9
		10	Update this function to use the selected configuration.
		11
		12	Signed-off-by: Simon Glass <sjg@chromium.org>
		13
		14	CVE: CVE-2020-10648
		15	Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/8a9d03732e6d0f68107c80919096e7cf956dcb3d]
		16	Signed-off-by: Scott Murray <scott.murray@konsulko.com>
		17
		18	---
		19	common/bootm.c \| 6 ++++--
		20	1 file changed, 4 insertions(+), 2 deletions(-)
		21
		22	diff --git a/common/bootm.c b/common/bootm.c
		23	index 902c13880d..db4362a643 100644
		24	--- a/common/bootm.c
		25	+++ b/common/bootm.c
		26	@@ -819,7 +819,8 @@ void __weak switch_to_non_secure_mode(void)
		27	#else /* USE_HOSTCC */
		28
		29	#if defined(CONFIG_FIT_SIGNATURE)
		30	-static int bootm_host_load_image(const void *fit, int req_image_type)
		31	+static int bootm_host_load_image(const void *fit, int req_image_type,
		32	+ int cfg_noffset)
		33	{
		34	const char *fit_uname_config = NULL;
		35	ulong data, len;
		36	@@ -831,6 +832,7 @@ static int bootm_host_load_image(const void *fit, int req_image_type)
		37	void *load_buf;
		38	int ret;
		39
		40	+ fit_uname_config = fdt_get_name(fit, cfg_noffset, NULL);
		41	memset(&images, '\0', sizeof(images));
		42	images.verify = 1;
		43	noffset = fit_image_load(&images, (ulong)fit,
		44	@@ -878,7 +880,7 @@ int bootm_host_load_images(const void *fit, int cfg_noffset)
		45	for (i = 0; i < ARRAY_SIZE(image_types); i++) {
		46	int ret;
		47
		48	- ret = bootm_host_load_image(fit, image_types[i]);
		49	+ ret = bootm_host_load_image(fit, image_types[i], cfg_noffset);
		50	if (!err && ret && ret != -ENOENT)
		51	err = ret;
		52	}


diff --git a/meta/recipes-bsp/u-boot/files/CVE-2020-8432.patch b/meta/recipes-bsp/u-boot/files/CVE-2020-8432.patch new file mode 100644 index 0000000000..b0a16efeaa --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2020-8432.patch
@@ -0,0 +1,114 @@
		1	From 5749faa3d6837d6dbaf2119fc3ec49a326690c8f Mon Sep 17 00:00:00 2001
		2	From: Tom Rini <trini@konsulko.com>
		3	Date: Tue, 21 Jan 2020 11:53:38 -0500
		4	Subject: [PATCH] cmd/gpt: Address error cases during gpt rename more correctly
		5
		6	New analysis by the tool has shown that we have some cases where we
		7	weren't handling the error exit condition correctly. When we ran into
		8	the ENOMEM case we wouldn't exit the function and thus incorrect things
		9	could happen. Rework the unwinding such that we don't need a helper
		10	function now and free what we may have allocated.
		11
		12	Fixes: 18030d04d25d ("GPT: fix memory leaks identified by Coverity")
		13	Reported-by: Coverity (CID: 275475, 275476)
		14	Cc: Alison Chaiken <alison@she-devel.com>
		15	Cc: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
		16	Cc: Jordy <jordy@simplyhacker.com>
		17	Signed-off-by: Tom Rini <trini@konsulko.com>
		18	Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
		19
		20	CVE: CVE-2020-8432
		21	Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/5749faa3d6837d6dbaf2119fc3ec49a326690c8f]
		22	Signed-off-by: Scott Murray <scott.murray@konsulko.com>
		23
		24	---
		25	cmd/gpt.c \| 47 ++++++++++++-----------------------------------
		26	1 file changed, 12 insertions(+), 35 deletions(-)
		27
		28	diff --git a/cmd/gpt.c b/cmd/gpt.c
		29	index 0c4349f4b2..964702bad4 100644
		30	--- a/cmd/gpt.c
		31	+++ b/cmd/gpt.c
		32	@@ -633,21 +633,6 @@ static int do_disk_guid(struct blk_desc dev_desc, char const namestr)
		33	}
		34
		35	#ifdef CONFIG_CMD_GPT_RENAME
		36	-/*
		37	- * There are 3 malloc() calls in set_gpt_info() and there is no info about which
		38	- * failed.
		39	- */
		40	-static void set_gpt_cleanup(char **str_disk_guid,
		41	- disk_partition_t **partitions)
		42	-{
		43	-#ifdef CONFIG_RANDOM_UUID
		44	- if (str_disk_guid)
		45	- free(str_disk_guid);
		46	-#endif
		47	- if (partitions)
		48	- free(partitions);
		49	-}
		50	-
		51	static int do_rename_gpt_parts(struct blk_desc dev_desc, char subcomm,
		52	char name1, char name2)
		53	{
		54	@@ -655,7 +640,7 @@ static int do_rename_gpt_parts(struct blk_desc dev_desc, char subcomm,
		55	struct disk_part *curr;
		56	disk_partition_t *new_partitions = NULL;
		57	char disk_guid[UUID_STR_LEN + 1];
		58	- char partitions_list, str_disk_guid;
		59	+ char partitions_list, str_disk_guid = NULL;
		60	u8 part_count = 0;
		61	int partlistlen, ret, numparts = 0, partnum, i = 1, ctr1 = 0, ctr2 = 0;
		62
		63	@@ -697,14 +682,8 @@ static int do_rename_gpt_parts(struct blk_desc dev_desc, char subcomm,
		64	/* set_gpt_info allocates new_partitions and str_disk_guid */
		65	ret = set_gpt_info(dev_desc, partitions_list, &str_disk_guid,
		66	&new_partitions, &part_count);
		67	- if (ret < 0) {
		68	- del_gpt_info();
		69	- free(partitions_list);
		70	- if (ret == -ENOMEM)
		71	- set_gpt_cleanup(&str_disk_guid, &new_partitions);
		72	- else
		73	- goto out;
		74	- }
		75	+ if (ret < 0)
		76	+ goto out;
		77
		78	if (!strcmp(subcomm, "swap")) {
		79	if ((strlen(name1) > PART_NAME_LEN) \|\| (strlen(name2) > PART_NAME_LEN)) {
		80	@@ -766,14 +745,8 @@ static int do_rename_gpt_parts(struct blk_desc dev_desc, char subcomm,
		81	* Even though valid pointers are here passed into set_gpt_info(),
		82	* it mallocs again, and there's no way to tell which failed.
		83	*/
		84	- if (ret < 0) {
		85	- del_gpt_info();
		86	- free(partitions_list);
		87	- if (ret == -ENOMEM)
		88	- set_gpt_cleanup(&str_disk_guid, &new_partitions);
		89	- else
		90	- goto out;
		91	- }
		92	+ if (ret < 0)
		93	+ goto out;
		94
		95	debug("Writing new partition table\n");
		96	ret = gpt_restore(dev_desc, disk_guid, new_partitions, numparts);
		97	@@ -795,10 +768,14 @@ static int do_rename_gpt_parts(struct blk_desc dev_desc, char subcomm,
		98	}
		99	printf("new partition table with %d partitions is:\n", numparts);
		100	print_gpt_info();
		101	- del_gpt_info();
		102	out:
		103	- free(new_partitions);
		104	- free(str_disk_guid);
		105	+ del_gpt_info();
		106	+#ifdef CONFIG_RANDOM_UUID
		107	+ if (str_disk_guid)
		108	+ free(str_disk_guid);
		109	+#endif
		110	+ if (new_partitions)
		111	+ free(new_partitions);
		112	free(partitions_list);
		113	return ret;
		114	}


diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc index 4a17894c49..198ed52c7c 100644 --- a/meta/recipes-bsp/u-boot/u-boot-common.inc +++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -16,6 +16,9 @@ SRCREV = "303f8fed261020c1cb7da32dad63b610bf6873dd"
16		16
17	SRC_URI = "git://git.denx.de/u-boot.git \	17	SRC_URI = "git://git.denx.de/u-boot.git \
18	file://remove-redundant-yyloc-global.patch \	18	file://remove-redundant-yyloc-global.patch \
		19	file://CVE-2020-8432.patch \
		20	file://CVE-2020-10648-1.patch \
		21	file://CVE-2020-10648-2.patch \
19	"	22	"
20		23
21	S = "${WORKDIR}/git"	24	S = "${WORKDIR}/git"