Diffstat (limited to 'meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch')
-rw-r--r-- | meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch | 98 |
1 files changed, 98 insertions, 0 deletions
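--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch
@@ -0,0 +1,98 @@
+From 67acad3db71bb372458fbb8a77749f5eb88aa324 Mon Sep 17 00:00:00 2001
+From: Simon Glass <sjg@chromium.org>
+Date: Wed, 18 Mar 2020 11:44:01 -0600
+Subject: [PATCH] image: Check hash-nodes when checking configurations
+
+It is currently possible to use a different configuration's signature and
+thus bypass the configuration check. Make sure that the configuration node
+that was hashed matches the one being checked, to catch this problem.
+
+Also add a proper function comment to fit_config_check_sig() and make it
+static.
+
+Signed-off-by: Simon Glass <sjg@chromium.org>
+
+CVE: CVE-2020-10648
+Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/67acad3db71bb372458fbb8a77749f5eb88aa324]
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+
+---
+common/image-sig.c | 36 +++++++++++++++++++++++++++++++++---
+1 file changed, 33 insertions(+), 3 deletions(-)
+
+diff --git a/common/image-sig.c b/common/image-sig.c
+index 13ccd50bc5..03143a4040 100644
+--- a/common/image-sig.c
++++ b/common/image-sig.c
+@@ -359,20 +359,39 @@ int fit_image_verify_required_sigs(const void *fit, int image_noffset,
+return 0;
+}
+
+-int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
+- char **err_msgp)
++/**
++ * fit_config_check_sig() - Check the signature of a config
++ *
++ * @fit: FIT to check
++ * @noffset: Offset of configuration node (e.g. /configurations/conf-1)
++ * @required_keynode: Offset in the control FDT of the required key node,
++ * if any. If this is given, then the configuration wil not
++ * pass verification unless that key is used. If this is
++ * -1 then any signature will do.
++ * @conf_noffset: Offset of the configuration subnode being checked (e.g.
++ * /configurations/conf-1/kernel)
++ * @err_msgp: In the event of an error, this will be pointed to a
++ * help error string to display to the user.
++ * @return 0 if all verified ok, <0 on error
++ */
++static int fit_config_check_sig(const void *fit, int noffset,
++ int required_keynode, int conf_noffset,
++ char **err_msgp)
+{
+char * const exc_prop[] = {"data"};
+const char *prop, *end, *name;
+struct image_sign_info info;
+const uint32_t *strings;
++ const char *config_name;
+uint8_t *fit_value;
+int fit_value_len;
++ bool found_config;
+int max_regions;
+int i, prop_len;
+char path[200];
+int count;
+
++ config_name = fit_get_name(fit, conf_noffset, NULL);
+debug("%s: fdt=%p, conf='%s', sig='%s'\n", __func__, gd_fdt_blob(),
+fit_get_name(fit, noffset, NULL),
+fit_get_name(gd_fdt_blob(), required_keynode, NULL));
+@@ -413,9 +432,20 @@ int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
+char *node_inc[count];
+
+debug("Hash nodes (%d):\n", count);
++ found_config = false;
+for (name = prop, i = 0; name < end; name += strlen(name) + 1, i++) {
+debug(" '%s'\n", name);
+node_inc[i] = (char *)name;
++ if (!strncmp(FIT_CONFS_PATH, name, strlen(FIT_CONFS_PATH)) &&
++ name[sizeof(FIT_CONFS_PATH) - 1] == '/' &&
++ !strcmp(name + sizeof(FIT_CONFS_PATH), config_name)) {
++ debug(" (found config node %s)", config_name);
++ found_config = true;
++ }
++ }
++ if (!found_config) {
++ *err_msgp = "Selected config not in hashed nodes";
++ return -1;
+}
+
+/*
+@@ -483,7 +513,7 @@ static int fit_config_verify_sig(const void *fit, int conf_noffset,
+if (!strncmp(name, FIT_SIG_NODENAME,
+strlen(FIT_SIG_NODENAME))) {
+ret = fit_config_check_sig(fit, noffset, sig_offset,
+- &err_msg);
++ conf_noffset, &err_msg);
+if (ret) {
+puts("- ");
+} else {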
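Review bot: The new kernel-doc on fit_config_check_sig() appears to describe the two offsets the wrong way round. The call site in fit_config_verify_sig() passes `noffset` for a subnode whose name starts with FIT_SIG_NODENAME, and the added loop compares the name at `conf_noffset` with the text after `/configurations/`, so `conf_noffset` is the configuration node itself rather than a `conf-1/kernel` subnode. I would reword the two entries to `@noffset: Offset of the signature node being checked` and `@conf_noffset: Offset of the configuration node (e.g. /configurations/conf-1)`, since anyone auditing this check needs to know which node the signature is being bound to. Separately, `config_name` is passed to `strcmp()` without a NULL check; if `fit_get_name()` can fail for a bad offset, a guard before the loop that sets `*err_msgp` and returns -1 would make the check fail closed. The function body continues outside both hunks, so the rest of the verification path is not visible here.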