1 files changed, 71 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2021-27097-1.patch b/meta/recipes-bsp/u-boot/files/CVE-2021-27097-1.patch
new file mode 100644
index 0000000000..98ec2c709d
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2021-27097-1.patch
@@ -0,0 +1,71 @@
+From 8a7d4cf9820ea16fabd25a6379351b4dc291204b Mon Sep 17 00:00:00 2001
+From: Simon Glass <sjg@chromium.org>
+Date: Mon, 15 Feb 2021 17:08:05 -0700
+Subject: [PATCH] fdt_region: Check for a single root node of the correct name
+At present fdt_find_regions() assumes that the FIT is a valid devicetree.
+If the FIT has two root nodes this is currently not detected in this
+function, nor does libfdt's fdt_check_full() notice. Also it is possible
+for the root node to have a name even though it should not.
+Add checks for these and return -FDT_ERR_BADSTRUCTURE if a problem is
+detected.
+CVE-2021-27097
+Signed-off-by: Simon Glass <sjg@chromium.org>
+Reported-by: Bruce Monroe <bruce.monroe@intel.com>
+Reported-by: Arie Haenel <arie.haenel@intel.com>
+Reported-by: Julien Lenoir <julien.lenoir@intel.com>
+CVE: CVE-2021-27097
+Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/8a7d4cf9820ea16fabd25a6379351b4dc291204b]
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ common/fdt_region.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+diff --git a/common/fdt_region.c b/common/fdt_region.c
+index ff12c518e9..e4ef0ca770 100644
+--- a/common/fdt_region.c
+++ b/common/fdt_region.c
+@@ -43,6 +43,7 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
+        int depth = -1;
+        int want = 0;
+        int base = fdt_off_dt_struct(fdt);
+       bool expect_end = false;
+ 
+        end = path;
+        *end = '\0';
+@@ -59,6 +60,10 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
+                tag = fdt_next_tag(fdt, offset, &nextoffset);
+                stop_at = nextoffset;
+ 
+               /* If we see two root nodes, something is wrong */
+               if (expect_end && tag != FDT_END)
+                       return -FDT_ERR_BADLAYOUT;
+
+                switch (tag) {
+                case FDT_PROP:
+                        include = want >= 2;
+@@ -81,6 +86,10 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
+                        if (depth == FDT_MAX_DEPTH)
+                                return -FDT_ERR_BADSTRUCTURE;
+                        name = fdt_get_name(fdt, offset, &len);
+
+                       /* The root node must have an empty name */
+                       if (!depth && *name)
+                               return -FDT_ERR_BADLAYOUT;
+                        if (end - path + 2 + len >= path_len)
+                                return -FDT_ERR_NOSPACE;
+                        if (end != path + 1)
+@@ -108,6 +117,8 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
+                        while (end > path && *--end != '/')
+                                ;
+                        *end = '\0';
+                       if (depth == -1)
+                               expect_end = true;
+                        break;
+ 
+                case FDT_END:

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2021-27097-1.patch b/meta/recipes-bsp/u-boot/files/CVE-2021-27097-1.patch new file mode 100644 index 0000000000..98ec2c709d --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2021-27097-1.patch
@@ -0,0 +1,71 @@
	1	From 8a7d4cf9820ea16fabd25a6379351b4dc291204b Mon Sep 17 00:00:00 2001
	2	From: Simon Glass <sjg@chromium.org>
	3	Date: Mon, 15 Feb 2021 17:08:05 -0700
	4	Subject: [PATCH] fdt_region: Check for a single root node of the correct name
	5
	6	At present fdt_find_regions() assumes that the FIT is a valid devicetree.
	7	If the FIT has two root nodes this is currently not detected in this
	8	function, nor does libfdt's fdt_check_full() notice. Also it is possible
	9	for the root node to have a name even though it should not.
	10
	11	Add checks for these and return -FDT_ERR_BADSTRUCTURE if a problem is
	12	detected.
	13
	14	CVE-2021-27097
	15
	16	Signed-off-by: Simon Glass <sjg@chromium.org>
	17	Reported-by: Bruce Monroe <bruce.monroe@intel.com>
	18	Reported-by: Arie Haenel <arie.haenel@intel.com>
	19	Reported-by: Julien Lenoir <julien.lenoir@intel.com>
	20
	21	CVE: CVE-2021-27097
	22	Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/8a7d4cf9820ea16fabd25a6379351b4dc291204b]
	23	Signed-off-by: Scott Murray <scott.murray@konsulko.com>
	24
	25	---
	26	common/fdt_region.c \| 11 +++++++++++
	27	1 file changed, 11 insertions(+)
	28
	29	diff --git a/common/fdt_region.c b/common/fdt_region.c
	30	index ff12c518e9..e4ef0ca770 100644
	31	--- a/common/fdt_region.c
	32	+++ b/common/fdt_region.c
	33	@@ -43,6 +43,7 @@ int fdt_find_regions(const void fdt, char const inc[], int inc_count,
	34	int depth = -1;
	35	int want = 0;
	36	int base = fdt_off_dt_struct(fdt);
	37	+ bool expect_end = false;
	38
	39	end = path;
	40	*end = '\0';
	41	@@ -59,6 +60,10 @@ int fdt_find_regions(const void fdt, char const inc[], int inc_count,
	42	tag = fdt_next_tag(fdt, offset, &nextoffset);
	43	stop_at = nextoffset;
	44
	45	+ /* If we see two root nodes, something is wrong */
	46	+ if (expect_end && tag != FDT_END)
	47	+ return -FDT_ERR_BADLAYOUT;
	48	+
	49	switch (tag) {
	50	case FDT_PROP:
	51	include = want >= 2;
	52	@@ -81,6 +86,10 @@ int fdt_find_regions(const void fdt, char const inc[], int inc_count,
	53	if (depth == FDT_MAX_DEPTH)
	54	return -FDT_ERR_BADSTRUCTURE;
	55	name = fdt_get_name(fdt, offset, &len);
	56	+
	57	+ /* The root node must have an empty name */
	58	+ if (!depth && *name)
	59	+ return -FDT_ERR_BADLAYOUT;
	60	if (end - path + 2 + len >= path_len)
	61	return -FDT_ERR_NOSPACE;
	62	if (end != path + 1)
	63	@@ -108,6 +117,8 @@ int fdt_find_regions(const void fdt, char const inc[], int inc_count,
	64	while (end > path && *--end != '/')
	65	;
	66	*end = '\0';
	67	+ if (depth == -1)
	68	+ expect_end = true;
	69	break;
	70
	71	case FDT_END: