diff options
Diffstat (limited to 'meta/recipes-bsp')
-rw-r--r-- | meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch | 98 | ||||
-rw-r--r-- | meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch | 52 | ||||
-rw-r--r-- | meta/recipes-bsp/u-boot/files/CVE-2020-8432.patch | 114 | ||||
-rw-r--r-- | meta/recipes-bsp/u-boot/u-boot-common.inc | 3 |
4 files changed, 267 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch new file mode 100644 index 0000000000..d784452b44 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch | |||
@@ -0,0 +1,98 @@ | |||
1 | From 67acad3db71bb372458fbb8a77749f5eb88aa324 Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon Glass <sjg@chromium.org> | ||
3 | Date: Wed, 18 Mar 2020 11:44:01 -0600 | ||
4 | Subject: [PATCH] image: Check hash-nodes when checking configurations | ||
5 | |||
6 | It is currently possible to use a different configuration's signature and | ||
7 | thus bypass the configuration check. Make sure that the configuration node | ||
8 | that was hashed matches the one being checked, to catch this problem. | ||
9 | |||
10 | Also add a proper function comment to fit_config_check_sig() and make it | ||
11 | static. | ||
12 | |||
13 | Signed-off-by: Simon Glass <sjg@chromium.org> | ||
14 | |||
15 | CVE: CVE-2020-10648 | ||
16 | Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/67acad3db71bb372458fbb8a77749f5eb88aa324] | ||
17 | Signed-off-by: Scott Murray <scott.murray@konsulko.com> | ||
18 | |||
19 | --- | ||
20 | common/image-sig.c | 36 +++++++++++++++++++++++++++++++++--- | ||
21 | 1 file changed, 33 insertions(+), 3 deletions(-) | ||
22 | |||
23 | diff --git a/common/image-sig.c b/common/image-sig.c | ||
24 | index 13ccd50bc5..03143a4040 100644 | ||
25 | --- a/common/image-sig.c | ||
26 | +++ b/common/image-sig.c | ||
27 | @@ -359,20 +359,39 @@ int fit_image_verify_required_sigs(const void *fit, int image_noffset, | ||
28 | return 0; | ||
29 | } | ||
30 | |||
31 | -int fit_config_check_sig(const void *fit, int noffset, int required_keynode, | ||
32 | - char **err_msgp) | ||
33 | +/** | ||
34 | + * fit_config_check_sig() - Check the signature of a config | ||
35 | + * | ||
36 | + * @fit: FIT to check | ||
37 | + * @noffset: Offset of configuration node (e.g. /configurations/conf-1) | ||
38 | + * @required_keynode: Offset in the control FDT of the required key node, | ||
39 | + * if any. If this is given, then the configuration wil not | ||
40 | + * pass verification unless that key is used. If this is | ||
41 | + * -1 then any signature will do. | ||
42 | + * @conf_noffset: Offset of the configuration subnode being checked (e.g. | ||
43 | + * /configurations/conf-1/kernel) | ||
44 | + * @err_msgp: In the event of an error, this will be pointed to a | ||
45 | + * help error string to display to the user. | ||
46 | + * @return 0 if all verified ok, <0 on error | ||
47 | + */ | ||
48 | +static int fit_config_check_sig(const void *fit, int noffset, | ||
49 | + int required_keynode, int conf_noffset, | ||
50 | + char **err_msgp) | ||
51 | { | ||
52 | char * const exc_prop[] = {"data"}; | ||
53 | const char *prop, *end, *name; | ||
54 | struct image_sign_info info; | ||
55 | const uint32_t *strings; | ||
56 | + const char *config_name; | ||
57 | uint8_t *fit_value; | ||
58 | int fit_value_len; | ||
59 | + bool found_config; | ||
60 | int max_regions; | ||
61 | int i, prop_len; | ||
62 | char path[200]; | ||
63 | int count; | ||
64 | |||
65 | + config_name = fit_get_name(fit, conf_noffset, NULL); | ||
66 | debug("%s: fdt=%p, conf='%s', sig='%s'\n", __func__, gd_fdt_blob(), | ||
67 | fit_get_name(fit, noffset, NULL), | ||
68 | fit_get_name(gd_fdt_blob(), required_keynode, NULL)); | ||
69 | @@ -413,9 +432,20 @@ int fit_config_check_sig(const void *fit, int noffset, int required_keynode, | ||
70 | char *node_inc[count]; | ||
71 | |||
72 | debug("Hash nodes (%d):\n", count); | ||
73 | + found_config = false; | ||
74 | for (name = prop, i = 0; name < end; name += strlen(name) + 1, i++) { | ||
75 | debug(" '%s'\n", name); | ||
76 | node_inc[i] = (char *)name; | ||
77 | + if (!strncmp(FIT_CONFS_PATH, name, strlen(FIT_CONFS_PATH)) && | ||
78 | + name[sizeof(FIT_CONFS_PATH) - 1] == '/' && | ||
79 | + !strcmp(name + sizeof(FIT_CONFS_PATH), config_name)) { | ||
80 | + debug(" (found config node %s)", config_name); | ||
81 | + found_config = true; | ||
82 | + } | ||
83 | + } | ||
84 | + if (!found_config) { | ||
85 | + *err_msgp = "Selected config not in hashed nodes"; | ||
86 | + return -1; | ||
87 | } | ||
88 | |||
89 | /* | ||
90 | @@ -483,7 +513,7 @@ static int fit_config_verify_sig(const void *fit, int conf_noffset, | ||
91 | if (!strncmp(name, FIT_SIG_NODENAME, | ||
92 | strlen(FIT_SIG_NODENAME))) { | ||
93 | ret = fit_config_check_sig(fit, noffset, sig_offset, | ||
94 | - &err_msg); | ||
95 | + conf_noffset, &err_msg); | ||
96 | if (ret) { | ||
97 | puts("- "); | ||
98 | } else { | ||
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch new file mode 100644 index 0000000000..023f7eac0a --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch | |||
@@ -0,0 +1,52 @@ | |||
1 | From 8a9d03732e6d0f68107c80919096e7cf956dcb3d Mon Sep 17 00:00:00 2001 | ||
2 | From: Simon Glass <sjg@chromium.org> | ||
3 | Date: Wed, 18 Mar 2020 11:44:02 -0600 | ||
4 | Subject: [PATCH] image: Load the correct configuration in fit_check_sign | ||
5 | |||
6 | At present bootm_host_load_images() is passed the configuration that has | ||
7 | been verified, but ignores it and just uses the default configuration. | ||
8 | This may not be the same. | ||
9 | |||
10 | Update this function to use the selected configuration. | ||
11 | |||
12 | Signed-off-by: Simon Glass <sjg@chromium.org> | ||
13 | |||
14 | CVE: CVE-2020-10648 | ||
15 | Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/8a9d03732e6d0f68107c80919096e7cf956dcb3d] | ||
16 | Signed-off-by: Scott Murray <scott.murray@konsulko.com> | ||
17 | |||
18 | --- | ||
19 | common/bootm.c | 6 ++++-- | ||
20 | 1 file changed, 4 insertions(+), 2 deletions(-) | ||
21 | |||
22 | diff --git a/common/bootm.c b/common/bootm.c | ||
23 | index 902c13880d..db4362a643 100644 | ||
24 | --- a/common/bootm.c | ||
25 | +++ b/common/bootm.c | ||
26 | @@ -819,7 +819,8 @@ void __weak switch_to_non_secure_mode(void) | ||
27 | #else /* USE_HOSTCC */ | ||
28 | |||
29 | #if defined(CONFIG_FIT_SIGNATURE) | ||
30 | -static int bootm_host_load_image(const void *fit, int req_image_type) | ||
31 | +static int bootm_host_load_image(const void *fit, int req_image_type, | ||
32 | + int cfg_noffset) | ||
33 | { | ||
34 | const char *fit_uname_config = NULL; | ||
35 | ulong data, len; | ||
36 | @@ -831,6 +832,7 @@ static int bootm_host_load_image(const void *fit, int req_image_type) | ||
37 | void *load_buf; | ||
38 | int ret; | ||
39 | |||
40 | + fit_uname_config = fdt_get_name(fit, cfg_noffset, NULL); | ||
41 | memset(&images, '\0', sizeof(images)); | ||
42 | images.verify = 1; | ||
43 | noffset = fit_image_load(&images, (ulong)fit, | ||
44 | @@ -878,7 +880,7 @@ int bootm_host_load_images(const void *fit, int cfg_noffset) | ||
45 | for (i = 0; i < ARRAY_SIZE(image_types); i++) { | ||
46 | int ret; | ||
47 | |||
48 | - ret = bootm_host_load_image(fit, image_types[i]); | ||
49 | + ret = bootm_host_load_image(fit, image_types[i], cfg_noffset); | ||
50 | if (!err && ret && ret != -ENOENT) | ||
51 | err = ret; | ||
52 | } | ||
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2020-8432.patch b/meta/recipes-bsp/u-boot/files/CVE-2020-8432.patch new file mode 100644 index 0000000000..b0a16efeaa --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2020-8432.patch | |||
@@ -0,0 +1,114 @@ | |||
1 | From 5749faa3d6837d6dbaf2119fc3ec49a326690c8f Mon Sep 17 00:00:00 2001 | ||
2 | From: Tom Rini <trini@konsulko.com> | ||
3 | Date: Tue, 21 Jan 2020 11:53:38 -0500 | ||
4 | Subject: [PATCH] cmd/gpt: Address error cases during gpt rename more correctly | ||
5 | |||
6 | New analysis by the tool has shown that we have some cases where we | ||
7 | weren't handling the error exit condition correctly. When we ran into | ||
8 | the ENOMEM case we wouldn't exit the function and thus incorrect things | ||
9 | could happen. Rework the unwinding such that we don't need a helper | ||
10 | function now and free what we may have allocated. | ||
11 | |||
12 | Fixes: 18030d04d25d ("GPT: fix memory leaks identified by Coverity") | ||
13 | Reported-by: Coverity (CID: 275475, 275476) | ||
14 | Cc: Alison Chaiken <alison@she-devel.com> | ||
15 | Cc: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com> | ||
16 | Cc: Jordy <jordy@simplyhacker.com> | ||
17 | Signed-off-by: Tom Rini <trini@konsulko.com> | ||
18 | Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com> | ||
19 | |||
20 | CVE: CVE-2020-8432 | ||
21 | Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/5749faa3d6837d6dbaf2119fc3ec49a326690c8f] | ||
22 | Signed-off-by: Scott Murray <scott.murray@konsulko.com> | ||
23 | |||
24 | --- | ||
25 | cmd/gpt.c | 47 ++++++++++++----------------------------------- | ||
26 | 1 file changed, 12 insertions(+), 35 deletions(-) | ||
27 | |||
28 | diff --git a/cmd/gpt.c b/cmd/gpt.c | ||
29 | index 0c4349f4b2..964702bad4 100644 | ||
30 | --- a/cmd/gpt.c | ||
31 | +++ b/cmd/gpt.c | ||
32 | @@ -633,21 +633,6 @@ static int do_disk_guid(struct blk_desc *dev_desc, char * const namestr) | ||
33 | } | ||
34 | |||
35 | #ifdef CONFIG_CMD_GPT_RENAME | ||
36 | -/* | ||
37 | - * There are 3 malloc() calls in set_gpt_info() and there is no info about which | ||
38 | - * failed. | ||
39 | - */ | ||
40 | -static void set_gpt_cleanup(char **str_disk_guid, | ||
41 | - disk_partition_t **partitions) | ||
42 | -{ | ||
43 | -#ifdef CONFIG_RANDOM_UUID | ||
44 | - if (str_disk_guid) | ||
45 | - free(str_disk_guid); | ||
46 | -#endif | ||
47 | - if (partitions) | ||
48 | - free(partitions); | ||
49 | -} | ||
50 | - | ||
51 | static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm, | ||
52 | char *name1, char *name2) | ||
53 | { | ||
54 | @@ -655,7 +640,7 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm, | ||
55 | struct disk_part *curr; | ||
56 | disk_partition_t *new_partitions = NULL; | ||
57 | char disk_guid[UUID_STR_LEN + 1]; | ||
58 | - char *partitions_list, *str_disk_guid; | ||
59 | + char *partitions_list, *str_disk_guid = NULL; | ||
60 | u8 part_count = 0; | ||
61 | int partlistlen, ret, numparts = 0, partnum, i = 1, ctr1 = 0, ctr2 = 0; | ||
62 | |||
63 | @@ -697,14 +682,8 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm, | ||
64 | /* set_gpt_info allocates new_partitions and str_disk_guid */ | ||
65 | ret = set_gpt_info(dev_desc, partitions_list, &str_disk_guid, | ||
66 | &new_partitions, &part_count); | ||
67 | - if (ret < 0) { | ||
68 | - del_gpt_info(); | ||
69 | - free(partitions_list); | ||
70 | - if (ret == -ENOMEM) | ||
71 | - set_gpt_cleanup(&str_disk_guid, &new_partitions); | ||
72 | - else | ||
73 | - goto out; | ||
74 | - } | ||
75 | + if (ret < 0) | ||
76 | + goto out; | ||
77 | |||
78 | if (!strcmp(subcomm, "swap")) { | ||
79 | if ((strlen(name1) > PART_NAME_LEN) || (strlen(name2) > PART_NAME_LEN)) { | ||
80 | @@ -766,14 +745,8 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm, | ||
81 | * Even though valid pointers are here passed into set_gpt_info(), | ||
82 | * it mallocs again, and there's no way to tell which failed. | ||
83 | */ | ||
84 | - if (ret < 0) { | ||
85 | - del_gpt_info(); | ||
86 | - free(partitions_list); | ||
87 | - if (ret == -ENOMEM) | ||
88 | - set_gpt_cleanup(&str_disk_guid, &new_partitions); | ||
89 | - else | ||
90 | - goto out; | ||
91 | - } | ||
92 | + if (ret < 0) | ||
93 | + goto out; | ||
94 | |||
95 | debug("Writing new partition table\n"); | ||
96 | ret = gpt_restore(dev_desc, disk_guid, new_partitions, numparts); | ||
97 | @@ -795,10 +768,14 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm, | ||
98 | } | ||
99 | printf("new partition table with %d partitions is:\n", numparts); | ||
100 | print_gpt_info(); | ||
101 | - del_gpt_info(); | ||
102 | out: | ||
103 | - free(new_partitions); | ||
104 | - free(str_disk_guid); | ||
105 | + del_gpt_info(); | ||
106 | +#ifdef CONFIG_RANDOM_UUID | ||
107 | + if (str_disk_guid) | ||
108 | + free(str_disk_guid); | ||
109 | +#endif | ||
110 | + if (new_partitions) | ||
111 | + free(new_partitions); | ||
112 | free(partitions_list); | ||
113 | return ret; | ||
114 | } | ||
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc index 4a17894c49..198ed52c7c 100644 --- a/meta/recipes-bsp/u-boot/u-boot-common.inc +++ b/meta/recipes-bsp/u-boot/u-boot-common.inc | |||
@@ -16,6 +16,9 @@ SRCREV = "303f8fed261020c1cb7da32dad63b610bf6873dd" | |||
16 | 16 | ||
17 | SRC_URI = "git://git.denx.de/u-boot.git \ | 17 | SRC_URI = "git://git.denx.de/u-boot.git \ |
18 | file://remove-redundant-yyloc-global.patch \ | 18 | file://remove-redundant-yyloc-global.patch \ |
19 | file://CVE-2020-8432.patch \ | ||
20 | file://CVE-2020-10648-1.patch \ | ||
21 | file://CVE-2020-10648-2.patch \ | ||
19 | " | 22 | " |
20 | 23 | ||
21 | S = "${WORKDIR}/git" | 24 | S = "${WORKDIR}/git" |