From 33132ec14676c62167d86cb1efff7c1f5ded107f Mon Sep 17 00:00:00 2001
From: Scott Murray
Date: Sun, 21 Mar 2021 22:53:55 -0400
Subject: u-boot: Fix CVE-2021-27097, CVE-2021-27138
Backport fixes for CVE-2021-27097 and CVE-2021-27138 as well as a precursor fdt validation fix that allows using the upstream patches for the CVEs without significant rebasing. Note that the additional upstream changes to add new U-Boot fit image tests have been left out to keep the patch count down. Those tests are currently not used for ptest or oe-selftest, so it is believed their absence should not be problematic.
(From OE-Core rev: b6c2df341d7e6da5defca9a5567fdb7212489efa)
Signed-off-by: Scott Murray
Signed-off-by: Richard Purdie
---
.../u-boot/files/CVE-2021-27138-2.patch | 109 +++++++++++++++++++++
1 file changed, 109 insertions(+)
create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2021-27138-2.patch
(limited to 'meta/recipes-bsp/u-boot/files/CVE-2021-27138-2.patch')
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2021-27138-2.patch b/meta/recipes-bsp/u-boot/files/CVE-2021-27138-2.patch
new file mode 100644
index 0000000000..946196c378
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2021-27138-2.patch
@@ -0,0 +1,109 @@
+From 3f04db891a353f4b127ed57279279f851c6b4917 Mon Sep 17 00:00:00 2001
+From: Simon Glass
+Date: Mon, 15 Feb 2021 17:08:12 -0700
+Subject: [PATCH] image: Check for unit addresses in FITs
+
+Using unit addresses in a FIT is a security risk. Add a check for this
+and disallow it.
+
+CVE-2021-27138
+
+Signed-off-by: Simon Glass
+Reported-by: Bruce Monroe
+Reported-by: Arie Haenel
+Reported-by: Julien Lenoir
+
+CVE: CVE-2021-27138
+Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/3f04db891a353f4b127ed57279279f851c6b4917]
+Signed-off-by: Scott Murray
+
+---
+ common/image-fit.c | 56 +++++++++++++++++++++++++++++++++++++++++----
+ test/py/tests/test_vboot.py | 9 ++++----
+ 2 files changed, 57 insertions(+), 8 deletions(-)
+
+diff --git a/common/image-fit.c b/common/image-fit.c
+index bcf395f6a1..28b3d2b191 100644
+--- a/common/image-fit.c
++++ b/common/image-fit.c
+@@ -1568,6 +1568,34 @@ int fit_image_check_comp(const void *fit, int noffset, uint8_t comp)
+ return (comp == image_comp);
+ }
+ 
++/**
++ * fdt_check_no_at() - Check for nodes whose names contain '@'
++ *
++ * This checks the parent node and all subnodes recursively
++ *
++ * @fit: FIT to check
++ * @parent: Parent node to check
++ * @return 0 if OK, -EADDRNOTAVAIL is a node has a name containing '@'
++ */
++static int fdt_check_no_at(const void *fit, int parent)
++{
++ const char *name;
++ int node;
++ int ret;
++
++ name = fdt_get_name(fit, parent, NULL);
++ if (!name || strchr(name, '@'))
++ return -EADDRNOTAVAIL;
++
++ fdt_for_each_subnode(node, fit, parent) {
++ ret = fdt_check_no_at(fit, node);
++ if (ret)
++ return ret;
++ }
++
++ return 0;
++}
++
+ int fit_check_format(const void *fit, ulong size)
+ {
+ int ret;
+@@ -1589,10 +1617,27 @@ int fit_check_format(const void *fit, ulong size)
+ if (size == IMAGE_SIZE_INVAL)
+ size = fdt_totalsize(fit);
+ ret = fdt_check_full(fit, size);
++ if (ret)
++ ret = -EINVAL;
++
++ /*
++ * U-Boot stopped using unit addressed in 2017. Since libfdt
++ * can match nodes ignoring any unit address, signature
++ * verification can see the wrong node if one is inserted with
++ * the same name as a valid node but with a unit address
++ * attached. Protect against this by disallowing unit addresses.
++ */
++ if (!ret && CONFIG_IS_ENABLED(FIT_SIGNATURE)) {
++ ret = fdt_check_no_at(fit, 0);
+ 
++ if (ret) {
++ log_debug("FIT check error %d\n", ret);
++ return ret;
++ }
++ }
+ if (ret) {
+ log_debug("FIT check error %d\n", ret);
+- return -EINVAL;
++ return ret;
+ }
+ }
+ 
+@@ -1955,10 +2000,13 @@ int fit_image_load(bootm_headers_t *images, ulong addr,
+ printf("## Loading %s from FIT Image at %08lx ...\n", prop_name, addr);
+ 
+ bootstage_mark(bootstage_id + BOOTSTAGE_SUB_FORMAT);
+- if (fit_check_format(fit, IMAGE_SIZE_INVAL)) {
+- printf("Bad FIT %s image format!\n", prop_name);
++ ret = fit_check_format(fit, IMAGE_SIZE_INVAL);
++ if (ret) {
++ printf("Bad FIT %s image format! (err=%d)\n", prop_name, ret);
++ if (CONFIG_IS_ENABLED(FIT_SIGNATURE) && ret == -EADDRNOTAVAIL)
++ printf("Signature checking prevents use of unit addresses (@) in nodes\n");
+ bootstage_error(bootstage_id + BOOTSTAGE_SUB_FORMAT);
+- return -ENOEXEC;
++ return ret;
+ }
+ bootstage_mark(bootstage_id + BOOTSTAGE_SUB_FORMAT_OK);
+ if (fit_uname) {
-- 
cgit v1.2.3-54-g00ecf
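Review bot: The added fdt_check_no_at() recurses once per nesting level with no depth limit, and fit_check_format() runs it as part of the format check, which appears to happen before any signature verification. Nothing visible in this hunk shows that the preceding fdt_check_full() call caps how deeply nodes may nest, so a very deeply nested FIT could presumably exhaust the limited boot-time stack during this walk. Consider threading a depth argument through the walk and rejecting the image beyond a fixed limit, for example `if (depth > MAX_FIT_DEPTH) return -EINVAL;`, where `MAX_FIT_DEPTH` is a placeholder for whatever bound the project chooses. Because this file is a backport, such a change would need to land upstream first and be carried here as a follow-up patch.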