Merge branch '2021-02-15-fix-CVE-2021-27097-CVE-2021-27138'

Fix CVE-2021-27097 and CVE-2021-27138. For more details see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27097 and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27138 Change-Id: I8f1f03a7e4b1d0bc9d8db51b6a08219f0c47fc2d Signed-off-by: Md Sadre Alam <quic_mdalam@quicinc.com>
2025-12-10 07:44:53 +01:00 · 2021-02-15 19:19:56 -05:00 · 2021-02-15 19:19:56 -05:00 · af3ad1d289
commit af3ad1d289
parent aea4f25d69
18 changed files with 236 additions and 28 deletions
--- a/common/Kconfig
+++ b/common/Kconfig
@ -717,3 +717,12 @@ config CONSOLE_RECORD_IN_SIZE
 	  tstc() and getc() will use this in preference to real device input.
 	  The buffer is allocated immediately after the malloc() region is
 	  ready.
 config FIT_FULL_CHECK
 	bool "Do a full check of the FIT before using it"
 	default y
 	help
 	 Enable this do a full check of the FIT to make sure it is valid. This
 	 helps to protect against carefully crafted FITs which take advantage
 	 of bugs or omissions in the code. This includes a bad structure,
 	 multiple root nodes and the like.
--- a/common/cmd_bootm.c
+++ b/common/cmd_bootm.c
@ -279,7 +279,7 @@ static int image_info(ulong addr)
 	case IMAGE_FORMAT_FIT:
 		puts("   FIT image found\n");
-		if (!fit_check_format(hdr)) {
+		if (fit_check_format(hdr, IMAGE_SIZE_INVAL)) {
 			puts("Bad FIT image format!\n");
 			return 1;
 		}
@ -352,7 +352,7 @@ static int do_imls_nor(void)
 #endif
 #if defined(CONFIG_FIT)
 			case IMAGE_FORMAT_FIT:
-				if (!fit_check_format(hdr))
+				if (fit_check_format(hdr, IMAGE_SIZE_INVAL))
 					goto next_sector;
 				printf("FIT Image at %08lX:\n", (ulong)hdr);
@ -434,7 +434,7 @@ static int nand_imls_fitimage(nand_info_t *nand, int nand_dev, loff_t off,
 		return ret;
 	}
-	if (!fit_check_format(imgdata)) {
+	if (fit_check_format(imgdata, IMAGE_SIZE_INVAL)) {
 		free(imgdata);
 		return 0;
 	}
--- a/common/cmd_disk.c
+++ b/common/cmd_disk.c
@ -112,7 +112,7 @@ int common_diskboot(cmd_tbl_t *cmdtp, const char *intf, int argc,
 	/* This cannot be done earlier,
 	 * we need complete FIT image in RAM first */
 	if (fit_hdr && genimg_get_format((void *)addr) == IMAGE_FORMAT_FIT) {
-		if (!fit_check_format(fit_hdr)) {
+		if (fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) {
 			bootstage_error(BOOTSTAGE_ID_IDE_FIT_READ);
 			puts("** Bad FIT image format\n");
 			return 1;
--- a/common/cmd_fdc.c
+++ b/common/cmd_fdc.c
@ -731,7 +731,7 @@ int do_fdcboot (cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
 #if defined(CONFIG_FIT)
 	/* This cannot be done earlier, we need complete FIT image in RAM first */
 	if (genimg_get_format ((void *)addr) == IMAGE_FORMAT_FIT) {
-		if (!fit_check_format (fit_hdr)) {
+		if (fit_check_format (fit_hdr, IMAGE_SIZE_INVAL)) {
 			puts ("** Bad FIT image format\n");
 			return 1;
 		}
--- a/common/cmd_fpga.c
+++ b/common/cmd_fpga.c
@ -248,7 +248,7 @@ int do_fpga(cmd_tbl_t *cmdtp, int flag, int argc, char *const argv[])
 					return 1;
 				}
-				if (!fit_check_format(fit_hdr)) {
+				if (fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) {
 					puts("Bad FIT image format\n");
 					return 1;
 				}
--- a/common/cmd_nand.c
+++ b/common/cmd_nand.c
@ -889,7 +889,7 @@ static int nand_load_image(cmd_tbl_t *cmdtp, nand_info_t *nand,
 #if defined(CONFIG_FIT)
 	/* This cannot be done earlier, we need complete FIT image in RAM first */
 	if (fit_hdr && genimg_get_format((void *)addr) == IMAGE_FORMAT_FIT) {
-		if (!fit_check_format(fit_hdr)) {
+		if (fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) {
 			bootstage_error(BOOTSTAGE_ID_NAND_FIT_READ);
 			puts("** Bad FIT image format\n");
 			return 1;
--- a/common/cmd_source.c
+++ b/common/cmd_source.c
@ -97,7 +97,7 @@ source (ulong addr, const char *fit_uname)
 		}
 		fit_hdr = buf;
-		if (!fit_check_format (fit_hdr)) {
+		if (fit_check_format (fit_hdr, IMAGE_SIZE_INVAL)) {
 			puts ("Bad FIT image format\n");
 			return 1;
 		}
--- a/common/cmd_ximg.c
+++ b/common/cmd_ximg.c
@ -132,7 +132,7 @@ do_imgextract(cmd_tbl_t * cmdtp, int flag, int argc, char * const argv[])
 			"at %08lx ...\n", uname, addr);
 		fit_hdr = (const void *)addr;
-		if (!fit_check_format(fit_hdr)) {
+		if (fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) {
 			puts("Bad FIT image format\n");
 			return 1;
 		}
--- a/common/image-fdt.c
+++ b/common/image-fdt.c
@ -353,7 +353,7 @@ int boot_get_fdt(int flag, int argc, char * const argv[], uint8_t arch,
 			 */
 #if defined(CONFIG_FIT)
 			/* check FDT blob vs FIT blob */
-			if (fit_check_format(buf)) {
+			if (!fit_check_format(buf, IMAGE_SIZE_INVAL)) {
 				ulong load, len;
 				fdt_noffset = fit_image_load(images,
--- a/common/image-fit.c
+++ b/common/image-fit.c
@ -8,7 +8,7 @@
 *
 * SPDX-License-Identifier:	GPL-2.0+
 */
-
+#define LOG_CATEGORY LOGC_BOOT
 #ifdef USE_HOSTCC
 #include "mkimage.h"
 #include <image.h>
@ -991,11 +991,22 @@ int fit_image_verify(const void *fit, int image_noffset)
 {
 	const void	*data;
 	size_t		size;
 	int		noffset = 0;
 	char		*err_msg = "";
 	int verify_all = 1;
 	int ret;
 	int noffset = 0;
 #if defined(CONFIG_FIT_SIGNATURE)
 	const char *name = fit_get_name(fit, image_noffset, NULL);
 	if (strchr(name, '@')) {
 		/*
 		 * We don't support this since libfdt considers names with the
 		 * name root but different @ suffix to be equal
 		 */
 		err_msg = "Node name contains @";
 		goto error;
 	}
 #endif
 	/* Get image data and data length */
 	if (fit_image_get_data(fit, image_noffset, &data, &size)) {
 		err_msg = "Can't get image data/size";
@ -1192,6 +1203,33 @@ int fit_image_check_comp(const void *fit, int noffset, uint8_t comp)
 	return (comp == image_comp);
 }
 /**
 * fdt_check_no_at() - Check for nodes whose names contain '@'
 * This checks the parent node and all subnodes recursively
 * @fit: FIT to check
 * @parent: Parent node to check
 * @return 0 if OK, -EADDRNOTAVAIL is a node has a name containing '@'
 */
 #if defined(CONFIG_FIT_SIGNATURE)
 static int fdt_check_no_at(const void *fit, int parent)
 {
 	const char *name;
 	int node;
 	int ret;
 	name = fdt_get_name(fit, parent, NULL);
 	if (!name || strchr(name, '@'))
 		return -EADDRNOTAVAIL;
 	fdt_for_each_subnode(fit, node, parent) {
 		ret = fdt_check_no_at(fit, node);
 		if (ret)
 			return ret;
 	}
 	return 0;
 }
 #endif
 /**
 * fit_check_format - sanity check FIT image format
 * @fit: pointer to the FIT format image header
@ -1203,29 +1241,71 @@ int fit_image_check_comp(const void *fit, int noffset, uint8_t comp)
 *     1, on success
 *     0, on failure
 */
-int fit_check_format(const void *fit)
+int fit_check_format(const void *fit, ulong size)
 {
 	int ret;
 	ret = fdt_check_header(fit);
 	if (ret) {
 		debug("Wrong FIT format: not a flattened device tree\n");
 		return -ENOEXEC;
 	}
 #if defined(CONFIG_FIT_FULL_CHECK)
 		/*
 		 * If we are not given the size, make do wtih calculating it.
 		 * This is not as secure, so we should consider a flag to
 		 * control this.
 		 */
 		if (size == IMAGE_SIZE_INVAL)
 			size = fdt_totalsize(fit);
 		ret = fdt_check_full(fit, size);
 		if (ret)
 			ret = -EINVAL;
 		/*
 		 * U-Boot stopped using unit addressed in 2017. Since libfdt
 		 * can match nodes ignoring any unit address, signature
 		 * verification can see the wrong node if one is inserted with
 		 * the same name as a valid node but with a unit address
 		 * attached. Protect against this by disallowing unit addresses.
 		 */
 #if defined(CONFIG_FIT_SIGNATURE)
 		if (!ret)
 			ret = fdt_check_no_at(fit, 0);
 			if (ret) {
 				debug("FIT check error %d\n", ret);
 				return ret;
 			}
 		}
 #endif
 		if (ret) {
 			debug("FIT check error %d\n", ret);
 			return ret;
 		}
 #endif
 	/* mandatory / node 'description' property */
-	if (fdt_getprop(fit, 0, FIT_DESC_PROP, NULL) == NULL) {
+	if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) {
 		debug("Wrong FIT format: no description\n");
-		return 0;
+		return -ENOMSG;
 	}
 	if (IMAGE_ENABLE_TIMESTAMP) {
 		/* mandatory / node 'timestamp' property */
-		if (fdt_getprop(fit, 0, FIT_TIMESTAMP_PROP, NULL) == NULL) {
+		if (!fdt_getprop(fit, 0, FIT_TIMESTAMP_PROP, NULL)) {
 			debug("Wrong FIT format: no timestamp\n");
-			return 0;
+			return -ENODATA;
 		}
 	}
 	/* mandatory subimages parent '/images' node */
 	if (fdt_path_offset(fit, FIT_IMAGES_PATH) < 0) {
 		debug("Wrong FIT format: no images parent node\n");
-		return 0;
+		return -ENOENT;
 	}
-	return 1;
+	return 0;
 }
@ -1581,10 +1661,15 @@ int fit_image_load(bootm_headers_t *images, ulong addr,
 	printf("## Loading %s from FIT Image at %08lx ...\n", prop_name, addr);
 	bootstage_mark(bootstage_id + BOOTSTAGE_SUB_FORMAT);
-	if (!fit_check_format(fit)) {
+	ret = fit_check_format(fit, IMAGE_SIZE_INVAL);
-		printf("Bad FIT %s image format!\n", prop_name);
+	if (ret) {
 		printf("Bad FIT %s image format! (err=%d)\n", prop_name, ret);
 #if defined(CONFIG_FIT_SIGNATURE)
 		if (ret == -EADDRNOTAVAIL)
 			printf("Signature checking prevents use of unit addresses (@) in nodes\n");
 #endif
 		bootstage_error(bootstage_id + BOOTSTAGE_SUB_FORMAT);
-		return -ENOEXEC;
+		return ret;
 	}
 	bootstage_mark(bootstage_id + BOOTSTAGE_SUB_FORMAT_OK);
 	if (fit_uname) {
--- a/common/update.c
+++ b/common/update.c
@ -279,7 +279,7 @@ int update_tftp(ulong addr, char *interface, char *devstring)
 got_update_file:
 	fit = (void *)addr;
-	if (!fit_check_format((void *)fit)) {
+	if (fit_check_format((void *)fit, IMAGE_SIZE_INVAL)) {
 		printf("Bad FIT format of the update file, aborting "
 							"auto-update\n");
 		return 1;
--- a/drivers/misc/fsl_debug_server.c
+++ b/drivers/misc/fsl_debug_server.c
@ -63,7 +63,7 @@ int debug_server_parse_firmware_fit_image(const void **raw_image_addr,
 		goto out_error;
 	}
-	if (!fit_check_format(fit_hdr)) {
+	if (fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) {
 		printf("Debug Server FW: Bad FIT image format\n");
 		goto out_error;
 	}
--- a/drivers/net/fsl-mc/mc.c
+++ b/drivers/net/fsl-mc/mc.c
@ -123,7 +123,7 @@ int parse_mc_firmware_fit_image(u64 mc_fw_addr,
 		return -EINVAL;
 	}
-	if (!fit_check_format(fit_hdr)) {
+	if (fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) {
 		printf("fsl-mc: ERR: Bad firmware image (bad FIT header)\n");
 		return -EINVAL;
 	}
--- a/include/image.h
+++ b/include/image.h
@ -792,6 +792,9 @@ int bootz_setup(ulong image, ulong *start, ulong *end);
 #define FIT_MAX_HASH_LEN	HASH_MAX_DIGEST_SIZE
 /* An invalid size, meaning that the image size is not known */
 #define IMAGE_SIZE_INVAL	(-1UL)
 /* cmdline argument format parsing */
 int fit_parse_conf(const char *spec, ulong addr_curr,
 		ulong *addr, const char **conf_name);
@ -888,10 +891,26 @@ int fit_image_check_os(const void *fit, int noffset, uint8_t os);
 int fit_image_check_arch(const void *fit, int noffset, uint8_t arch);
 int fit_image_check_type(const void *fit, int noffset, uint8_t type);
 int fit_image_check_comp(const void *fit, int noffset, uint8_t comp);
-int fit_check_format(const void *fit);
+/**
 * fit_check_format() - Check that the FIT is valid
 *
 * This performs various checks on the FIT to make sure it is suitable for
 * use, looking for mandatory properties, nodes, etc.
 *
 * If FIT_FULL_CHECK is enabled, it also runs it through libfdt to make
 * sure that there are no strange tags or broken nodes in the FIT.
 *
 * @fit: pointer to the FIT format image header
 * @return 0 if OK, -ENOEXEC if not an FDT file, -EINVAL if the full FDT check
 *	failed (e.g. due to bad structure), -ENOMSG if the description is
 *	missing, -ENODATA if the timestamp is missing, -ENOENT if the /images
 *	path is missing
 */
 int fit_check_format(const void *fit, ulong size);
 int fit_conf_find_compat(const void *fit, const void *fdt);
 int fit_conf_get_node(const void *fit, const char *conf_uname);
 int fdt_check_full(const void *fdt, size_t bufsize);
 /**
 * fit_conf_get_prop_node() - Get node refered to by a configuration
--- a/lib/libfdt/fdt_ro.c
+++ b/lib/libfdt/fdt_ro.c
@ -14,6 +14,7 @@
 #include "libfdt_internal.h"
 #define INT_MAX         ((int)(~0U>>1))
 static int _fdt_nodename_eq(const void *fdt, int offset,
 			    const char *s, int len)
 {
@ -625,3 +626,83 @@ int fdt_node_offset_by_compatible(const void *fdt, int startoffset,
 	return offset; /* error from fdt_next_node() */
 }
 int fdt_check_full(const void *fdt, size_t bufsize)
 {
 	int err;
 	int num_memrsv;
 	int offset, nextoffset = 0;
 	uint32_t tag;
 	unsigned depth = 0;
 	const void *prop;
 	const char *propname;
 	bool expect_end = false;
 	if (bufsize < FDT_V1_SIZE)
 		return -FDT_ERR_TRUNCATED;
 	err = fdt_check_header(fdt);
 	if (err != 0)
 		return err;
 	if (bufsize < fdt_totalsize(fdt))
 		return -FDT_ERR_TRUNCATED;
 	num_memrsv = fdt_num_mem_rsv(fdt);
 	if (num_memrsv < 0)
 		return num_memrsv;
 	while (1) {
 		offset = nextoffset;
 		tag = fdt_next_tag(fdt, offset, &nextoffset);
 		if (nextoffset < 0)
 			return nextoffset;
 		/* If we see two root nodes, something is wrong */
 		if (expect_end && tag != FDT_END)
 			return -FDT_ERR_BADLAYOUT;
 		switch (tag) {
 		case FDT_NOP:
 			break;
 		case FDT_END:
 			if (depth != 0)
 				return -FDT_ERR_BADSTRUCTURE;
 			return 0;
 		case FDT_BEGIN_NODE:
 			depth++;
 			if (depth > INT_MAX)
 				return -FDT_ERR_BADSTRUCTURE;
 			/* The root node must have an empty name */
 			if (depth == 1) {
 				const char *name;
 				int len;
 				name = fdt_get_name(fdt, offset, &len);
 				if (*name || len)
 					return -FDT_ERR_BADLAYOUT;
 			}
 			break;
 		case FDT_END_NODE:
 			if (depth == 0)
 				return -FDT_ERR_BADSTRUCTURE;
 			depth--;
 			if (depth == 0)
 				expect_end = true;
 			break;
 		case FDT_PROP:
 			prop = fdt_getprop_by_offset(fdt, offset, &propname,
 						     &err);
 			if (!prop)
 				return err;
 			break;
 		default:
 			return -FDT_ERR_INTERNAL;
 		}
 	}
 }
--- a/lib/libfdt/fdt_wip.c
+++ b/lib/libfdt/fdt_wip.c
@ -103,6 +103,7 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
 	int depth = -1;
 	int want = 0;
 	int base = fdt_off_dt_struct(fdt);
 	bool expect_end = false;
 	end = path;
 	*end = '\0';
@ -119,6 +120,10 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
 		tag = fdt_next_tag(fdt, offset, &nextoffset);
 		stop_at = nextoffset;
 		/* If we see two root nodes, something is wrong */
 		if (expect_end && tag != FDT_END)
 			return -FDT_ERR_BADLAYOUT;
 		switch (tag) {
 		case FDT_PROP:
 			include = want >= 2;
@ -139,6 +144,9 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
 			if (depth == FDT_MAX_DEPTH)
 				return -FDT_ERR_BADSTRUCTURE;
 			name = fdt_get_name(fdt, offset, &len);
 			/* The root node must have an empty name */
 			if (!depth && *name)
 				return -FDT_ERR_BADLAYOUT;
 			if (end - path + 2 + len >= path_len)
 				return -FDT_ERR_NOSPACE;
 			if (end != path + 1)
@ -163,6 +171,8 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
 			while (end > path && *--end != '/')
 				;
 			*end = '\0';
 			if (depth == -1)
 				expect_end = true;
 			break;
 		case FDT_END:
--- a/tools/fit_common.c
+++ b/tools/fit_common.c
@ -27,7 +27,11 @@
 int fit_verify_header(unsigned char *ptr, int image_size,
 			struct image_tool_params *params)
 {
-	return fdt_check_header(ptr);
+	if (fdt_check_header(ptr) != EXIT_SUCCESS ||
 	    fit_check_format(ptr, IMAGE_SIZE_INVAL))
 		return EXIT_FAILURE;
 	return EXIT_SUCCESS;
 }
 int fit_check_image_types(uint8_t type)
--- a/tools/fit_image.c
+++ b/tools/fit_image.c
@ -200,7 +200,7 @@ static int fit_extract_contents(void *ptr, struct image_tool_params *params)
 	/* Indent string is defined in header image.h */
 	p = IMAGE_INDENT_STRING;
-	if (!fit_check_format(fit)) {
+	if (fit_check_format(fit, IMAGE_SIZE_INVAL)) {
 		printf("Bad FIT image format\n");
 		return -1;
 	}