[U-Boot] [PATCH] vboot: Add FIT_SIGNATURE_MAX_SIZE protection

Simon Glass sjg at chromium.org
Thu Jun 7 23:17:57 UTC 2018


Hi Teddy,

On 7 June 2018 at 13:57, Teddy Reed <teddy.reed at gmail.com> wrote:
> On Thu, Jun 7, 2018 at 4:25 PM, Simon Glass <sjg at chromium.org> wrote:
>> Hi Teddy,
>>
>> On 3 June 2018 at 15:28, Teddy Reed <teddy.reed at gmail.com> wrote:
>>> This adds a new config value FIT_SIGNATURE_MAX_SIZE, which controls the
>>> max size of a FIT header's totalsize field. The max size is checked before
>>> signature checks are applied to prevent reading past defined FIT regions.
>>>
>>> This field is not part of the vboot signature so it should be sanity
>>> checked. If the field is corrupted then the structure or string region
>>> reads may have unintended behavior, such as reading from device memory.
>>> A default value of 256MB is set and intended to support most max storage
>>> sizes.
>>>
>>> Suggested-by: Simon Glass <sjg at chromium.org>
>>> Signed-off-by: Teddy Reed <teddy.reed at gmail.com>
>>> ---
>>>  Kconfig                     | 10 ++++++++++
>>>  common/image-sig.c          |  7 +++++++
>>>  test/py/tests/test_vboot.py | 31 +++++++++++++++++++++++++++++++
>>>  3 files changed, 48 insertions(+)
>>
>> Reviewed-by: Simon Glass <sjg at chromium.org>
>>
>> Please see below.
>>
>>>
>>> diff --git a/Kconfig b/Kconfig
>>> index 5a82c95..c8b86cd 100644
>>> --- a/Kconfig
>>> +++ b/Kconfig
>>> @@ -267,6 +267,16 @@ config FIT_SIGNATURE
>>>           format support in this case, enable it using
>>>           CONFIG_IMAGE_FORMAT_LEGACY.
>>>
>>> +config FIT_SIGNATURE_MAX_SIZE
>>> +       hex "Max size of signed FIT structures"
>>> +       depends on FIT_SIGNATURE
>>> +       default 0x10000000
>>> +       help
>>> +         This option sets a max size in bytes for verified FIT uImages.
>>> +         A sane value of 256MB protects corrupted DTB structures from overlapping
>>> +         device memory. Assure this size does not extend past expected storage
>>> +         space.
>>> +
>>>  config FIT_VERBOSE
>>>         bool "Show verbose messages when FIT images fail"
>>>         help
>>> diff --git a/common/image-sig.c b/common/image-sig.c
>>> index f65d883..e67d2a2 100644
>>> --- a/common/image-sig.c
>>> +++ b/common/image-sig.c
>>> @@ -156,6 +156,13 @@ static int fit_image_setup_verify(struct image_sign_info *info,
>>>  {
>>>         char *algo_name;
>>>
>>> +#ifdef CONFIG_FIT_SIGNATURE_MAX_SIZE
>>
>> Is there a case where this CONFIG item is not present? If not, can we
>> stop the #ifdef?
>
> I will investigate, perhaps when building host tools?

I was hoping that this file would not be built unless that is defined,
since it only depends on FIT_SIGNATURE.

[..]

Regards,
Simon


More information about the U-Boot mailing list