[U-Boot] Buffer overrun risk in UBI SPL for secure boot

Joel Peshkin joel.peshkin at broadcom.com
Wed Sep 4 14:19:42 UTC 2019 

Hi Heiko,

   The place where the issue comes up is in ubispl_load_volumes(), but that
calls ipl_load() internally.

   I guess there are several options....

1) Create a distinct ubispl_scan() function to do the scan without loading
anything and then a new load volume function that takes offset and limit
arguments.   This would have the advantage that a SPL that  needs to parse
one volume before loading the next would only need to scan once, then could
check sizes, then load the individual volumes as needed.  At the same time,
when we need to validate a FIT header before even deciding what we want to
load from it, we would be able to read more incrementally.

2) Add the size limit to struct ubispl_load and not worry about anyone with
non-upstreamed code forgetting to set it

3) Add the size limit to struct ubispl_load but have ubispl_load_volumes()
set the size limit to 0 (unlimited) before calling a new
ubispl_load_volumes_bounded() function.

   Which do you prefer?

   Do I presume correctly that your denx.de email address implies that an
approach you approve will be acceptable if correctly implemented?

Thanks,

Joel Peshkin


On Wed, Sep 4, 2019 at 6:01 AM Heiko Schocher <hs at denx.de> wrote:

> Hello Joel,
>
> Am 04.09.2019 um 06:57 schrieb Joel Peshkin:
> > It seems that, in the process of doing any sort of secure boot chain of
> > trust, anything loading a UBI volume in preparation to authenticate it,
> > will load a volume of unknown size into a buffer prior to checking the
> > signature of that volume.
>
> Hmm.. it is not an unknown size, it loads the complete UBI Volume, so
> it is the size of the UBI Volume ...
> but yes, if an attacker changes the size of UBI Volumes ...
>
> Could you please give us a reference to which piece of code you refer?
>
> is it this part:
>
> drivers/mtd/ubispl/ubispl.c
> static int ipl_load(struct ubi_scan_info *ubi, const u32 vol_id, uint8_t
> *laddr)
>
> yes ... no size...
>
> > Has anyone considered a solution for this?  Should all implementations
> just
> > carve out a buffer at the top of memory for ubispl_load_volume or should
> > the ubispl_load data structure be amended to include a size?  It would
> seem
> > appropriate to include a size, but not clear how to do that without
> > breaking compatibility with existing implementations.
>
> Hmm... yes may an option to add a maxsize to ubispl_load data struct
> ubispl_load.
>
> regarding backwards compatibility, there are not much boards yet, which
> use this feature:
>
> hs at threadripper:u-boot  [master] $ grep -lr SPL_UBI | grep defconfig
> configs/am335x_igep003x_defconfig
> configs/igep00x0_defconfig
> hs at threadripper:u-boot  [master] $
>
> So this should be solveable problem.
>
> bye,
> Heiko
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
> Phone: +49-8142-66989-52   Fax: +49-8142-66989-80   Email: hs at denx.de
>

More information about the U-Boot mailing list