[PATCH 2/8] fit: Don't allow verification of images with @ nodes
Tom Rini
trini at konsulko.com
Tue Feb 16 04:35:58 CET 2021
On Mon, Feb 15, 2021 at 05:08:06PM -0700, Simon Glass wrote:
> When searching for a node called 'fred', any unit address appended to the
> name is ignored by libfdt, meaning that 'fred' can match 'fred@1'. This
> means that we cannot be sure that the node originally intended is the one
> that is used.
>
> Disallow use of nodes with unit addresses.
>
> Update the forge test also, since it uses @ addresses.
>
> CVE-2021-27138
>
> Signed-off-by: Simon Glass <sjg at chromium.org>
> Reported-by: Bruce Monroe <bruce.monroe at intel.com>
> Reported-by: Arie Haenel <arie.haenel at intel.com>
> Reported-by: Julien Lenoir <julien.lenoir at intel.com>
Applied to u-boot/master, thanks!
--
Tom
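
An added example (not part of the original message, and not U-Boot or libfdt code) that models the name matching described in the quoted commit message, beside a check that refuses a selected node whose name contains '@'. The function names, the `strict` flag and the sample node lists are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model of the lookup rule in the commit message (not libfdt's source):
 * a search for `want` also matches `want@<unit-address>` when `want`
 * itself carries no unit address. */
static bool lenient_name_match(const char *node_name, const char *want)
{
	size_t len = strlen(want);

	if (strncmp(node_name, want, len) != 0)
		return false;
	if (node_name[len] == '\0')
		return true;	/* exact match */
	return node_name[len] == '@' && strchr(want, '@') == NULL;
}

/* Return the index of the first node the lenient search selects, or -1.
 * With `strict` set (hypothetical flag), a selected node whose name
 * contains '@' is refused instead of being handed to verification. */
static int select_node(const char *const *names, size_t count,
		       const char *want, bool strict)
{
	for (size_t i = 0; i < count; i++) {
		if (!lenient_name_match(names[i], want))
			continue;
		if (strict && strchr(names[i], '@') != NULL)
			return -1;
		return (int)i;
	}
	return -1;
}

/* Constructed samples: sibling node names in tree order. */
static const char *const ambiguous_nodes[] = { "fred@1", "fred" };
static const char *const clean_nodes[] = { "kernel", "fred" };

int main(void)
{
	printf("lenient, ambiguous: %d\n", select_node(ambiguous_nodes, 2, "fred", false));
	printf("strict,  ambiguous: %d\n", select_node(ambiguous_nodes, 2, "fred", true));
	printf("strict,  clean:     %d\n", select_node(clean_nodes, 2, "fred", true));
	return 0;
}
```

In the lenient case the search for 'fred' returns index 0, the 'fred@1' node, which is the ambiguity the commit message describes; the strict case rejects that lookup outright.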