[RFC PATCH 0/3] boot/fit: fix CVE-2021-27138 while keeping '@' node names

Lorenz Kofler lorenz at sigma-star.at
Mon Jun 8 11:10:22 CEST 2026


Hello!

Gentle ping :) Any feedback on this patch?

On 6/2/26 9:43 AM, Lorenz Kofler wrote:
> CVE-2021-27138 was fixed by rejecting any FIT node whose name contains '@'.
> That stops libfdt's unit-address matching from resolving a reference such
> as "kernel" to a node named "kernel@1".
> 
> Rejecting '@' outright, however, is a regression. We have a customer with
> signed FIT images deployed in the field that use '@' in node names, and
> with signature verification enabled those images are now rejected and fail
> to boot.
> 
> Such names are admittedly not ideal. The devicetree specification only
> allows a unit address when the node has a matching 'reg' property, and
> newer dtc versions warn about violations. New FIT images should therefore
> avoid such names, but existing deployed images still need to keep working.
> 
> This series fixes CVE-2021-27138 without that regression. The root cause is
> not the '@' character itself, but accepting a non-exact node-name match
> when resolving a FIT reference. Patch 1 hardens the lookups so the
> requested name and the resolved node name must match exactly: an inserted
> "kernel@1" can no longer stand in for the "kernel" node. Patches 2 and 3
> then drop the now-redundant blanket '@' rejection.
> 
> Review is welcome, especially on whether I missed any place that looks up a
> FIT node by name.
> 
> Lorenz Kofler (3):
>    boot/fit: require exact subnode matches for FIT references
>    boot/fit: stop rejecting '@' during image and config verification
>    boot/fit: stop rejecting '@' during FIT format checking
> 
>   boot/image-fit-sig.c        | 21 +-----------
>   boot/image-fit.c            | 65 +++----------------------------------
>   common/spl/spl_fit.c        |  4 +--
>   include/image.h             | 28 ++++++++++++++++
>   test/py/tests/test_vboot.py |  7 ++--
>   5 files changed, 39 insertions(+), 86 deletions(-)
> 

-- 
sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, Austria
UID/VAT Nr: ATU 66964118 | FN: 374287y
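The matching behaviour the cover letter describes, as an added illustration that is not part of the series or of U-Boot: a lenient comparison modelled on libfdt's unit-address tolerance (a request without '@' also matches "name@unit") next to the exact comparison the series requires, both run against a constructed list of FIT subnode names in which an extra "kernel@1" node precedes the real "kernel" node.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Lenient rule, modelled on libfdt's fdt_nodename_eq_(): the node name must
 * start with the requested name, and may then either end or continue with a
 * unit address ('@...') when the request itself carries no '@'. */
static bool fit_name_eq_lenient(const char *node, const char *req)
{
	size_t len = strlen(req);

	if (strncmp(node, req, len) != 0)
		return false;
	if (node[len] == '\0')
		return true;
	return node[len] == '@' && memchr(req, '@', len) == NULL;
}

/* Strict rule: requested name and node name must be identical. */
static bool fit_name_eq_strict(const char *node, const char *req)
{
	return strcmp(node, req) == 0;
}

/* Constructed sample: an inserted "kernel@1" listed before the real node. */
static const char *const sample_nodes[] = { "kernel@1", "kernel", "fdt-1" };
static const int sample_count = 3;

/* Resolve a FIT reference against the sample; returns node index or -1. */
static int fit_lookup_demo(const char *req, bool strict)
{
	for (int i = 0; i < sample_count; i++) {
		bool hit = strict ? fit_name_eq_strict(sample_nodes[i], req)
				  : fit_name_eq_lenient(sample_nodes[i], req);
		if (hit)
			return i;
	}
	return -1;
}

int main(void)
{
	/* Lenient lookup lets "kernel@1" shadow "kernel"; strict does not. */
	printf("lenient \"kernel\" -> %s\n", sample_nodes[fit_lookup_demo("kernel", false)]);
	printf("strict  \"kernel\" -> %s\n", sample_nodes[fit_lookup_demo("kernel", true)]);
	return 0;
}
```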