[RFC PATCH 0/3] boot/fit: fix CVE-2021-27138 while keeping '@' node names

Lorenz Kofler lorenz at sigma-star.at
Wed Jun 10 12:15:10 CEST 2026 

On 6/8/26 4:20 PM, Tom Rini wrote:
> On Mon, Jun 08, 2026 at 11:10:22AM +0200, Lorenz Kofler wrote:
>> Hello!
>>
>> Gentle ping :) Any feedback on this patch?
>>
>> On 6/2/26 9:43 AM, Lorenz Kofler wrote:
>>> CVE-2021-27138 was fixed by rejecting any FIT node whose name contains '@'.
>>> That stops libfdt's unit-address matching from resolving a reference such
>>> as "kernel" to a node named "kernel at 1".
>>>
>>> Rejecting '@' outright, however, is a regression. We have a customer with
>>> signed FIT images deployed in the field that use '@' in node names, and
>>> with signature verification enabled those images are now rejected and fail
>>> to boot.
>>>
>>> Such names are admittedly not ideal. The devicetree specification only
>>> allows a unit address when the node has a matching 'reg' property, and
>>> newer dtc versions warn about violations. New FIT images should therefore
>>> avoid such names, but existing deployed images still need to keep working.
>>>
>>> This series fixes CVE-2021-27138 without that regression. The root cause is
>>> not the '@' character itself, but accepting a non-exact node-name match
>>> when resolving a FIT reference. Patch 1 hardens the lookups so the
>>> requested name and the resolved node name must match exactly: an inserted
>>> "kernel at 1" can no longer stand in for the "kernel" node. Patches 2 and 3
>>> then drop the now-redundant blanket '@' rejection.
>>>
>>> Review is welcome, especially on whether I missed any place that looks up a
>>> FIT node by name.
> 
> I think it's good to have made this public, for anyone else that's in a
> similar situation, but that the migration path for deployed systems here
> should include a step migration away from deprecated images. We're a bit
> more than 5 years past the original fix and so while I would have been
> open to this change in 2021, or maybe even early 2022, it's just too
> late at this point.
> 

Ah yes, that makes sense.

Thanks!
Lorenz

-- 
sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, Austria
UID/VAT Nr: ATU 66964118 | FN: 374287y

More information about the U-Boot mailing list