[PATCH v1 0/2] spl: fit: bound external data-size in load_simple_fit()
Aristo Chen
aristo.chen at canonical.com
Thu Jun 18 17:47:45 CEST 2026

This series closes a pre-authentication memory corruption window in
the SPL FIT loader. load_simple_fit() in common/spl/spl_fit.c reads
external image data from the boot device with a transfer sized from
the FIT data-size property, and only verifies the image hash after
the read has already happened. data-size is in the exc_prop[]
exclusion list in boot/image-fit-sig.c, so it is not covered by the
configuration signature and stays under the control of anyone able
to modify the boot medium even when CONFIG_SPL_FIT_SIGNATURE is on.
An inflated value drives info->read() into the destination before
fit_image_verify_with_data() can reject the image. The device-tree
overlay path is the sharpest case, because there the destination is
a fixed CONFIG_SPL_LOAD_FIT_APPLY_OVERLAY_BUF_SZ heap buffer rather
than a sized load region.

Patch 1 adds a max_size argument to load_simple_fit() and rejects
both the raw data-size and the block-aligned transfer length with
-EFBIG before the device read is issued. The data-size property is
read into an int, so a value with bit 31 set arrives as a negative
number, and comparing it as an unsigned quantity rejects that case
too. Callers that load into a memory region pass CONFIG_SYS_BOOTM_LEN,
the same limit spl_parse_legacy_validate() already applies to legacy
images. The overlay path passes the size of its temporary buffer.
The two guards share one diagnostic printf via a goto to a common
label so the bound check stays under the SPL SRAM budget on size
constrained boards such as am335x_hs_evm (CONFIG_SPL_MAX_SIZE =
0xb0b0). Measured cost on that defconfig is 57 bytes of .text,
leaving 114 bytes of headroom against the limit.

Patch 2 adds a sandbox regression test in test/image/spl_load.c. It
builds a FIT with external data, then rewrites the data-size
property in place to a value far beyond both the image buffer and
any plausible load region, and asserts that spl_load_simple_fit()
returns -EFBIG instead of overrunning the destination. Without the
fix the test crashes inside the test-harness read callback when
memcpy() walks past the small calloc'd image; with the fix the load
is rejected cleanly.
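The check patch 1 describes, and the shape of the regression patch 2 adds, as an added illustration that is not the series' own code: data-size arrives as an int, is compared as an unsigned quantity against the caller's limit, is rounded up to whole device blocks, and the rounded length is checked again, all before any device read. Every name here (bounded_xfer_len, load_external_data, the fake_dev read stub, the EXAMPLE_* limits standing in for CONFIG_SYS_BOOTM_LEN and the overlay buffer size) is an assumption made for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed limits for this example; not U-Boot's CONFIG_ values. */
#define EXAMPLE_BOOTM_LEN   (64u << 20)  /* stand-in for CONFIG_SYS_BOOTM_LEN */
#define EXAMPLE_OVERLAY_BUF (16u << 10)  /* stand-in for the overlay temp buffer */
#define EXAMPLE_BL_LEN      512u         /* boot device block size */

/* Block-aligned transfer length for a FIT data-size (an int, as read from
 * the property), or -EFBIG if either the raw or the aligned size exceeds
 * max_size. Rejects before anything is read from the device. */
long bounded_xfer_len(int data_size, size_t max_size, size_t bl_len)
{
    /* Unsigned compare: bit 31 set becomes a huge value and fails the bound. */
    size_t raw = (unsigned int)data_size;
    if (raw > max_size)
        return -EFBIG;
    /* The read is issued in whole blocks, so the rounded length must fit too. */
    size_t rem = raw % bl_len;
    size_t aligned = rem ? raw + (bl_len - rem) : raw;
    if (aligned < raw || aligned > max_size || aligned > (size_t)LONG_MAX)
        return -EFBIG;
    return (long)aligned;
}

/* Stand-in for the SPL load_info read callback over a constructed medium. */
struct fake_dev {
    const uint8_t *media;
    size_t media_len;
    unsigned reads;  /* device reads actually issued */
};

static size_t fake_read(struct fake_dev *dev, size_t off, size_t len, void *dst)
{
    dev->reads++;
    if (off > dev->media_len)
        return 0;
    if (len > dev->media_len - off)
        len = dev->media_len - off;
    memcpy(dst, dev->media + off, len);
    return len;
}

/* Load external image data claimed to be data_size bytes at data_off into
 * dst, whose capacity is max_size. The bound runs before the device read;
 * hash/signature verification would follow the (now bounded) read. */
int load_external_data(struct fake_dev *dev, size_t data_off, int data_size,
                       void *dst, size_t max_size)
{
    long xfer = bounded_xfer_len(data_size, max_size, EXAMPLE_BL_LEN);
    if (xfer < 0) {
        printf("external data-size %d exceeds limit %zu\n", data_size, max_size);
        return (int)xfer;
    }
    if (fake_read(dev, data_off, (size_t)xfer, dst) != (size_t)xfer)
        return -EIO;
    return 0;
}

unsigned g_reads;  /* reads issued by the most recent case below */

/* Mirrors the described regression: a small constructed image whose
 * data-size claims far more than the overlay-sized destination. */
int oversized_data_size_case(void)
{
    static const uint8_t media[4096];
    struct fake_dev dev = { media, sizeof(media), 0 };
    uint8_t dst[EXAMPLE_OVERLAY_BUF];
    int ret = load_external_data(&dev, 1024, 0x7fffffff, dst, sizeof(dst));
    g_reads = dev.reads;
    return ret;  /* -EFBIG, with no read issued */
}

/* A well-formed image: 1000 bytes rounds to two blocks and fits. */
int well_formed_case(void)
{
    static const uint8_t media[4096];
    struct fake_dev dev = { media, sizeof(media), 0 };
    uint8_t dst[EXAMPLE_OVERLAY_BUF];
    int ret = load_external_data(&dev, 1024, 1000, dst, sizeof(dst));
    g_reads = dev.reads;
    return ret;  /* 0, one read of 1024 bytes */
}

int main(void)
{
    int bad = oversized_data_size_case();
    printf("oversized: ret=%d reads=%u\n", bad, g_reads);
    int good = well_formed_case();
    printf("well-formed: ret=%d reads=%u\n", good, g_reads);
    return (bad == -EFBIG && good == 0) ? 0 : 1;
}
```

Callers loading into a memory region would pass EXAMPLE_BOOTM_LEN where the overlay case passes its buffer size; the same function covers both because only the limit differs.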

Verified on sandbox_spl_defconfig: the new test passes, and the full
SPL unit test suite reports 20 run, 1 skipped, 0 failures. Also
cross-built am335x_hs_evm_defconfig and am335x_hs_evm_spi_defconfig
with arm-linux-gnueabihf-, both within the SRAM budget.

Aristo Chen (2):
  spl: fit: bound the external data size before reading it
  test: spl: check load_simple_fit() rejects an oversized data-size

 common/spl/spl_fit.c  | 41 ++++++++++++++++++++++++++++++------
 test/image/spl_load.c | 49 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+), 6 deletions(-)

--
2.43.0