[PATCH v1 0/2] vbe: bound FIT external-data reads against the firmware area
Aristo Chen
aristo.chen at canonical.com
Sun Jun 21 16:39:32 CEST 2026
vbe_read_fit() loads a firmware-phase FIT from a fixed firmware area on
a block device and then issues a follow-up blk_read() to pull in the
image, and optionally an FDT, referenced by the FIT's image node. The
source offset on the device and the read length both come from the FIT
itself, via data-position or data-offset and data-size. Those properties
live on mutable boot media and can be controlled by an attacker with
write access to the firmware area. On the TPL or VPL path, and on the
bootmeth bootflow path reached via abrec_read_bootflow_fw() and
vbe_simple_read_bootflow_fw(), the follow-up blk_read() runs before any
signature or hash check on the loaded phase.

Patch 1 is a sandbox test-tree preparation. The firmware1 node in
arch/sandbox/dts/test.dts declared area-size = 0xe00000 (14 MiB), but
the binman fw-update section in sandbox_vpl.dtsi is 32 MiB and the FIT
inside it carries ~16 MiB of external data, so the FIT already extended
past the declared area. The mismatch was tolerated because no caller
bounded the external-data load against area_size. Patch 1 raises
area-size to match the binman section size so test_vbe_vpl keeps passing
once the bound is enforced. The patches are ordered so the test is never
broken in the middle of the series.

Patch 2 adds the missing range check, confining the FIT-supplied
[load_addr, load_addr + len) window to [addr, addr + area_size] before
block numbers and lengths are computed, and applying the same constraint
to fdt_load_addr and fdt_size. The check is written in subtraction-only
form against the trusted area_size so the comparison cannot itself
overflow.

One open question: should the external-data blk_read() in vbe_read_fit()
also be deferred until after the phase has been signature-verified,
rather than just bounded? Patch 2 hardens the load step, but moving
verification earlier would be a stronger structural fix. Happy to follow
up with a separate change if that is preferred.
Aristo Chen (2):
  sandbox: vbe: size firmware1 area to fit the binman fw-update section
  vbe: bound FIT external-data offset and size before blk_read

 arch/sandbox/dts/test.dts |  2 +-
 boot/vbe_common.c         | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
--
2.43.0
More information about the U-Boot mailing list
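As an added example (not code from this series and not U-Boot's boot/vbe_common.c), the following C shows the subtraction-only bound the cover letter describes for patch 2 beside the naive additive form, and derives a block count only once the window is known to lie inside the area. The helper names window_in_area, window_in_area_naive and bounded_blkcnt, the 8 MiB area start and the 512-byte block size are assumptions chosen for illustration; the 32 MiB area and 16 MiB payload mirror the sizes the cover letter mentions. The sample values in main() are constructed, not taken from a real device.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Trusted inputs: addr (device offset where the firmware area starts) and
 * area_size, both from the device tree. Untrusted inputs: load_addr and
 * len, which derive from the FIT's data-position / data-offset and
 * data-size properties on mutable boot media.
 *
 * Naive form: load_addr + len and addr + area_size can both wrap, so a
 * FIT can make the sum land back inside the area and pass the check.
 */
static bool window_in_area_naive(uint64_t addr, uint64_t area_size,
                                 uint64_t load_addr, uint64_t len)
{
    return load_addr >= addr && load_addr + len <= addr + area_size;
}

/*
 * Subtraction-only form: true iff [load_addr, load_addr + len) lies within
 * [addr, addr + area_size]. No sum involving an untrusted value is formed,
 * and each subtraction is guarded so it cannot underflow.
 */
static bool window_in_area(uint64_t addr, uint64_t area_size,
                           uint64_t load_addr, uint64_t len)
{
    uint64_t off;

    if (load_addr < addr)
        return false;               /* window starts before the area */
    off = load_addr - addr;         /* no underflow: load_addr >= addr */
    if (off > area_size)
        return false;               /* window starts beyond the area */
    return len <= area_size - off;  /* no underflow: off <= area_size */
}

/*
 * Hypothetical read planner: returns the number of blksz-sized blocks a
 * blk_read() of the window needs, or -1 if the window is rejected. Block
 * arithmetic happens only after the bound, so the additions it performs
 * are on values already proven to sit inside the trusted area (assumes
 * the trusted area itself does not wrap, i.e. addr + area_size fits).
 */
static int64_t bounded_blkcnt(uint64_t addr, uint64_t area_size,
                              uint64_t blksz, uint64_t load_addr,
                              uint64_t len)
{
    uint64_t first, last;

    if (!blksz || !window_in_area(addr, area_size, load_addr, len))
        return -1;
    if (!len)
        return 0;
    first = load_addr / blksz;
    last = (load_addr + (len - 1)) / blksz;
    return (int64_t)(last - first + 1);
}

int main(void)
{
    /* Constructed values: 8 MiB area start, 32 MiB area, 512-byte blocks. */
    const uint64_t addr = 0x800000, area_size = 0x2000000, blksz = 512;
    /* A 16 MiB image 1 MiB into the area is in bounds on both checks. */
    uint64_t ok_addr = 0x900000, ok_len = 0x1000000;
    /* len chosen so load_addr + len wraps to exactly 0. */
    uint64_t wrap_len = UINT64_MAX - addr + 1;

    printf("in-range image: naive=%d bounded=%d blocks=%lld\n",
           window_in_area_naive(addr, area_size, ok_addr, ok_len),
           window_in_area(addr, area_size, ok_addr, ok_len),
           (long long)bounded_blkcnt(addr, area_size, blksz, ok_addr, ok_len));
    printf("wrapping len:   naive=%d bounded=%d\n",
           window_in_area_naive(addr, area_size, addr, wrap_len),
           window_in_area(addr, area_size, addr, wrap_len));
    return 0;
}
```

The same helper serves the optional FDT: call window_in_area() a second time with fdt_load_addr and fdt_size before computing its block numbers. The wrapping case is the one the naive form accepts: with load_addr equal to addr and len equal to 2^64 minus addr, the sum is 0, which is trivially at or below addr + area_size, while the subtraction-only form rejects it because len exceeds area_size minus the (zero) offset.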