[PATCH v1 2/2] vbe: bound FIT external-data offset and size before blk_read

Simon Glass sjg at chromium.org
Thu Jun 25 10:03:36 CEST 2026


On 2026-06-21T14:39:32, Aristo Chen <aristo.chen at canonical.com> wrote:
> vbe: bound FIT external-data offset and size before blk_read
>
> vbe_read_fit() loads a firmware-phase FIT from the trusted firmware area
> and then issues a blk_read() to pull in the image, and optionally an
> FDT, referenced by the FIT image node. The source offset on the device
> and the read length both come from the FIT's data-position or data-offset
> property and its data-size property, which live on mutable boot media
> and can be controlled by an attacker with prior write access to the
> firmware area.
>
> Without a range check the resulting blk_read() can read past the
> firmware area on the device and, on the non-SPL path, write an
> attacker-chosen number of blocks past the malloc(aligned_size) FIT
> buffer into adjacent memory. Only the SPL branch routes through
> spl_load_simple_fit(), which hashes the data. The external-data block
> reached from TPL or VPL, and from the bootflow path via
> abrec_read_bootflow_fw() and vbe_simple_read_bootflow_fw(), runs before
> any signature or hash check on the loaded phase.
>
> Confine the FIT-supplied [load_addr, load_addr + len) window to
> [addr, addr + area_size] before computing block numbers and lengths,
> and apply the same constraint to fdt_load_addr and fdt_size. The checks
> are written in subtraction-only form against the trusted area_size so
> the comparison itself cannot overflow.
>
> Signed-off-by: Aristo Chen <aristo.chen at canonical.com>
>
> boot/vbe_common.c | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)

Reviewed-by: Simon Glass <sjg at chromium.org>
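The subtraction-only window check the commit message describes, written out as an added example (not the patch's own code; the function names are hypothetical, the variable names follow the message) with the naive additive form beside it to show why the subtraction form is preferred:

```c
#include <stdbool.h>
#include <stdint.h>

/*
 * Added illustration, not code from the patch. Checks that the
 * FIT-supplied window [load_addr, load_addr + len) lies inside the
 * trusted firmware area [addr, addr + area_size].
 */

/* Naive form: load_addr + len can wrap, so an oversized len slips through. */
bool window_ok_naive(uint64_t addr, uint64_t area_size,
		     uint64_t load_addr, uint64_t len)
{
	return load_addr >= addr && load_addr + len <= addr + area_size;
}

/*
 * Subtraction-only form: each subtraction is guarded by the comparison
 * before it, so no intermediate value can overflow or underflow, and
 * every bound is taken from the trusted area_size rather than from the
 * untrusted FIT properties.
 */
bool window_ok(uint64_t addr, uint64_t area_size,
	       uint64_t load_addr, uint64_t len)
{
	uint64_t off;

	if (load_addr < addr)
		return false;
	off = load_addr - addr;		/* safe: load_addr >= addr */
	if (off > area_size)
		return false;
	if (len > area_size - off)	/* safe: off <= area_size */
		return false;
	return true;
}

/* The same constraint applied to both the image and the optional FDT. */
bool fit_windows_ok(uint64_t addr, uint64_t area_size,
		    uint64_t load_addr, uint64_t len,
		    bool have_fdt, uint64_t fdt_load_addr, uint64_t fdt_size)
{
	if (!window_ok(addr, area_size, load_addr, len))
		return false;
	if (have_fdt && !window_ok(addr, area_size, fdt_load_addr, fdt_size))
		return false;
	return true;
}
```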
