[PATCH v3] image-fit-sig: Validate hashed-strings region size

Anton Ivanov anton at binarly.io
Wed May 27 13:23:38 CEST 2026


fit_config_check_sig() reads the hashed-strings property and uses
its size value without validation when building the region list for
signature verification. A crafted FIT image can specify an arbitrary
size, causing the hash calculation to read beyond the end of the FIT
image.

Validate that the declared strings region fits within the FIT
before adding it to the region list.

Signed-off-by: Anton Ivanov <anton at binarly.io>
---
Changes in v3:
- Update From and Signed-off-by to personal email

Changes in v2:
- Rewrite commit message to be concise per maintainer feedback

 boot/image-fit-sig.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c
index 433df20281f..bdfb5e3eb7c 100644
--- a/boot/image-fit-sig.c
+++ b/boot/image-fit-sig.c
@@ -512,8 +512,18 @@ static int fit_config_check_sig(const void *fit, int noffset, int conf_noffset,
 		 * The strings region offset must be a static 0x0.
 		 * This is set in tool/image-host.c
 		 */
-		fdt_regions[count].offset = fdt_off_dt_strings(fit);
-		fdt_regions[count].size = fdt32_to_cpu(strings[1]);
+		int offset = fdt_off_dt_strings(fit);
+		int size = fdt32_to_cpu(strings[1]);
+		/*
+		 * The offset should be already validated by fdt_check_header();
+		 * validate the size here.
+		 */
+		if (size < 0 || size > fdt_totalsize(fit) - offset) {
+			*err_msgp = "Strings region is out of bounds";
+			return -1;
+		}
+		fdt_regions[count].offset = offset;
+		fdt_regions[count].size = size;
 		count++;
 	}
 
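Review bot: The new condition `size > fdt_totalsize(fit) - offset` is only sound if offset is already known to be no larger than the total size, and nothing in this hunk enforces that. The comment defers to fdt_check_header(), but that call is not visible on this path. Because fdt_totalsize() yields an unsigned 32-bit value in libfdt, an offset beyond the total size would make the subtraction wrap to a large number and the region would be accepted. Consider making the check self-contained by adding a clause such as `offset < 0 || offset > fdt_totalsize(fit)`, or by naming in the comment the caller that runs fdt_check_header() before this point. Separately, storing the result of fdt32_to_cpu(strings[1]) in an int and then testing `size < 0` relies on the conversion of large values to negative; keeping size in an unsigned 32-bit variable and comparing it against the unsigned remainder would avoid the mixed signed/unsigned comparison.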
-- 
2.53.0


