summaryrefslogtreecommitdiff
path: root/common/dlmalloc.src
diff options
context:
space:
mode:
authorTom Rini <[email protected]>2026-07-16 12:06:40 -0600
committerTom Rini <[email protected]>2026-07-16 12:06:40 -0600
commit91303d8a663248e15bd76801778ff709e490d88d (patch)
tree93ec44f926d18a6cbff37b9261872dbd0a7ea2a0 /common/dlmalloc.src
parenta5ef1849394de475ee3bb9ebfc7629b4dd3b746a (diff)
parent9fa00f563bea7ac4a4fda3220e05b21ebd4a242f (diff)
Merge patch series "vbe: bound FIT external-data reads against the firmware area"
Aristo Chen <[email protected]> says: vbe_read_fit() loads a firmware-phase FIT from a fixed firmware area on a block device and then issues a follow-up blk_read() to pull in the image, and optionally an FDT, referenced by the FIT's image node. The source offset on the device and the read length both come from the FIT itself, via data-position or data-offset and data-size. Those properties live on mutable boot media and can be controlled by an attacker with write access to the firmware area. On the TPL or VPL path, and on the bootmeth bootflow path reached via abrec_read_bootflow_fw() and vbe_simple_read_bootflow_fw(), the follow-up blk_read() runs before any signature or hash check on the loaded phase. Patch 1 is a sandbox test-tree preparation. The firmware1 node in arch/sandbox/dts/test.dts declared area-size = 0xe00000 (14 MiB), but the binman fw-update section in sandbox_vpl.dtsi is 32 MiB and the FIT inside it carries ~16 MiB of external data, so the FIT already extended past the declared area. The mismatch was tolerated because no caller bounded the external-data load against area_size. Patch 1 raises area-size to match the binman section size so test_vbe_vpl keeps passing once the bound is enforced. The patches are ordered so the test is never broken in the middle of the series. Patch 2 adds the missing range check, confining the FIT-supplied [load_addr, load_addr + len) window to [addr, addr + area_size] before block numbers and lengths are computed, and applying the same constraint to fdt_load_addr and fdt_size. The check is written in subtraction-only form against the trusted area_size so the comparison cannot itself overflow. Patch 3 adds two sandbox unit tests under test/boot/ that construct synthetic FITs with out-of-range data-position and oversized data-size, write them to mmc1, and confirm vbe_read_fit() returns -E2BIG for each before issuing the follow-up blk_read(). Deferring the external-data blk_read() until after the phase has been signature-verified would be a stronger structural fix and was discussed on the v1 thread. Simon confirmed the bounded read is the right first step and that the verify-then-load change should be a separate series, so this v3 stays scoped to the bound. Link: https://lore.kernel.org/r/[email protected]
Diffstat (limited to 'common/dlmalloc.src')
0 files changed, 0 insertions, 0 deletions