diff options
| author | Aristo Chen <[email protected]> | 2026-07-05 03:44:10 +0000 |
|---|---|---|
| committer | Tom Rini <[email protected]> | 2026-07-16 12:06:15 -0600 |
| commit | a84c7670a698c1d42a6da7e713afdeaaa51eae46 (patch) | |
| tree | 8beea4b20f7f2e6ed52bf430dd7c6b761549ee8b /doc/develop | |
| parent | a8fc408cdfcbc3d8a04b493510a54d852f60550d (diff) | |
vbe: bound FIT external-data offset and size before blk_read
vbe_read_fit() loads a firmware-phase FIT from the trusted firmware area
and then issues a blk_read() to pull in the image, and optionally an
FDT, referenced by the FIT image node. The source offset on the device
and the read length both come from the FIT's data-position or data-offset
property and its data-size property, which live on mutable boot media
and can be controlled by an attacker with prior write access to the
firmware area.
Without a range check the resulting blk_read() can read past the
firmware area on the device and, on the non-SPL path, write an
attacker-chosen number of blocks past the malloc(aligned_size) FIT
buffer into adjacent memory. Only the SPL branch routes through
spl_load_simple_fit(), which hashes the data. The external-data block
reached from TPL or VPL, and from the bootflow path via
abrec_read_bootflow_fw() and vbe_simple_read_bootflow_fw(), runs before
any signature or hash check on the loaded phase.
Confine the FIT-supplied [load_addr, load_addr + len) window to
[addr, addr + area_size] before computing block numbers and lengths,
and apply the same constraint to fdt_load_addr and fdt_size. The checks
are written in subtraction-only form against the trusted area_size so
the comparison itself cannot overflow.
Reviewed-by: Simon Glass <[email protected]>
Signed-off-by: Aristo Chen <[email protected]>
Diffstat (limited to 'doc/develop')
0 files changed, 0 insertions, 0 deletions
