summaryrefslogtreecommitdiff
path: root/scripts/Makefile.extrawarn
diff options
context:
space:
mode:
authorAristo Chen <[email protected]>2026-07-05 03:44:10 +0000
committerTom Rini <[email protected]>2026-07-16 12:06:15 -0600
commita84c7670a698c1d42a6da7e713afdeaaa51eae46 (patch)
tree8beea4b20f7f2e6ed52bf430dd7c6b761549ee8b /scripts/Makefile.extrawarn
parenta8fc408cdfcbc3d8a04b493510a54d852f60550d (diff)
vbe: bound FIT external-data offset and size before blk_read
vbe_read_fit() loads a firmware-phase FIT from the trusted firmware area and then issues a blk_read() to pull in the image, and optionally an FDT, referenced by the FIT image node. The source offset on the device and the read length both come from the FIT's data-position or data-offset property and its data-size property, which live on mutable boot media and can be controlled by an attacker with prior write access to the firmware area. Without a range check the resulting blk_read() can read past the firmware area on the device and, on the non-SPL path, write an attacker-chosen number of blocks past the malloc(aligned_size) FIT buffer into adjacent memory. Only the SPL branch routes through spl_load_simple_fit(), which hashes the data. The external-data block reached from TPL or VPL, and from the bootflow path via abrec_read_bootflow_fw() and vbe_simple_read_bootflow_fw(), runs before any signature or hash check on the loaded phase. Confine the FIT-supplied [load_addr, load_addr + len) window to [addr, addr + area_size] before computing block numbers and lengths, and apply the same constraint to fdt_load_addr and fdt_size. The checks are written in subtraction-only form against the trusted area_size so the comparison itself cannot overflow. Reviewed-by: Simon Glass <[email protected]> Signed-off-by: Aristo Chen <[email protected]>
Diffstat (limited to 'scripts/Makefile.extrawarn')
0 files changed, 0 insertions, 0 deletions