mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-04 13:39:49 +02:00
Code Issues Packages Projects Releases Wiki Activity

u-boot: fix CVE-2020-8432 and CVE-2020-10648

Browse Source 
Backport fixes for CVE-2020-8432 and CVE-2020-10648 from upstream.

(From OE-Core rev: 9c6131bc46e233ea8e446c49bba4360ec06b7168)

Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Scott Murray
2021-02-21 21:15:43 -05:00
committed by Richard Purdie
parent a50fe284b9
commit 514e6a9dad
4 changed files with 267 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

98
meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch Normal file
View File

@@ -0,0 +1,98 @@
From 67acad3db71bb372458fbb8a77749f5eb88aa324 Mon Sep 17 00:00:00 2001
From: Simon Glass <sjg@chromium.org>
Date: Wed, 18 Mar 2020 11:44:01 -0600
Subject: [PATCH] image: Check hash-nodes when checking configurations
It is currently possible to use a different configuration's signature and
thus bypass the configuration check. Make sure that the configuration node
that was hashed matches the one being checked, to catch this problem.
Also add a proper function comment to fit_config_check_sig() and make it
static.
Signed-off-by: Simon Glass <sjg@chromium.org>
CVE: CVE-2020-10648
Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/67acad3db71bb372458fbb8a77749f5eb88aa324]
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
common/image-sig.c | 36 +++++++++++++++++++++++++++++++++---
1 file changed, 33 insertions(+), 3 deletions(-)
diff --git a/common/image-sig.c b/common/image-sig.c
index 13ccd50bc5..03143a4040 100644
--- a/common/image-sig.c
+++ b/common/image-sig.c
@@ -359,20 +359,39 @@ int fit_image_verify_required_sigs(const void *fit, int image_noffset,
return 0;
}
-int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
- char **err_msgp)
+/**
+ * fit_config_check_sig() - Check the signature of a config
+ *
+ * @fit: FIT to check
+ * @noffset: Offset of configuration node (e.g. /configurations/conf-1)
+ * @required_keynode: Offset in the control FDT of the required key node,
+ * if any. If this is given, then the configuration wil not
+ * pass verification unless that key is used. If this is
+ * -1 then any signature will do.
+ * @conf_noffset: Offset of the configuration subnode being checked (e.g.
+ * /configurations/conf-1/kernel)
+ * @err_msgp: In the event of an error, this will be pointed to a
+ * help error string to display to the user.
+ * @return 0 if all verified ok, <0 on error
+ */
+static int fit_config_check_sig(const void *fit, int noffset,
+ int required_keynode, int conf_noffset,
+ char **err_msgp)
{
char * const exc_prop[] = {"data"};
const char *prop, *end, *name;
struct image_sign_info info;
const uint32_t *strings;
+ const char *config_name;
uint8_t *fit_value;
int fit_value_len;
+ bool found_config;
int max_regions;
int i, prop_len;
char path[200];
int count;
+ config_name = fit_get_name(fit, conf_noffset, NULL);
debug("%s: fdt=%p, conf='%s', sig='%s'\n", __func__, gd_fdt_blob(),
fit_get_name(fit, noffset, NULL),
fit_get_name(gd_fdt_blob(), required_keynode, NULL));
@@ -413,9 +432,20 @@ int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
char *node_inc[count];
debug("Hash nodes (%d):\n", count);
+ found_config = false;
for (name = prop, i = 0; name < end; name += strlen(name) + 1, i++) {
debug(" '%s'\n", name);
node_inc[i] = (char *)name;
+ if (!strncmp(FIT_CONFS_PATH, name, strlen(FIT_CONFS_PATH)) &&
+ name[sizeof(FIT_CONFS_PATH) - 1] == '/' &&
+ !strcmp(name + sizeof(FIT_CONFS_PATH), config_name)) {
+ debug(" (found config node %s)", config_name);
+ found_config = true;
+ }
+ }
+ if (!found_config) {
+ *err_msgp = "Selected config not in hashed nodes";
+ return -1;
}
/*
@@ -483,7 +513,7 @@ static int fit_config_verify_sig(const void *fit, int conf_noffset,
if (!strncmp(name, FIT_SIG_NODENAME,
strlen(FIT_SIG_NODENAME))) {
ret = fit_config_check_sig(fit, noffset, sig_offset,
- &err_msg);
+ conf_noffset, &err_msg);
if (ret) {
puts("- ");
} else {

52
meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch Normal file
View File

@@ -0,0 +1,52 @@
From 8a9d03732e6d0f68107c80919096e7cf956dcb3d Mon Sep 17 00:00:00 2001
From: Simon Glass <sjg@chromium.org>
Date: Wed, 18 Mar 2020 11:44:02 -0600
Subject: [PATCH] image: Load the correct configuration in fit_check_sign
At present bootm_host_load_images() is passed the configuration that has
been verified, but ignores it and just uses the default configuration.
This may not be the same.
Update this function to use the selected configuration.
Signed-off-by: Simon Glass <sjg@chromium.org>
CVE: CVE-2020-10648
Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/8a9d03732e6d0f68107c80919096e7cf956dcb3d]
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
common/bootm.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/common/bootm.c b/common/bootm.c
index 902c13880d..db4362a643 100644
--- a/common/bootm.c
+++ b/common/bootm.c
@@ -819,7 +819,8 @@ void __weak switch_to_non_secure_mode(void)
#else /* USE_HOSTCC */
#if defined(CONFIG_FIT_SIGNATURE)
-static int bootm_host_load_image(const void *fit, int req_image_type)
+static int bootm_host_load_image(const void *fit, int req_image_type,
+ int cfg_noffset)
{
const char *fit_uname_config = NULL;
ulong data, len;
@@ -831,6 +832,7 @@ static int bootm_host_load_image(const void *fit, int req_image_type)
void *load_buf;
int ret;
+ fit_uname_config = fdt_get_name(fit, cfg_noffset, NULL);
memset(&images, '\0', sizeof(images));
images.verify = 1;
noffset = fit_image_load(&images, (ulong)fit,
@@ -878,7 +880,7 @@ int bootm_host_load_images(const void *fit, int cfg_noffset)
for (i = 0; i < ARRAY_SIZE(image_types); i++) {
int ret;
- ret = bootm_host_load_image(fit, image_types[i]);
+ ret = bootm_host_load_image(fit, image_types[i], cfg_noffset);
if (!err && ret && ret != -ENOENT)
err = ret;
}

114
meta/recipes-bsp/u-boot/files/CVE-2020-8432.patch Normal file
View File

@@ -0,0 +1,114 @@
From 5749faa3d6837d6dbaf2119fc3ec49a326690c8f Mon Sep 17 00:00:00 2001
From: Tom Rini <trini@konsulko.com>
Date: Tue, 21 Jan 2020 11:53:38 -0500
Subject: [PATCH] cmd/gpt: Address error cases during gpt rename more correctly
New analysis by the tool has shown that we have some cases where we
weren't handling the error exit condition correctly. When we ran into
the ENOMEM case we wouldn't exit the function and thus incorrect things
could happen. Rework the unwinding such that we don't need a helper
function now and free what we may have allocated.
Fixes: 18030d04d25d ("GPT: fix memory leaks identified by Coverity")
Reported-by: Coverity (CID: 275475, 275476)
Cc: Alison Chaiken <alison@she-devel.com>
Cc: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Cc: Jordy <jordy@simplyhacker.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
CVE: CVE-2020-8432
Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/5749faa3d6837d6dbaf2119fc3ec49a326690c8f]
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
cmd/gpt.c | 47 ++++++++++++-----------------------------------
1 file changed, 12 insertions(+), 35 deletions(-)
diff --git a/cmd/gpt.c b/cmd/gpt.c
index 0c4349f4b2..964702bad4 100644
--- a/cmd/gpt.c
+++ b/cmd/gpt.c
@@ -633,21 +633,6 @@ static int do_disk_guid(struct blk_desc *dev_desc, char * const namestr)
}
#ifdef CONFIG_CMD_GPT_RENAME
-/*
- * There are 3 malloc() calls in set_gpt_info() and there is no info about which
- * failed.
- */
-static void set_gpt_cleanup(char **str_disk_guid,
- disk_partition_t **partitions)
-{
-#ifdef CONFIG_RANDOM_UUID
- if (str_disk_guid)
- free(str_disk_guid);
-#endif
- if (partitions)
- free(partitions);
-}
-
static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
char *name1, char *name2)
{
@@ -655,7 +640,7 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
struct disk_part *curr;
disk_partition_t *new_partitions = NULL;
char disk_guid[UUID_STR_LEN + 1];
- char *partitions_list, *str_disk_guid;
+ char *partitions_list, *str_disk_guid = NULL;
u8 part_count = 0;
int partlistlen, ret, numparts = 0, partnum, i = 1, ctr1 = 0, ctr2 = 0;
@@ -697,14 +682,8 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
/* set_gpt_info allocates new_partitions and str_disk_guid */
ret = set_gpt_info(dev_desc, partitions_list, &str_disk_guid,
&new_partitions, &part_count);
- if (ret < 0) {
- del_gpt_info();
- free(partitions_list);
- if (ret == -ENOMEM)
- set_gpt_cleanup(&str_disk_guid, &new_partitions);
- else
- goto out;
- }
+ if (ret < 0)
+ goto out;
if (!strcmp(subcomm, "swap")) {
if ((strlen(name1) > PART_NAME_LEN) || (strlen(name2) > PART_NAME_LEN)) {
@@ -766,14 +745,8 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
* Even though valid pointers are here passed into set_gpt_info(),
* it mallocs again, and there's no way to tell which failed.
*/
- if (ret < 0) {
- del_gpt_info();
- free(partitions_list);
- if (ret == -ENOMEM)
- set_gpt_cleanup(&str_disk_guid, &new_partitions);
- else
- goto out;
- }
+ if (ret < 0)
+ goto out;
debug("Writing new partition table\n");
ret = gpt_restore(dev_desc, disk_guid, new_partitions, numparts);
@@ -795,10 +768,14 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
}
printf("new partition table with %d partitions is:\n", numparts);
print_gpt_info();
- del_gpt_info();
out:
- free(new_partitions);
- free(str_disk_guid);
+ del_gpt_info();
+#ifdef CONFIG_RANDOM_UUID
+ if (str_disk_guid)
+ free(str_disk_guid);
+#endif
+ if (new_partitions)
+ free(new_partitions);
free(partitions_list);
return ret;
}

3
meta/recipes-bsp/u-boot/u-boot-common.inc
View File

@@ -16,6 +16,9 @@ SRCREV = "303f8fed261020c1cb7da32dad63b610bf6873dd"
SRC_URI = "git://git.denx.de/u-boot.git \
file://remove-redundant-yyloc-global.patch \
file://CVE-2020-8432.patch \
file://CVE-2020-10648-1.patch \
file://CVE-2020-10648-2.patch \
"
S = "${WORKDIR}/git"