At present this function does not accept a size for the FIT. This means
that the size must be read from the FIT itself, introducing a potential
security risk. Update the function to include a size parameter, which can be
invalid, in which case fit_check_format() calculates it.
For now no callers pass the size, but this can be updated later.
Also adjust the return value to an error code so that all the different
types of problems can be distinguished by the user.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
This patch includes this one as well:
https://github.com/u-boot/u-boot/commit/
ea1a9ec5f430359720d9a0621ed1acfbba6a142a.patch
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://github.com/u-boot/u-boot/commit/
c5819701a3de61e2ba2ef7ad0b616565b32305e5
Origin: https://github.com/u-boot/u-boot/commit/
ea1a9ec5f430359720d9a0621ed1acfbba6a142a
Bug: https://github.com/advisories/GHSA-3w66-96j7-fmcp
Bug-Debian: https://bugs.debian.org/983270
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-27097
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2021-27097
Gbp-Pq: Name CVE-2021-27097-2.patch
return false;
}
- if (!fit_check_format(sec_firmware_img)) {
+ if (fit_check_format(sec_firmware_img, IMAGE_SIZE_INVAL)) {
printf("SEC Firmware: Bad firmware image (bad FIT header)\n");
return false;
}
case IMAGE_FORMAT_FIT:
puts(" FIT image found\n");
- if (!fit_check_format(hdr)) {
+ if (fit_check_format(hdr, IMAGE_SIZE_INVAL)) {
puts("Bad FIT image format!\n");
unmap_sysmem(hdr);
return 1;
#endif
#if defined(CONFIG_FIT)
case IMAGE_FORMAT_FIT:
- if (!fit_check_format(hdr))
+ if (fit_check_format(hdr, IMAGE_SIZE_INVAL))
goto next_sector;
printf("FIT Image at %08lX:\n", (ulong)hdr);
return ret;
}
- if (!fit_check_format(imgdata)) {
+ if (fit_check_format(imgdata, IMAGE_SIZE_INVAL)) {
free(imgdata);
return 0;
}
/* This cannot be done earlier,
* we need complete FIT image in RAM first */
if (genimg_get_format((void *) addr) == IMAGE_FORMAT_FIT) {
- if (!fit_check_format(fit_hdr)) {
+ if (fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) {
bootstage_error(BOOTSTAGE_ID_IDE_FIT_READ);
puts("** Bad FIT image format\n");
return 1;
return CMD_RET_FAILURE;
}
- if (!fit_check_format(fit_hdr)) {
+ if (fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) {
puts("Bad FIT image format\n");
return CMD_RET_FAILURE;
}
#if defined(CONFIG_FIT)
/* This cannot be done earlier, we need complete FIT image in RAM first */
if (genimg_get_format ((void *)addr) == IMAGE_FORMAT_FIT) {
- if (!fit_check_format (fit_hdr)) {
+ if (fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) {
bootstage_error(BOOTSTAGE_ID_NAND_FIT_READ);
puts ("** Bad FIT image format\n");
return 1;
#if defined(CONFIG_FIT)
case IMAGE_FORMAT_FIT:
fit_hdr = buf;
- if (!fit_check_format (fit_hdr)) {
+ if (fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) {
puts ("Bad FIT image format\n");
return 1;
}
"at %08lx ...\n", uname, addr);
fit_hdr = (const void *)addr;
- if (!fit_check_format(fit_hdr)) {
+ if (fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) {
puts("Bad FIT image format\n");
return 1;
}
*/
#if CONFIG_IS_ENABLED(FIT)
/* check FDT blob vs FIT blob */
- if (fit_check_format(buf)) {
+ if (!fit_check_format(buf, IMAGE_SIZE_INVAL)) {
ulong load, len;
fdt_noffset = boot_get_fdt_fit(images,
* Wolfgang Denk, DENX Software Engineering, wd@denx.de.
*/
+#define LOG_CATEGORY LOGC_BOOT
+
#ifdef USE_HOSTCC
#include "mkimage.h"
#include <time.h>
return (comp == image_comp);
}
-/**
- * fit_check_format - sanity check FIT image format
- * @fit: pointer to the FIT format image header
- *
- * fit_check_format() runs a basic sanity FIT image verification.
- * Routine checks for mandatory properties, nodes, etc.
- *
- * returns:
- * 1, on success
- * 0, on failure
- */
-int fit_check_format(const void *fit)
+int fit_check_format(const void *fit, ulong size)
{
+ int ret;
+
+ /* A FIT image must be a valid FDT */
+ ret = fdt_check_header(fit);
+ if (ret) {
+ log_debug("Wrong FIT format: not a flattened device tree (err=%d)\n",
+ ret);
+ return -ENOEXEC;
+ }
+
/* mandatory / node 'description' property */
- if (fdt_getprop(fit, 0, FIT_DESC_PROP, NULL) == NULL) {
- debug("Wrong FIT format: no description\n");
- return 0;
+ if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) {
+ log_debug("Wrong FIT format: no description\n");
+ return -ENOMSG;
}
if (IMAGE_ENABLE_TIMESTAMP) {
/* mandatory / node 'timestamp' property */
- if (fdt_getprop(fit, 0, FIT_TIMESTAMP_PROP, NULL) == NULL) {
- debug("Wrong FIT format: no timestamp\n");
- return 0;
+ if (!fdt_getprop(fit, 0, FIT_TIMESTAMP_PROP, NULL)) {
+ log_debug("Wrong FIT format: no timestamp\n");
+ return -ENODATA;
}
}
/* mandatory subimages parent '/images' node */
if (fdt_path_offset(fit, FIT_IMAGES_PATH) < 0) {
- debug("Wrong FIT format: no images parent node\n");
- return 0;
+ log_debug("Wrong FIT format: no images parent node\n");
+ return -ENOENT;
}
- return 1;
+ return 0;
}
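Review bot: The new `size` argument is never read in the body shown here, so `fdt_check_header()`, the `fdt_getprop()` lookups and `fdt_path_offset()` all still rely on lengths stored inside the blob itself. That is the risk the description sets out to remove, and the body does not calculate a size when given `IMAGE_SIZE_INVAL` either. If the bounds check arrives in a later patch of the series, a comment such as `/* size is not used yet; offsets are still taken from the FDT header */` would stop readers assuming the image is already bounded. Otherwise a caller-supplied size could be enforced right after the header check with `if (size != IMAGE_SIZE_INVAL && fdt_totalsize(fit) > size) return -EINVAL;`.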
printf("## Loading %s from FIT Image at %08lx ...\n", prop_name, addr);
bootstage_mark(bootstage_id + BOOTSTAGE_SUB_FORMAT);
- if (!fit_check_format(fit)) {
+ if (fit_check_format(fit, IMAGE_SIZE_INVAL)) {
printf("Bad FIT %s image format!\n", prop_name);
bootstage_error(bootstage_id + BOOTSTAGE_SUB_FORMAT);
return -ENOEXEC;
if (res < 0)
return res;
- res = fit_check_format(fit_header);
- if (!res) {
+ res = fit_check_format(fit_header, IMAGE_SIZE_INVAL);
+ if (res) {
debug("Could not find valid FIT image\n");
- return -EINVAL;
+ return res;
}
/* Get the splash image node */
got_update_file:
fit = map_sysmem(addr, 0);
- if (!fit_check_format((void *)fit)) {
+ if (fit_check_format((void *)fit, IMAGE_SIZE_INVAL)) {
printf("Bad FIT format of the update file, aborting "
"auto-update\n");
return 1;
if (!fit)
return -EINVAL;
- if (!fit_check_format((void *)fit)) {
+ if (fit_check_format((void *)fit, IMAGE_SIZE_INVAL)) {
printf("Bad FIT format of the update file, aborting auto-update\n");
return -EINVAL;
}
if (ret < 0)
return ret;
- ret = fit_check_format(buffer_p);
- if (!ret) {
+ ret = fit_check_format(buffer_p, IMAGE_SIZE_INVAL);
+ if (ret) {
debug("FPGA: No valid FIT image was found.\n");
- return -EBADF;
+ return ret;
}
confs_noffset = fdt_path_offset(buffer_p, FIT_CONFS_PATH);
return -EINVAL;
}
- if (!fit_check_format(fit_hdr)) {
+ if (fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) {
printf("fsl-mc: ERR: Bad firmware image (bad FIT header)\n");
return -EINVAL;
}
return ret;
}
- if (!fit_check_format(pfe_fit_addr)) {
+ if (fit_check_format(pfe_fit_addr, IMAGE_SIZE_INVAL)) {
printf("PFE Firmware: Bad firmware image (bad FIT header)\n");
ret = -1;
return ret;
extern ulong image_save_addr; /* Default Save Address */
extern ulong image_save_size; /* Default Save Size */
+/* An invalid size, meaning that the image size is not known */
+#define IMAGE_SIZE_INVAL (-1UL)
+
enum ih_category {
IH_ARCH,
IH_COMP,
int fit_image_check_arch(const void *fit, int noffset, uint8_t arch);
int fit_image_check_type(const void *fit, int noffset, uint8_t type);
int fit_image_check_comp(const void *fit, int noffset, uint8_t comp);
-int fit_check_format(const void *fit);
+
+/**
+ * fit_check_format() - Check that the FIT is valid
+ *
+ * This performs various checks on the FIT to make sure it is suitable for
+ * use, looking for mandatory properties, nodes, etc.
+ *
+ * If FIT_FULL_CHECK is enabled, it also runs it through libfdt to make
+ * sure that there are no strange tags or broken nodes in the FIT.
+ *
+ * @fit: pointer to the FIT format image header
+ * @return 0 if OK, -ENOEXEC if not an FDT file, -EINVAL if the full FDT check
+ * failed (e.g. due to bad structure), -ENOMSG if the description is
+ * missing, -ENODATA if the timestamp is missing, -ENOENT if the /images
+ * path is missing
+ */
+int fit_check_format(const void *fit, ulong size);
int fit_conf_find_compat(const void *fit, const void *fdt);
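Review bot: The kernel-doc added for `fit_check_format()` has no entry for the new `size` parameter; add `@size: size of the FIT in bytes, or IMAGE_SIZE_INVAL if it is not known`. The comment also describes a FIT_FULL_CHECK pass through libfdt and an -EINVAL return, neither of which appears in the function body changed by this patch. That part should be dropped, or marked as coming from a separate change, so callers do not assume a structural check has run.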
int fit_verify_header(unsigned char *ptr, int image_size,
struct image_tool_params *params)
{
- if (fdt_check_header(ptr) != EXIT_SUCCESS || !fit_check_format(ptr))
+ if (fdt_check_header(ptr) != EXIT_SUCCESS ||
+ fit_check_format(ptr, IMAGE_SIZE_INVAL))
return EXIT_FAILURE;
return EXIT_SUCCESS;
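Review bot: `fit_verify_header()` receives `image_size` but passes `IMAGE_SIZE_INVAL`, so the one caller in this patch that visibly has the file size in scope does not hand it to the check. Because `image_size` is an `int`, a guarded form such as `fit_check_format(ptr, image_size > 0 ? (ulong)image_size : IMAGE_SIZE_INVAL)` avoids sign-extending a negative value into a huge size. The explicit `fdt_check_header(ptr)` is also redundant now that `fit_check_format()` begins with the same call. The function's closing brace lies outside the hunk.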
/* Indent string is defined in header image.h */
p = IMAGE_INDENT_STRING;
- if (!fit_check_format(fit)) {
+ if (fit_check_format(fit, IMAGE_SIZE_INVAL)) {
printf("Bad FIT image format\n");
return -1;
}
#define debug(fmt,args...)
#endif /* MKIMAGE_DEBUG */
+#define log_debug(fmt, args...) debug(fmt, ##args)
+
static inline void *map_sysmem(ulong paddr, unsigned long len)
{
return (void *)(uintptr_t)paddr;