summaryrefslogtreecommitdiff
path: root/common/image-sig.c
diff options
context:
space:
mode:
authorTeddy Reed <teddy.reed@gmail.com>2018-06-09 11:38:05 -0400
committerTom Rini <trini@konsulko.com>2018-07-10 16:55:58 -0400
commit72239fc85f3eda078547956608c063ab965e90e9 (patch)
treec4184de3db8760dafc7086c02e989ad208b85304 /common/image-sig.c
parent894c3ad27fa940beb7fdc07d01dcfe81c03d0481 (diff)
downloadu-boot-72239fc85f3eda078547956608c063ab965e90e9.tar.gz
vboot: Add FIT_SIGNATURE_MAX_SIZE protection
This adds a new config value FIT_SIGNATURE_MAX_SIZE, which controls the max size of a FIT header's totalsize field. The field is checked before signature checks are applied to protect from reading past the intended FIT regions. This field is not part of the vboot signature so it should be sanity checked. If the field is corrupted then the structure or string region reads may have unintended behavior, such as reading from device memory. A default value of 256MB is set and intended to support most max storage sizes. Suggested-by: Simon Glass <sjg@chromium.org> Signed-off-by: Teddy Reed <teddy.reed@gmail.com> Reviewed-by: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'common/image-sig.c')
-rw-r--r--common/image-sig.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/common/image-sig.c b/common/image-sig.c
index f65d883994..8d2fd10db6 100644
--- a/common/image-sig.c
+++ b/common/image-sig.c
@@ -156,6 +156,11 @@ static int fit_image_setup_verify(struct image_sign_info *info,
{
char *algo_name;
+ if (fdt_totalsize(fit) > CONFIG_FIT_SIGNATURE_MAX_SIZE) {
+ *err_msgp = "Total size too large";
+ return 1;
+ }
+
if (fit_image_hash_get_algo(fit, noffset, &algo_name)) {
*err_msgp = "Can't get hash algo property";
return -1;