Blame - poky/meta/recipes-bsp/u-boot/files/CVE-2021-27097-4.patch - openbmc/openbmc

blob: 060cac1cf66aac72fec5170948e374b670160fb6 [file] [log] [blame]

Andrew Geissler	95ac1b8	2021-03-31 14:34:31 -0500	[diff] [blame^]	1	From 124c255731c76a2b09587378b2bcce561bcd3f2d Mon Sep 17 00:00:00 2001
				2	From: Simon Glass <sjg@chromium.org>
				3	Date: Mon, 15 Feb 2021 17:08:11 -0700
				4	Subject: [PATCH] libfdt: Check for multiple/invalid root nodes
				5
				6	It is possible to construct a devicetree blob with multiple root nodes.
				7	Update fdt_check_full() to check for this, along with a root node with an
				8	invalid name.
				9
				10	CVE-2021-27097
				11
				12	Signed-off-by: Simon Glass <sjg@chromium.org>
				13	Reported-by: Bruce Monroe <bruce.monroe@intel.com>
				14	Reported-by: Arie Haenel <arie.haenel@intel.com>
				15	Reported-by: Julien Lenoir <julien.lenoir@intel.com>
				16
				17	CVE: CVE-2021-27097
				18	Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/124c255731c76a2b09587378b2bcce561bcd3f2d]
				19	Signed-off-by: Scott Murray <scott.murray@konsulko.com>
				20
				21	---
				22	scripts/dtc/libfdt/fdt_ro.c \| 17 +++++++++++++++++
				23	test/py/tests/test_vboot.py \| 3 ++-
				24	2 files changed, 19 insertions(+), 1 deletion(-)
				25
				26	diff --git a/scripts/dtc/libfdt/fdt_ro.c b/scripts/dtc/libfdt/fdt_ro.c
				27	index d984bab036..efe7efe921 100644
				28	--- a/scripts/dtc/libfdt/fdt_ro.c
				29	+++ b/scripts/dtc/libfdt/fdt_ro.c
				30	@@ -867,6 +867,7 @@ int fdt_check_full(const void *fdt, size_t bufsize)
				31	unsigned depth = 0;
				32	const void *prop;
				33	const char *propname;
				34	+ bool expect_end = false;
				35
				36	if (bufsize < FDT_V1_SIZE)
				37	return -FDT_ERR_TRUNCATED;
				38	@@ -887,6 +888,10 @@ int fdt_check_full(const void *fdt, size_t bufsize)
				39	if (nextoffset < 0)
				40	return nextoffset;
				41
				42	+ /* If we see two root nodes, something is wrong */
				43	+ if (expect_end && tag != FDT_END)
				44	+ return -FDT_ERR_BADLAYOUT;
				45	+
				46	switch (tag) {
				47	case FDT_NOP:
				48	break;
				49	@@ -900,12 +905,24 @@ int fdt_check_full(const void *fdt, size_t bufsize)
				50	depth++;
				51	if (depth > INT_MAX)
				52	return -FDT_ERR_BADSTRUCTURE;
				53	+
				54	+ /* The root node must have an empty name */
				55	+ if (depth == 1) {
				56	+ const char *name;
				57	+ int len;
				58	+
				59	+ name = fdt_get_name(fdt, offset, &len);
				60	+ if (*name \|\| len)
				61	+ return -FDT_ERR_BADLAYOUT;
				62	+ }
				63	break;
				64
				65	case FDT_END_NODE:
				66	if (depth == 0)
				67	return -FDT_ERR_BADSTRUCTURE;
				68	depth--;
				69	+ if (depth == 0)
				70	+ expect_end = true;
				71	break;
				72
				73	case FDT_PROP: