poky/meta/recipes-bsp/u-boot/files/CVE-2021-27097-1.patch - stefanberger/openbmc - Gitiles

 From 8a7d4cf9820ea16fabd25a6379351b4dc291204b Mon Sep 17 00:00:00 2001
 From: Simon Glass <sjg@chromium.org>
 Date: Mon, 15 Feb 2021 17:08:05 -0700
 Subject: [PATCH] fdt_region: Check for a single root node of the correct name

 At present fdt_find_regions() assumes that the FIT is a valid devicetree.
 If the FIT has two root nodes this is currently not detected in this
 function, nor does libfdt's fdt_check_full() notice. Also it is possible
 for the root node to have a name even though it should not.

 Add checks for these and return -FDT_ERR_BADSTRUCTURE if a problem is
 detected.

 CVE-2021-27097

 Signed-off-by: Simon Glass <sjg@chromium.org>
 Reported-by: Bruce Monroe <bruce.monroe@intel.com>
 Reported-by: Arie Haenel <arie.haenel@intel.com>
 Reported-by: Julien Lenoir <julien.lenoir@intel.com>

 CVE: CVE-2021-27097
 Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/8a7d4cf9820ea16fabd25a6379351b4dc291204b]
 Signed-off-by: Scott Murray <scott.murray@konsulko.com>

 ---
  common/fdt_region.c | 11 +++++++++++
  1 file changed, 11 insertions(+)

 diff --git a/common/fdt_region.c b/common/fdt_region.c
 index ff12c518e9..e4ef0ca770 100644
 --- a/common/fdt_region.c
 +++ b/common/fdt_region.c
 @@ -43,6 +43,7 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
  	int depth = -1;
  	int want = 0;
  	int base = fdt_off_dt_struct(fdt);
 +	bool expect_end = false;

  	end = path;
  	*end = '\0';
 @@ -59,6 +60,10 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
  		tag = fdt_next_tag(fdt, offset, &nextoffset);
  		stop_at = nextoffset;

 +		/* If we see two root nodes, something is wrong */
 +		if (expect_end && tag != FDT_END)
 +			return -FDT_ERR_BADLAYOUT;
 +
  		switch (tag) {
  		case FDT_PROP:
  			include = want >= 2;
 @@ -81,6 +86,10 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
  			if (depth == FDT_MAX_DEPTH)
  				return -FDT_ERR_BADSTRUCTURE;
  			name = fdt_get_name(fdt, offset, &len);
 +
 +			/* The root node must have an empty name */
 +			if (!depth && *name)
 +				return -FDT_ERR_BADLAYOUT;
  			if (end - path + 2 + len >= path_len)
  				return -FDT_ERR_NOSPACE;
  			if (end != path + 1)
 @@ -108,6 +117,8 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count,
  			while (end > path && *--end != '/')
  				;
  			*end = '\0';
 +			if (depth == -1)
 +				expect_end = true;
  			break;

  		case FDT_END:
	From 8a7d4cf9820ea16fabd25a6379351b4dc291204b Mon Sep 17 00:00:00 2001
	From: Simon Glass <sjg@chromium.org>
	Date: Mon, 15 Feb 2021 17:08:05 -0700
	Subject: [PATCH] fdt_region: Check for a single root node of the correct name

	At present fdt_find_regions() assumes that the FIT is a valid devicetree.
	If the FIT has two root nodes this is currently not detected in this
	function, nor does libfdt's fdt_check_full() notice. Also it is possible
	for the root node to have a name even though it should not.

	Add checks for these and return -FDT_ERR_BADSTRUCTURE if a problem is
	detected.

	CVE-2021-27097

	Signed-off-by: Simon Glass <sjg@chromium.org>
	Reported-by: Bruce Monroe <bruce.monroe@intel.com>
	Reported-by: Arie Haenel <arie.haenel@intel.com>
	Reported-by: Julien Lenoir <julien.lenoir@intel.com>

	CVE: CVE-2021-27097
	Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/8a7d4cf9820ea16fabd25a6379351b4dc291204b]
	Signed-off-by: Scott Murray <scott.murray@konsulko.com>

	---
	common/fdt_region.c \| 11 +++++++++++
	1 file changed, 11 insertions(+)

	diff --git a/common/fdt_region.c b/common/fdt_region.c
	index ff12c518e9..e4ef0ca770 100644
	--- a/common/fdt_region.c
	+++ b/common/fdt_region.c
	@@ -43,6 +43,7 @@ int fdt_find_regions(const void fdt, char const inc[], int inc_count,
	int depth = -1;
	int want = 0;
	int base = fdt_off_dt_struct(fdt);
	+ bool expect_end = false;

	end = path;
	*end = '\0';
	@@ -59,6 +60,10 @@ int fdt_find_regions(const void fdt, char const inc[], int inc_count,
	tag = fdt_next_tag(fdt, offset, &nextoffset);
	stop_at = nextoffset;

	+ /* If we see two root nodes, something is wrong */
	+ if (expect_end && tag != FDT_END)
	+ return -FDT_ERR_BADLAYOUT;
	+
	switch (tag) {
	case FDT_PROP:
	include = want >= 2;
	@@ -81,6 +86,10 @@ int fdt_find_regions(const void fdt, char const inc[], int inc_count,
	if (depth == FDT_MAX_DEPTH)
	return -FDT_ERR_BADSTRUCTURE;
	name = fdt_get_name(fdt, offset, &len);
	+
	+ /* The root node must have an empty name */
	+ if (!depth && *name)
	+ return -FDT_ERR_BADLAYOUT;
	if (end - path + 2 + len >= path_len)
	return -FDT_ERR_NOSPACE;
	if (end != path + 1)
	@@ -108,6 +117,8 @@ int fdt_find_regions(const void fdt, char const inc[], int inc_count,
	while (end > path && *--end != '/')
	;
	*end = '\0';
	+ if (depth == -1)
	+ expect_end = true;
	break;

	case FDT_END: