From: Binarly Vulnerability Research <[email protected]>

fit_config_check_sig() reads the hashed-strings property and uses its size value without validation when building the region list for signature verification. A crafted FIT image can specify an arbitrary size, causing the hash calculation to read beyond the end of the FIT image.
Validate that the declared strings region fits within the FIT before adding it to the region list. Signed-off-by: Binarly Vulnerability Research <[email protected]> --- Changes in v2: - Rewrite commit message to be concise per maintainer feedback boot/image-fit-sig.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c index 433df20281f..bdfb5e3eb7c 100644 --- a/boot/image-fit-sig.c +++ b/boot/image-fit-sig.c @@ -512,8 +512,18 @@ static int fit_config_check_sig(const void *fit, int noffset, int conf_noffset, * The strings region offset must be a static 0x0. * This is set in tool/image-host.c */ - fdt_regions[count].offset = fdt_off_dt_strings(fit); - fdt_regions[count].size = fdt32_to_cpu(strings[1]); + int offset = fdt_off_dt_strings(fit); + int size = fdt32_to_cpu(strings[1]); + /* + * The offset should be already validated by fdt_check_header(); + * validate the size here. + */ + if (size < 0 || size > fdt_totalsize(fit) - offset) { + *err_msgp = "Strings region is out of bounds"; + return -1; + } + fdt_regions[count].offset = offset; + fdt_regions[count].size = size; count++; } -- 2.53.0
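Review bot: The new bounds check still trusts `offset`; the comment says it "should be already validated by fdt_check_header()", but nothing in the hunk enforces that, and because `fdt_totalsize()` returns an unsigned value, an `offset` greater than the total size would make `fdt_totalsize(fit) - offset` wrap to a very large number and let any non-negative `size` through. Suggest checking the offset in the same condition so the function is safe regardless of what the caller validated, e.g. `if (offset < 0 || offset > fdt_totalsize(fit) || size < 0 || size > fdt_totalsize(fit) - offset)`. Also worth a sentence in the comment: `fdt32_to_cpu(strings[1])` yields an unsigned 32-bit value, so assigning it to `int` turns anything at or above 0x80000000 negative, which is then rejected by the `size < 0` branch; that is the intended result, but a reader may otherwise read the `size < 0` test as dead code. Minor style point: the two declarations sit after executable statements inside the block, which checkpatch may flag; moving them to the top of the enclosing block would match the surrounding code.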

