fit_image_get_data() uses the data-position, data-offset, and data-size FIT properties without bounds checking. A crafted FIT image can specify values that cause out-of-bounds reads during hash calculation for signature verification.
Validate that the external data offset and size are non-negative, and that the data region fits within the FIT image bounds. Signed-off-by: Anton Ivanov <[email protected]> --- Changes in v3: - Update From and Signed-off-by to personal email Changes in v2: - Rewrite commit message to be concise per maintainer feedback boot/image-fit.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/boot/image-fit.c b/boot/image-fit.c index b0fcaf6e17f..4d0e8ffc79f 100644 --- a/boot/image-fit.c +++ b/boot/image-fit.c @@ -1084,8 +1084,24 @@ int fit_image_get_data(const void *fit, int noffset, const void **data, if (external_data) { debug("External Data\n"); + if (offset < 0 || offset > UINTPTR_MAX - (uintptr_t)fit) { + printf("Invalid external data offset: %d\n", offset); + return -1; + } + ret = fit_image_get_data_size(fit, noffset, &len); if (!ret) { + if (len < 0) { + printf("Invalid external data size: %d\n", len); + return -1; + } +#if CONFIG_IS_ENABLED(FIT_SIGNATURE) + if (len > CONFIG_VAL(FIT_SIGNATURE_MAX_SIZE) - offset) { + printf("FIT external data is out of bounds (offset=%d, size=%d)\n", + offset, len); + return -1; + } +#endif *data = fit + offset; *size = len; } -- 2.53.0
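Review bot: the upper-bound check in this hunk is compiled only under CONFIG_IS_ENABLED(FIT_SIGNATURE) and compares against CONFIG_VAL(FIT_SIGNATURE_MAX_SIZE), a configured maximum, not the size of the FIT image actually loaded, so the commit message's claim that "the data region fits within the FIT image bounds" overstates what is enforced: with FIT_SIGNATURE disabled the only remaining checks are `offset < 0 || offset > UINTPTR_MAX - (uintptr_t)fit` (a pointer-wrap guard) and `len < 0`, after which `*data = fit + offset; *size = len;` proceeds with no upper bound at all, and with it enabled a FIT smaller than FIT_SIGNATURE_MAX_SIZE can still be read past its end. Either pass the real image size into this path and bound `offset + len` against it, or state plainly in the commit message that the check is a configured-maximum limit that applies only when signature support is built in. Minor: `len > CONFIG_VAL(FIT_SIGNATURE_MAX_SIZE) - offset` is written to avoid overflow in `offset + len`, which is good; a one-line comment saying so would save the next reader from "simplifying" it back.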

