fdt_check_no_at() recurses into every subnode without a depth limit. A deeply nested FIT image can exhaust the stack and crash U-Boot during signature verification of an untrusted FIT.
Add a depth check using FDT_MAX_DEPTH to bound the recursion. Signed-off-by: Anton Ivanov <[email protected]> --- Changes in v4: - Clarify vulnerability reachability in the commit message Changes in v3: - Update From and Signed-off-by to personal email Changes in v2: - Rewrite commit message to be concise per maintainer feedback boot/image-fit.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/boot/image-fit.c b/boot/image-fit.c index b0fcaf6e17f..0e225ecd0c2 100644 --- a/boot/image-fit.c +++ b/boot/image-fit.c @@ -41,6 +41,7 @@ DECLARE_GLOBAL_DATA_PTR; #include <bootm.h> #include <image.h> #include <bootstage.h> +#include <fdt_region.h> #include <upl.h> #include <u-boot/crc.h> @@ -1643,20 +1644,24 @@ int fit_image_check_comp(const void *fit, int noffset, uint8_t comp) * * @fit: FIT to check * @parent: Parent node to check - * Return: 0 if OK, -EADDRNOTAVAIL is a node has a name containing '@' + * @depth: Current recursion depth + * Return: 0 if OK, or error value */ -static int fdt_check_no_at(const void *fit, int parent) +static int fdt_check_no_at(const void *fit, int parent, int depth) { const char *name; int node; int ret; + if (depth >= FDT_MAX_DEPTH) + return -FDT_ERR_BADSTRUCTURE; + name = fdt_get_name(fit, parent, NULL); if (!name || strchr(name, '@')) return -EADDRNOTAVAIL; fdt_for_each_subnode(node, fit, parent) { - ret = fdt_check_no_at(fit, node); + ret = fdt_check_no_at(fit, node, depth + 1); if (ret) return ret; } @@ -1696,7 +1701,7 @@ int fit_check_format(const void *fit, ulong size) * attached. Protect against this by disallowing unit addresses. */ if (!ret && CONFIG_IS_ENABLED(FIT_SIGNATURE)) { - ret = fdt_check_no_at(fit, 0); + ret = fdt_check_no_at(fit, 0, 0); if (ret) { log_debug("FIT check error %d\n", ret); -- 2.53.0
