Hello! Gentle ping :) Any feedback on this patch?
On 6/2/26 9:43 AM, Lorenz Kofler wrote:
CVE-2021-27138 was fixed by rejecting any FIT node whose name contains '@'. That stops libfdt's unit-address matching from resolving a reference such as "kernel" to a node named "kernel@1".

Rejecting '@' outright, however, is a regression. We have a customer with signed FIT images deployed in the field that use '@' in node names, and with signature verification enabled those images are now rejected and fail to boot.

Such names are admittedly not ideal. The devicetree specification only allows a unit address when the node has a matching 'reg' property, and newer dtc versions warn about violations. New FIT images should therefore avoid such names, but existing deployed images still need to keep working.

This series fixes CVE-2021-27138 without that regression. The root cause is not the '@' character itself, but accepting a non-exact node-name match when resolving a FIT reference. Patch 1 hardens the lookups so the requested name and the resolved node name must match exactly: an inserted "kernel@1" can no longer stand in for the "kernel" node. Patches 2 and 3 then drop the now-redundant blanket '@' rejection.

Review is welcome, especially on whether I missed any place that looks up a FIT node by name.

Lorenz Kofler (3):
  boot/fit: require exact subnode matches for FIT references
  boot/fit: stop rejecting '@' during image and config verification
  boot/fit: stop rejecting '@' during FIT format checking

 boot/image-fit-sig.c        | 21 +-----------
 boot/image-fit.c            | 65 +++----------------------------------
 common/spl/spl_fit.c        |  4 +--
 include/image.h             | 28 ++++++++++++++++
 test/py/tests/test_vboot.py |  7 ++--
 5 files changed, 39 insertions(+), 86 deletions(-)
-- sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, Austria UID/VAT Nr: ATU 66964118 | FN: 374287y
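
The matching behaviour discussed in the cover letter, as an added example that is not part of the original mail or of the U-Boot series: a simplified model of libfdt's unit-address name matching next to a lookup that requires the resolved name to equal the requested one. The function names, the flat child-name arrays and the fail-closed result (-1) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of libfdt's node-name comparison: a requested name
 * that contains no '@' also matches a node named "<name>@<unit>". */
static int unit_addr_match(const char *node, const char *req)
{
    size_t len = strlen(req);

    if (strlen(node) < len || memcmp(node, req, len) != 0)
        return 0;
    if (node[len] == '\0')
        return 1;
    return node[len] == '@' && strchr(req, '@') == NULL;
}

/* Loose lookup: index of the first child accepted by the rule above, or -1. */
int lookup_loose(const char *const *kids, size_t n, const char *req)
{
    for (size_t i = 0; i < n; i++)
        if (unit_addr_match(kids[i], req))
            return (int)i;
    return -1;
}

/* Hardened lookup (hypothetical): the resolved node name must equal the
 * requested name exactly, otherwise the reference is rejected. */
int lookup_exact(const char *const *kids, size_t n, const char *req)
{
    int i = lookup_loose(kids, n, req);

    return (i >= 0 && strcmp(kids[i], req) == 0) ? i : -1;
}

/* Constructed sample data: child names under /images. */
const char *const tampered[] = { "kernel@1", "kernel", "fdt" };
const char *const legacy[]   = { "kernel@1", "fdt@1" };

int main(void)
{
    /* A reference to "kernel" resolves to the inserted "kernel@1" when loose. */
    printf("tampered loose: %d\n", lookup_loose(tampered, 3, "kernel"));
    printf("tampered exact: %d\n", lookup_exact(tampered, 3, "kernel"));
    /* A deployed image that refers to "kernel@1" by its full name still resolves. */
    printf("legacy exact:   %d\n", lookup_exact(legacy, 2, "kernel@1"));
    return 0;
}
```

The exact check leaves '@' in node names usable as long as the reference spells the full node name, which is the case the deployed images in the cover letter depend on.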

