On 2026-06-21T14:39:32, Aristo Chen <[email protected]> wrote: > vbe: bound FIT external-data offset and size before blk_read > > vbe_read_fit() loads a firmware-phase FIT from the trusted firmware area > and then issues a blk_read() to pull in the image, and optionally an > FDT, referenced by the FIT image node. The source offset on the device > and the read length both come from the FIT's data-position or data-offset > property and its data-size property, which live on mutable boot media > and can be controlled by an attacker with prior write access to the > firmware area. > > Without a range check the resulting blk_read() can read past the > firmware area on the device and, on the non-SPL path, write an > attacker-chosen number of blocks past the malloc(aligned_size) FIT > buffer into adjacent memory. Only the SPL branch routes through > spl_load_simple_fit(), which hashes the data. The external-data block > reached from TPL or VPL, and from the bootflow path via > abrec_read_bootflow_fw() and vbe_simple_read_bootflow_fw(), runs before > any signature or hash check on the loaded phase. > > Confine the FIT-supplied [load_addr, load_addr + len) window to > [addr, addr + area_size] before computing block numbers and lengths, > and apply the same constraint to fdt_load_addr and fdt_size. The checks > are written in subtraction-only form against the trusted area_size so > the comparison itself cannot overflow. > > Signed-off-by: Aristo Chen <[email protected]> > > boot/vbe_common.c | 16 ++++++++++++++++ > 1 file changed, 16 insertions(+)
Reviewed-by: Simon Glass <[email protected]>

