image-sig: Ensure that hashed-nodes is null-terminated

A specially crafted FIT image leads to memory corruption in the stack
when using the verified boot feature. The function fit_config_check_sig
has a logic error that makes it possible to write past the end of the
stack allocated array node_inc. This could potentially be used to bypass
the signature check when using verified boot.

This change ensures that the number of strings is correct when counted.

Signed-off-by: Konrad Beckmann <konrad.beckmann@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

diff --git a/common/image-sig.c b/common/image-sig.c
index 5a269d3289bfcf72d7ad0fd5aeff7862f4badf11..5d860e1266379356a0f6ae4d0bf437abb6441a98 100644 (file)
--- a/common/image-sig.c
+++ b/common/image-sig.c
@@ -334,6 +334,11 @@ int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
                return -1;
        }
 
+       if (prop && prop_len > 0 && prop[prop_len - 1] != '\0') {
+               *err_msgp = "hashed-nodes property must be null-terminated";
+               return -1;
+       }
+
        /* Add a sanity check here since we are using the stack */
        if (count > IMAGE_MAX_HASHED_NODES) {
                *err_msgp = "Number of hashed nodes exceeds maximum";