From: Konrad Beckmann Date: Wed, 7 Nov 2018 19:51:45 +0000 (-0500) Subject: image-sig: Ensure that hashed-nodes is null-terminated X-Git-Tag: v2025.01-rc5-pxa1908~3275^2~2 X-Git-Url: http://git.dujemihanovic.xyz/projects?a=commitdiff_plain;h=f1c85688ab13f154ebe1b1480def233a22e7f66b;p=u-boot.git image-sig: Ensure that hashed-nodes is null-terminated A specially crafted FIT image leads to memory corruption in the stack when using the verified boot feature. The function fit_config_check_sig has a logic error that makes it possible to write past the end of the stack allocated array node_inc. This could potentially be used to bypass the signature check when using verified boot. This change ensures that the number of strings is correct when counted. Signed-off-by: Konrad Beckmann Reviewed-by: Simon Glass --- diff --git a/common/image-sig.c b/common/image-sig.c index 5a269d3289..5d860e1266 100644 --- a/common/image-sig.c +++ b/common/image-sig.c @@ -334,6 +334,11 @@ int fit_config_check_sig(const void *fit, int noffset, int required_keynode, return -1; } + if (prop && prop_len > 0 && prop[prop_len - 1] != '\0') { + *err_msgp = "hashed-nodes property must be null-terminated"; + return -1; + } + /* Add a sanity check here since we are using the stack */ if (count > IMAGE_MAX_HASHED_NODES) { *err_msgp = "Number of hashed nodes exceeds maximum";