image: Add an option to do a full check of the FIT Some strange modifications of the FIT can introduce security risks. Add an option to check it thoroughly, using libfdt's fdt_check_full() function. Enable this by default if signature verification is enabled. CVE-2021-27097 Signed-off-by: Simon Glass <sjg@chromium.org> Reported-by: Bruce Monroe <bruce.monroe@intel.com> Reported-by: Arie Haenel <arie.haenel@intel.com> Reported-by: Julien Lenoir <julien.lenoir@intel.com>

commit: 244705b69784320256d4aae848de2b9e0daeb9cb [log] [tgz]
author: Simon Glass <sjg@chromium.org> Mon Feb 15 17:08:10 2021 -0700
committer: Tom Rini <trini@konsulko.com> Mon Feb 15 22:31:53 2021 -0500
tree: 44a5f450549070b7b1929380202f61c852ad54d1
parent: d563c2572e6bb485e88d74742e74b71d235bda3e [diff] [blame]
diff --git a/common/image-fit.c b/common/image-fit.c
index f6c0428..bcf395f 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c

@@ -1580,6 +1580,22 @@
 		return -ENOEXEC;
 	}
 
+	if (CONFIG_IS_ENABLED(FIT_FULL_CHECK)) {
+		/*
+		 * If we are not given the size, make do wtih calculating it.
+		 * This is not as secure, so we should consider a flag to
+		 * control this.
+		 */
+		if (size == IMAGE_SIZE_INVAL)
+			size = fdt_totalsize(fit);
+		ret = fdt_check_full(fit, size);
+
+		if (ret) {
+			log_debug("FIT check error %d\n", ret);
+			return -EINVAL;
+		}
+	}
+
 	/* mandatory / node 'description' property */
 	if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) {
 		log_debug("Wrong FIT format: no description\n");
commit	244705b69784320256d4aae848de2b9e0daeb9cb	[log] [tgz]
author	Simon Glass <sjg@chromium.org>	Mon Feb 15 17:08:10 2021 -0700
committer	Tom Rini <trini@konsulko.com>	Mon Feb 15 22:31:53 2021 -0500
tree	44a5f450549070b7b1929380202f61c852ad54d1
parent	d563c2572e6bb485e88d74742e74b71d235bda3e [diff] [blame]