From: Tom Rini <trini@konsulko.com>
To: u-boot@lists.denx.de
Subject: [PATCH 2/8] fit: Don't allow verification of images with @ nodes
Date: Mon, 15 Feb 2021 22:35:58 -0500 [thread overview]
Message-ID: <20210216033558.GO10169@bill-the-cat> (raw)
In-Reply-To: <20210216000812.2091481-3-sjg@chromium.org>
On Mon, Feb 15, 2021 at 05:08:06PM -0700, Simon Glass wrote:
> When searching for a node called 'fred', any unit address appended to the
> name is ignored by libfdt, meaning that 'fred' can match 'fred at 1'. This
> means that we cannot be sure that the node originally intended is the one
> that is used.
>
> Disallow use of nodes with unit addresses.
>
> Update the forge test also, since it uses @ addresses.
>
> CVE-2021-27138
>
> Signed-off-by: Simon Glass <sjg@chromium.org>
> Reported-by: Bruce Monroe <bruce.monroe@intel.com>
> Reported-by: Arie Haenel <arie.haenel@intel.com>
> Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Applied to u-boot/master, thanks!
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210215/4f4da731/attachment.sig>
next prev parent reply other threads:[~2021-02-16 3:35 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-16 0:08 [PATCH 0/8] vboot: Correct vulnerabilities identified by Intel Simon Glass
2021-02-16 0:08 ` [PATCH 1/8] fdt_region: Check for a single root node of the correct name Simon Glass
2021-02-16 3:35 ` Tom Rini
2021-02-16 0:08 ` [PATCH 2/8] fit: Don't allow verification of images with @ nodes Simon Glass
2021-02-16 3:35 ` Tom Rini [this message]
2021-02-16 0:08 ` [PATCH 3/8] test: Add vboot_evil implementation Simon Glass
2021-02-16 3:36 ` Tom Rini
2021-02-16 0:08 ` [PATCH 4/8] test: Add tests for the 'evil' vboot attacks Simon Glass
2021-02-16 3:36 ` Tom Rini
2021-02-16 0:08 ` [PATCH 5/8] image: Adjust the workings of fit_check_format() Simon Glass
2021-02-16 3:36 ` Tom Rini
2021-02-17 13:30 ` Jesper Schmitz Mouridsen
2021-02-17 13:43 ` Tom Rini
2021-02-17 14:12 ` Jesper Schmitz Mouridsen
2021-02-16 0:08 ` [PATCH 6/8] image: Add an option to do a full check of the FIT Simon Glass
2021-02-16 3:36 ` Tom Rini
2021-02-16 0:08 ` [PATCH 7/8] libfdt: Check for multiple/invalid root nodes Simon Glass
2021-02-16 3:36 ` Tom Rini
2021-02-16 0:08 ` [PATCH 8/8] image: Check for unit addresses in FITs Simon Glass
2021-02-16 3:36 ` Tom Rini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210216033558.GO10169@bill-the-cat \
--to=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.