[U-Boot] Buffer overrun risk in UBI SPL for secure boot

[Heiko Schocher <hs@denx.de>]

Hello Joel,

Am 04.09.2019 um 06:57 schrieb Joel Peshkin:
> It seems that, in the process of doing any sort of secure boot chain of
> trust, anything loading a UBI volume in preparation to authenticate it,
> will load a volume of unknown size into a buffer prior to checking the
> signature of that volume.

Hmm.. it is not an unknown size, it loads the complete UBI Volume, so
it is the size of the UBI Volume ...
but yes, if an attacker changes the size of UBI Volumes ...

Could you please give us a reference to which piece of code you refer?

is it this part:

drivers/mtd/ubispl/ubispl.c
static int ipl_load(struct ubi_scan_info *ubi, const u32 vol_id, uint8_t *laddr)

yes ... no size...

> Has anyone considered a solution for this?  Should all implementations just
> carve out a buffer at the top of memory for ubispl_load_volume or should
> the ubispl_load data structure be amended to include a size?  It would seem
> appropriate to include a size, but not clear how to do that without
> breaking compatibility with existing implementations.

Hmm... yes may an option to add a maxsize to ubispl_load data struct
ubispl_load.

regarding backwards compatibility, there are not much boards yet, which
use this feature:

hs at threadripper:u-boot  [master] $ grep -lr SPL_UBI | grep defconfig
configs/am335x_igep003x_defconfig
configs/igep00x0_defconfig
hs at threadripper:u-boot  [master] $

So this should be solveable problem.

bye,
Heiko
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-52   Fax: +49-8142-66989-80   Email: hs at denx.de