uboot-tools: validate all uImage.FIT sub-images
authorDaniel Golle <daniel@makrotopia.org>
Thu, 24 Apr 2025 05:43:59 +0000 (06:43 +0100)
committerDaniel Golle <daniel@makrotopia.org>
Thu, 24 Apr 2025 05:43:59 +0000 (06:43 +0100)
uImage.FIT validation was restricted to certain sub-image types,
which is problematic as it then won't validate e.g. 'filesystem' type
sub-images. Also prevent decompressing sub-images into an arbitrarily
sized buffer just to then free that buffer -- there is no need to
do this, and creating malicious compressed payloads which overflow the
buffer is too easy.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
package/boot/uboot-tools/Makefile
package/boot/uboot-tools/patches/013-tools-fit_check_sign-all-image-types.patch [new file with mode: 0644]
package/boot/uboot-tools/patches/014-tools-fit_check_sign-no-decompress.patch [new file with mode: 0644]

index f4655373423eaee646da52764aa45a369e44b33b..df2e756cc2129ac4c02c0ab26a7e32ac447e7952 100644 (file)
@@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_DISTNAME:=u-boot
 PKG_VERSION:=2025.01
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_DISTNAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
diff --git a/package/boot/uboot-tools/patches/013-tools-fit_check_sign-all-image-types.patch b/package/boot/uboot-tools/patches/013-tools-fit_check_sign-all-image-types.patch
new file mode 100644 (file)
index 0000000..06af51e
--- /dev/null
@@ -0,0 +1,60 @@
+--- a/boot/bootm.c
++++ b/boot/bootm.c
+@@ -1229,20 +1229,18 @@ static int bootm_host_load_image(const v
+ int bootm_host_load_images(const void *fit, int cfg_noffset)
+ {
+-      static uint8_t image_types[] = {
+-              IH_TYPE_KERNEL,
+-              IH_TYPE_FLATDT,
+-              IH_TYPE_RAMDISK,
+-      };
+       int err = 0;
+       int i;
+-      for (i = 0; i < ARRAY_SIZE(image_types); i++) {
++      for (i = 0; i < IH_TYPE_COUNT; i++) {
+               int ret;
+-              ret = bootm_host_load_image(fit, image_types[i], cfg_noffset);
++              ret = bootm_host_load_image(fit, i, cfg_noffset);
+               if (!err && ret && ret != -ENOENT)
+                       err = ret;
++
++              if (err)
++                      break;
+       }
+       /* Return the first error we found */
+--- a/boot/image-fit.c
++++ b/boot/image-fit.c
+@@ -2072,7 +2072,9 @@ int fit_image_load(struct bootm_headers
+       fit_uname_config = fit_uname_configp ? *fit_uname_configp : NULL;
+       fit_base_uname_config = NULL;
+       prop_name = fit_get_image_type_property(image_type);
++#ifndef USE_HOSTCC
+       printf("## Loading %s from FIT Image at %08lx ...\n", prop_name, addr);
++#endif
+       bootstage_mark(bootstage_id + BOOTSTAGE_SUB_FORMAT);
+       ret = fit_check_format(fit, IMAGE_SIZE_INVAL);
+@@ -2108,7 +2110,9 @@ int fit_image_load(struct bootm_headers
+               }
+               fit_base_uname_config = fdt_get_name(fit, cfg_noffset, NULL);
++#ifndef USE_HOSTCC
+               printf("   Using '%s' configuration\n", fit_base_uname_config);
++#endif
+               /* Remember this config */
+               if (image_type == IH_TYPE_KERNEL)
+                       images->fit_uname_cfg = fit_base_uname_config;
+@@ -2131,7 +2135,9 @@ int fit_image_load(struct bootm_headers
+               fit_uname = fit_get_name(fit, noffset, NULL);
+       }
+       if (noffset < 0) {
++#ifndef USE_HOSTCC
+               printf("Could not find subimage node type '%s'\n", prop_name);
++#endif
+               bootstage_error(bootstage_id + BOOTSTAGE_SUB_SUBNODE);
+               return -ENOENT;
+       }
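Review bot: In the rewritten loop of `bootm_host_load_images`, `-ENOENT` is still discarded for every type, so now that the loop covers all `IH_TYPE_COUNT` values a zero return only means that no sub-image that was actually looked up failed, not that every sub-image in the FIT was checked. Which sub-images are reached depends on the per-type lookup in `fit_image_load` (through `fit_get_image_type_property`), which lies outside this hunk, so coverage of a 'filesystem' sub-image should be confirmed there. I would add a comment above the loop such as `/* -ENOENT: the configuration has no image of this type; skipped, not verified */`. With the new `break`, the `!err` test can never be false, so the body could read `if (ret && ret != -ENOENT) { err = ret; break; }`. The function body continues past the end of the nested hunk.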
diff --git a/package/boot/uboot-tools/patches/014-tools-fit_check_sign-no-decompress.patch b/package/boot/uboot-tools/patches/014-tools-fit_check_sign-no-decompress.patch
new file mode 100644 (file)
index 0000000..6cd18aa
--- /dev/null
@@ -0,0 +1,40 @@
+--- a/boot/bootm.c
++++ b/boot/bootm.c
+@@ -1188,10 +1188,6 @@ static int bootm_host_load_image(const v
+       ulong data, len;
+       struct bootm_headers images;
+       int noffset;
+-      ulong load_end, buf_size;
+-      uint8_t image_type;
+-      uint8_t image_comp;
+-      void *load_buf;
+       int ret;
+       fit_uname_config = fdt_get_name(fit, cfg_noffset, NULL);
+@@ -1203,26 +1199,6 @@ static int bootm_host_load_image(const v
+               FIT_LOAD_IGNORED, &data, &len);
+       if (noffset < 0)
+               return noffset;
+-      if (fit_image_get_type(fit, noffset, &image_type)) {
+-              puts("Can't get image type!\n");
+-              return -EINVAL;
+-      }
+-
+-      if (fit_image_get_comp(fit, noffset, &image_comp))
+-              image_comp = IH_COMP_NONE;
+-
+-      /* Allow the image to expand by a factor of 4, should be safe */
+-      buf_size = (1 << 20) + len * 4;
+-      load_buf = malloc(buf_size);
+-      ret = image_decomp(image_comp, 0, data, image_type, load_buf,
+-                         (void *)data, len, buf_size, &load_end);
+-      free(load_buf);
+-
+-      if (ret) {
+-              ret = handle_decomp_error(image_comp, load_end - 0, buf_size, ret);
+-              if (ret != BOOTM_ERR_UNIMPLEMENTED)
+-                      return ret;
+-      }
+       return 0;
+ }
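Review bot: `int ret;` stays as a context line in the first nested hunk, yet every use of `ret` visible in `bootm_host_load_image` is removed by the second one, so the variable looks unused after this patch and would produce an unused-variable warning. Unless the few lines between the two nested hunks (not shown here) still use it, the declaration should be removed together with `load_end`, `buf_size`, `image_type`, `image_comp` and `load_buf`. The patch file also has no header, so the reason for dropping the decompression step is recorded only in the OpenWrt commit message. A short description at the top of the patch, saying that the host tool now checks sub-images without decompressing them and why, would keep that rationale with the patch when it is refreshed against a newer U-Boot.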