From: Daniel Golle Date: Thu, 24 Apr 2025 05:43:59 +0000 (+0100) Subject: uboot-tools: validate all uImage.FIT sub-images X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=27adf03f703319f4a6900b07be5f6786045a6dad;p=thirdparty%2Fopenwrt.git uboot-tools: validate all uImage.FIT sub-images uImage.FIT validation was restricted to certain sub-image types which is problematic as it then won't validate eg. 'filesystem' type subimages. Also prevent decompressing sub-images into a arbitrary sized buffer just to then free that buffer -- there is not need to do this and creating malicious compressed payloads which overflow the buffer is too easy. Signed-off-by: Daniel Golle --- diff --git a/package/boot/uboot-tools/Makefile b/package/boot/uboot-tools/Makefile index f4655373423..df2e756cc21 100644 --- a/package/boot/uboot-tools/Makefile +++ b/package/boot/uboot-tools/Makefile @@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_DISTNAME:=u-boot PKG_VERSION:=2025.01 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE:=$(PKG_DISTNAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:= \ diff --git a/package/boot/uboot-tools/patches/013-tools-fit_check_sign-all-image-types.patch b/package/boot/uboot-tools/patches/013-tools-fit_check_sign-all-image-types.patch new file mode 100644 index 00000000000..06af51e212b --- /dev/null +++ b/package/boot/uboot-tools/patches/013-tools-fit_check_sign-all-image-types.patch 
@@ -0,0 +1,60 @@
+--- a/boot/bootm.c
++++ b/boot/bootm.c
+@@ -1229,20 +1229,18 @@ static int bootm_host_load_image(const v
+
+ int bootm_host_load_images(const void *fit, int cfg_noffset)
+ {
+- static uint8_t image_types[] = {
+- IH_TYPE_KERNEL,
+- IH_TYPE_FLATDT,
+- IH_TYPE_RAMDISK,
+- };
+ int err = 0;
+ int i;
+
+- for (i = 0; i < ARRAY_SIZE(image_types); i++) {
++ for (i = 0; i < IH_TYPE_COUNT; i++) {
+ int ret;
+
+- ret = bootm_host_load_image(fit, image_types[i], cfg_noffset);
++ ret = bootm_host_load_image(fit, i, cfg_noffset);
+ if (!err && ret && ret != -ENOENT)
+ err = ret;
++
++ if (err)
++ break;
+ }
+
+ /* Return the first error we found */
+--- a/boot/image-fit.c
++++ b/boot/image-fit.c
+@@ -2072,7 +2072,9 @@ int fit_image_load(struct bootm_headers
+ fit_uname_config = fit_uname_configp ? *fit_uname_configp : NULL;
+ fit_base_uname_config = NULL;
+ prop_name = fit_get_image_type_property(image_type);
++#ifndef USE_HOSTCC
+ printf("## Loading %s from FIT Image at %08lx ...\n", prop_name, addr);
++#endif
+
+ bootstage_mark(bootstage_id + BOOTSTAGE_SUB_FORMAT);
+ ret = fit_check_format(fit, IMAGE_SIZE_INVAL);
+@@ -2108,7 +2110,9 @@ int fit_image_load(struct bootm_headers
+ }
+
+ fit_base_uname_config = fdt_get_name(fit, cfg_noffset, NULL);
++#ifndef USE_HOSTCC
+ printf(" Using '%s' configuration\n", fit_base_uname_config);
++#endif
+ /* Remember this config */
+ if (image_type == IH_TYPE_KERNEL)
+ images->fit_uname_cfg = fit_base_uname_config;
+@@ -2131,7 +2135,9 @@ int fit_image_load(struct bootm_headers
+ fit_uname = fit_get_name(fit, noffset, NULL);
+ }
+ if (noffset < 0) {
++#ifndef USE_HOSTCC
+ printf("Could not find subimage node type '%s'\n", prop_name);
++#endif
+ bootstage_error(bootstage_id + BOOTSTAGE_SUB_SUBNODE);
+ return -ENOENT;
+ }
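Review bot: In `bootm_host_load_images()`, running `i` over every value below `IH_TYPE_COUNT` does not by itself guarantee that every sub-image is checked: each pass still goes through `fit_image_load()`, which resolves the image via `fit_get_image_type_property(image_type)` and returns `-ENOENT` when no node is found, and the loop treats `-ENOENT` as nothing to verify. A type with no matching configuration property, or (presumably) an image the configuration does not reference, would therefore be skipped silently, and the new `#ifndef USE_HOSTCC` guards in image-fit.c also hide the "Could not find subimage node type" message that used to reveal this on the host. I would record that limit next to the loop, e.g. `/* only images reachable from the configuration through a known type property are verified; -ENOENT means the type was not found and is skipped */`. With the early `break`, the `!err &&` test is redundant, so the body can shrink to `if (ret && ret != -ENOENT) { err = ret; break; }`. Both functions continue outside these hunks.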
diff --git a/package/boot/uboot-tools/patches/014-tools-fit_check_sign-no-decompress.patch b/package/boot/uboot-tools/patches/014-tools-fit_check_sign-no-decompress.patch
new file mode 100644
index 00000000000..6cd18aa5495
--- /dev/null
+++ b/package/boot/uboot-tools/patches/014-tools-fit_check_sign-no-decompress.patch
@@ -0,0 +1,40 @@
+--- a/boot/bootm.c
++++ b/boot/bootm.c
+@@ -1188,10 +1188,6 @@ static int bootm_host_load_image(const v
+ ulong data, len;
+ struct bootm_headers images;
+ int noffset;
+- ulong load_end, buf_size;
+- uint8_t image_type;
+- uint8_t image_comp;
+- void *load_buf;
+ int ret;
+
+ fit_uname_config = fdt_get_name(fit, cfg_noffset, NULL);
+@@ -1203,26 +1199,6 @@ static int bootm_host_load_image(const v
+ FIT_LOAD_IGNORED, &data, &len);
+ if (noffset < 0)
+ return noffset;
+- if (fit_image_get_type(fit, noffset, &image_type)) {
+- puts("Can't get image type!\n");
+- return -EINVAL;
+- }
+-
+- if (fit_image_get_comp(fit, noffset, &image_comp))
+- image_comp = IH_COMP_NONE;
+-
+- /* Allow the image to expand by a factor of 4, should be safe */
+- buf_size = (1 << 20) + len * 4;
+- load_buf = malloc(buf_size);
+- ret = image_decomp(image_comp, 0, data, image_type, load_buf,
+- (void *)data, len, buf_size, &load_end);
+- free(load_buf);
+-
+- if (ret) {
+- ret = handle_decomp_error(image_comp, load_end - 0, buf_size, ret);
+- if (ret != BOOTM_ERR_UNIMPLEMENTED)
+- return ret;
+- }
+
+ return 0;
+ }
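Review bot: `int ret;` stays in the declarations of `bootm_host_load_image()` as a context line while every use of `ret` visible in the second hunk is removed, so it looks unused now and would trip `-Wunused-variable`; unless the lines between the two hunks use it, drop that declaration together with the other four. `data` and `len` are likewise only filled in by the call ending in `FIT_LOAD_IGNORED, &data, &len);` and never read afterwards. Since the function now returns 0 as soon as `noffset` is non-negative, a short comment above `return 0;` would help the next reader, e.g. `/* payload is intentionally not decompressed here; validation is whatever fit_image_load() performs */`. The start of the function and of that call lie outside the hunk.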