image-sig: Ensure that hashed-nodes is null-terminated A specially crafted FIT image leads to memory corruption in the stack when using the verified boot feature. The function fit_config_check_sig has a logic error that makes it possible to write past the end of the stack allocated array node_inc. This could potentially be used to bypass the signature check when using verified boot. This change ensures that the number of strings is correct when counted. Signed-off-by: Konrad Beckmann <konrad.beckmann@gmail.com> Reviewed-by: Simon Glass <sjg@chromium.org>

commit: f1c85688ab13f154ebe1b1480def233a22e7f66b [log] [tgz]
author: Konrad Beckmann <konrad.beckmann@gmail.com> Wed Nov 07 14:51:45 2018 -0500
committer: Tom Rini <trini@konsulko.com> Fri Nov 16 16:52:01 2018 -0500
tree: c442e39843d945fb0df01ce2af6e431fc718a402
parent: ad5fbc6e8858d0f57a0712f7dba2c710aed9a43c [diff] [blame]
diff --git a/common/image-sig.c b/common/image-sig.c
index 5a269d3..5d860e1 100644
--- a/common/image-sig.c
+++ b/common/image-sig.c

@@ -334,6 +334,11 @@
 		return -1;
 	}
 
+	if (prop && prop_len > 0 && prop[prop_len - 1] != '\0') {
+		*err_msgp = "hashed-nodes property must be null-terminated";
+		return -1;
+	}
+
 	/* Add a sanity check here since we are using the stack */
 	if (count > IMAGE_MAX_HASHED_NODES) {
 		*err_msgp = "Number of hashed nodes exceeds maximum";
commit	f1c85688ab13f154ebe1b1480def233a22e7f66b	[log] [tgz]
author	Konrad Beckmann <konrad.beckmann@gmail.com>	Wed Nov 07 14:51:45 2018 -0500
committer	Tom Rini <trini@konsulko.com>	Fri Nov 16 16:52:01 2018 -0500
tree	c442e39843d945fb0df01ce2af6e431fc718a402
parent	ad5fbc6e8858d0f57a0712f7dba2c710aed9a43c [diff] [blame]