From patchwork Sat Jun  9 15:38:05 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Teddy Reed <teddy.reed@gmail.com>
X-Patchwork-Id: 927171
X-Patchwork-Delegate: trini@ti.com
Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=lists.denx.de
	(client-ip=81.169.180.215; helo=lists.denx.de;
	envelope-from=u-boot-bounces@lists.denx.de;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=fail (p=none dis=none) header.from=gmail.com
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="kfStfQUq"; dkim-atps=neutral
Received: from lists.denx.de (dione.denx.de [81.169.180.215])
	by ozlabs.org (Postfix) with ESMTP id 4133Mg30mwz9s31
	for <incoming@patchwork.ozlabs.org>;
	Sun, 10 Jun 2018 01:38:21 +1000 (AEST)
Received: by lists.denx.de (Postfix, from userid 105)
	id 1AFF5C21DF9; Sat,  9 Jun 2018 15:38:13 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on lists.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=FREEMAIL_FROM, T_DKIM_INVALID
	autolearn=unavailable autolearn_force=no version=3.4.0
Received: from lists.denx.de (localhost [IPv6:::1])
	by lists.denx.de (Postfix) with ESMTP id 5541FC21C27;
	Sat,  9 Jun 2018 15:38:10 +0000 (UTC)
Received: by lists.denx.de (Postfix, from userid 105)
	id 0BD33C21C27; Sat,  9 Jun 2018 15:38:08 +0000 (UTC)
Received: from mail-qk0-f182.google.com (mail-qk0-f182.google.com
	[209.85.220.182])
	by lists.denx.de (Postfix) with ESMTPS id 97738C21BE5
	for <u-boot@lists.denx.de>; Sat,  9 Jun 2018 15:38:07 +0000 (UTC)
Received: by mail-qk0-f182.google.com with SMTP id k86-v6so10584136qkh.13
	for <u-boot@lists.denx.de>; Sat, 09 Jun 2018 08:38:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=date:from:to:cc:subject:message-id:mime-version
	:content-transfer-encoding;
	bh=iq2NyV2/+sf2qogAdM8Q3y9wJnQOexW8cm91CyeTWuA=;
	b=kfStfQUq8VkKciMuDV7vi9E9fBNs6Ip5pwBsdRkbb1tTcCdJF2ZE6PKckh+mmrk1qQ
	wEMjnlnM6vZysIEOANU5EN/N0h9W22JGiFf/4WLaMDcXxjQClbN2ilFGAv9ZQTBxv4MK
	HxoI5vEpIg6YIud8B61AQFHQWVRjfz03mbNa5puzZxJDWfIYk1EDu4JkUVBeMFFoY7kD
	Qer5x1u1c4UiBEdgct5laUgSQi/u7TqvVXuPg6Ku9pi/IWg080m0H6W0I6XogbBTA/r1
	Mep3FHd85lzXbKV9XVd06qIMAe0aDl8mxwFb9P5w4yq991l24spKAKwqeQxgUzgJsKWO
	+ClQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version
	:content-transfer-encoding;
	bh=iq2NyV2/+sf2qogAdM8Q3y9wJnQOexW8cm91CyeTWuA=;
	b=UIrzWR4Jb/JZH2ZouBfxWXbx8mo7Z15FTG+O9K7YGzyNXNCdyN/g/gxNJu+9Al11lO
	dW1osQphSRlMxwtoDfFGe9s51LBJqXpqyKDULAw5ATBfKWnv/6EKdl88IisqBkW0Hp1P
	KYKFVrDYZbiEp+WqIhLEl2GvNrQoAEzXYuxL+ZRRM9G5m5x/o1juqntbxJ7ReImoyH17
	AJoqfX0JgqhLSIfaw2z2TEZ0lM4nocHD6aZAa/v3SEODf6eSgGoijBHapF4FPUYA4/6o
	V/GKKD1SBKgKoCaXlQpIXmfxRN7EMCvdg6n7G21t/noWB0yPVdxyf95EOte+CFfKe7Dw
	9XSw==
X-Gm-Message-State: APt69E1cKssc2LgQMZspzwg5IhA2z6AcMilTydfbvx7tQ3ihvsvpaIxI
	Wh49m4jU2vFoTf7UZVOLZs44P3LL
X-Google-Smtp-Source: 
 ADUXVKIeA+8hgs+xcmUUXMWfOM38WoKDWYcXyEWSGb1wum0dH07BE92QeuUqh/EuCTYbUblxmX3KvA==
X-Received: by 2002:a37:2b87:: with SMTP id
	r7-v6mr9363772qkr.331.1528558686231;
	Sat, 09 Jun 2018 08:38:06 -0700 (PDT)
Received: from maverics (pool-108-35-88-207.nwrknj.fios.verizon.net.
	[108.35.88.207]) by smtp.gmail.com with ESMTPSA id
	o31-v6sm6537407qte.16.2018.06.09.08.38.05
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Sat, 09 Jun 2018 08:38:05 -0700 (PDT)
Date: Sat, 9 Jun 2018 11:38:05 -0400
From: Teddy Reed <teddy.reed@gmail.com>
To: u-boot@lists.denx.de
Message-Id: <20180609113805.8c709218af029b48d4e750be@gmail.com>
X-Mailer: Sylpheed 3.5.0 (GTK+ 2.24.30; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Subject: [U-Boot] [PATCH v2] vboot: Add FIT_SIGNATURE_MAX_SIZE protection
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
	<mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <http://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
	<mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

This adds a new config value FIT_SIGNATURE_MAX_SIZE, which controls the
max size of a FIT header's totalsize field. The field is checked before
signature checks are applied to protect from reading past the intended
FIT regions.

This field is not part of the vboot signature so it should be sanity
checked. If the field is corrupted then the structure or string region
reads may have unintended behavior, such as reading from device memory.
A default value of 256MB is set and intended to support most max storage
sizes.

Suggested-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Teddy Reed <teddy.reed@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 Kconfig                     | 10 ++++++++++
 common/image-sig.c          |  5 +++++
 test/py/tests/test_vboot.py | 33 +++++++++++++++++++++++++++++++++
 tools/Makefile              |  1 +
 4 files changed, 49 insertions(+)

diff --git a/Kconfig b/Kconfig
index 5a82c95..c8b86cd 100644
--- a/Kconfig
+++ b/Kconfig
@@ -267,6 +267,16 @@ config FIT_SIGNATURE
 	  format support in this case, enable it using
 	  CONFIG_IMAGE_FORMAT_LEGACY.
 
+config FIT_SIGNATURE_MAX_SIZE
+	hex "Max size of signed FIT structures"
+	depends on FIT_SIGNATURE
+	default 0x10000000
+	help
+	  This option sets a max size in bytes for verified FIT uImages.
+	  A sane value of 256MB protects corrupted DTB structures from overlapping
+	  device memory. Assure this size does not extend past expected storage
+	  space.
+
 config FIT_VERBOSE
 	bool "Show verbose messages when FIT images fail"
 	help
diff --git a/common/image-sig.c b/common/image-sig.c
index f65d883..8d2fd10 100644
--- a/common/image-sig.c
+++ b/common/image-sig.c
@@ -156,6 +156,11 @@ static int fit_image_setup_verify(struct image_sign_info *info,
 {
 	char *algo_name;
 
+	if (fdt_totalsize(fit) > CONFIG_FIT_SIGNATURE_MAX_SIZE) {
+		*err_msgp = "Total size too large";
+		return 1;
+	}
+
 	if (fit_image_hash_get_algo(fit, noffset, &algo_name)) {
 		*err_msgp = "Can't get hash algo property";
 		return -1;
diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index ee939f2..3d25ec3 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -26,6 +26,7 @@ Tests run with both SHA1 and SHA256 hashing.
 
 import pytest
 import sys
+import struct
 import u_boot_utils as util
 
 @pytest.mark.boardspec('sandbox')
@@ -105,6 +106,26 @@ def test_vboot(u_boot_console):
         util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb,
                                 '-r', fit])
 
+    def replace_fit_totalsize(size):
+        """Replace FIT header's totalsize with something greater.
+
+        The totalsize must be less than or equal to FIT_SIGNATURE_MAX_SIZE.
+        If the size is greater, the signature verification should return false.
+
+        Args:
+            size: The new totalsize of the header
+
+        Returns:
+            prev_size: The previous totalsize read from the header
+        """
+        total_size = 0
+        with open(fit, 'r+b') as handle:
+            handle.seek(4)
+            total_size = handle.read(4)
+            handle.seek(4)
+            handle.write(struct.pack(">I", size))
+        return struct.unpack(">I", total_size)[0]
+
     def test_with_algo(sha_algo):
         """Test verified boot with the given hash algorithm.
 
@@ -146,6 +167,18 @@ def test_vboot(u_boot_console):
         util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', tmpdir,
                                 '-k', dtb])
 
+        # Replace header bytes
+        bcfg = u_boot_console.config.buildconfig
+        max_size = int(bcfg.get('config_fit_signature_max_size', 0x10000000), 0)
+        existing_size = replace_fit_totalsize(max_size + 1)
+        run_bootm(sha_algo, 'Signed config with bad hash', 'Bad Data Hash', False)
+        cons.log.action('%s: Check overflowed FIT header totalsize' % sha_algo)
+
+        # Replace with existing header bytes
+        replace_fit_totalsize(existing_size)
+        run_bootm(sha_algo, 'signed config', 'dev+', True)
+        cons.log.action('%s: Check default FIT header totalsize' % sha_algo)
+
         # Increment the first byte of the signature, which should cause failure
         sig = util.run_and_log(cons, 'fdtget -t bx %s %s value' %
                                (fit, sig_node))
diff --git a/tools/Makefile b/tools/Makefile
index 5dd33ed..0c3341e 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -133,6 +133,7 @@ ifdef CONFIG_FIT_SIGNATURE
 # This affects include/image.h, but including the board config file
 # is tricky, so manually define this options here.
 HOST_EXTRACFLAGS	+= -DCONFIG_FIT_SIGNATURE
+HOST_EXTRACFLAGS	+= -DCONFIG_FIT_SIGNATURE_MAX_SIZE=$(CONFIG_FIT_SIGNATURE_MAX_SIZE)
 endif
 
 ifdef CONFIG_SYS_U_BOOT_OFFS