Diffstat (limited to 'meta/recipes-bsp/u-boot/files/CVE-2021-27097-3.patch')
-rw-r--r--meta/recipes-bsp/u-boot/files/CVE-2021-27097-3.patch105
1 files changed, 105 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2021-27097-3.patch b/meta/recipes-bsp/u-boot/files/CVE-2021-27097-3.patch
new file mode 100644
index 00000000000..86f7e8ce558
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2021-27097-3.patch
@@ -0,0 +1,105 @@
+From 6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01 Mon Sep 17 00:00:00 2001
+From: Simon Glass <sjg@chromium.org>
+Date: Mon, 15 Feb 2021 17:08:10 -0700
+Subject: [PATCH] image: Add an option to do a full check of the FIT
+
+Some strange modifications of the FIT can introduce security risks. Add an
+option to check it thoroughly, using libfdt's fdt_check_full() function.
+
+Enable this by default if signature verification is enabled.
+
+CVE-2021-27097
+
+Signed-off-by: Simon Glass <sjg@chromium.org>
+Reported-by: Bruce Monroe <bruce.monroe@intel.com>
+Reported-by: Arie Haenel <arie.haenel@intel.com>
+Reported-by: Julien Lenoir <julien.lenoir@intel.com>
+
+CVE: CVE-2021-27097
+Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01]
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+
+---
+ common/Kconfig.boot | 20 ++++++++++++++++++++
+ common/image-fit.c | 16 ++++++++++++++++
+ 2 files changed, 36 insertions(+)
+
+diff --git a/common/Kconfig.boot b/common/Kconfig.boot
+index 5eaabdfc27..7532e55edb 100644
+--- a/common/Kconfig.boot
++++ b/common/Kconfig.boot
+@@ -63,6 +63,15 @@ config FIT_ENABLE_SHA512_SUPPORT
+ SHA512 checksum is a 512-bit (64-byte) hash value used to check that
+ the image contents have not been corrupted.
+
++config FIT_FULL_CHECK
++ bool "Do a full check of the FIT before using it"
++ default y
++ help
++ Enable this do a full check of the FIT to make sure it is valid. This
++ helps to protect against carefully crafted FITs which take advantage
++ of bugs or omissions in the code. This includes a bad structure,
++ multiple root nodes and the like.
++
+ config FIT_SIGNATURE
+ bool "Enable signature verification of FIT uImages"
+ depends on DM
+@@ -70,6 +79,7 @@ config FIT_SIGNATURE
+ select RSA
+ select RSA_VERIFY
+ select IMAGE_SIGN_INFO
++ select FIT_FULL_CHECK
+ help
+ This option enables signature verification of FIT uImages,
+ using a hash signed and verified using RSA. If
+@@ -159,6 +169,15 @@ config SPL_FIT_PRINT
+ help
+ Support printing the content of the fitImage in a verbose manner in SPL.
+
++config SPL_FIT_FULL_CHECK
++ bool "Do a full check of the FIT before using it"
++ help
++ Enable this do a full check of the FIT to make sure it is valid. This
++ helps to protect against carefully crafted FITs which take advantage
++ of bugs or omissions in the code. This includes a bad structure,
++ multiple root nodes and the like.
++
++
+ config SPL_FIT_SIGNATURE
+ bool "Enable signature verification of FIT firmware within SPL"
+ depends on SPL_DM
+@@ -168,6 +187,7 @@ config SPL_FIT_SIGNATURE
+ select SPL_RSA
+ select SPL_RSA_VERIFY
+ select SPL_IMAGE_SIGN_INFO
++ select SPL_FIT_FULL_CHECK
+
+ config SPL_LOAD_FIT
+ bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)"
+diff --git a/common/image-fit.c b/common/image-fit.c
+index f6c0428a96..bcf395f6a1 100644
+--- a/common/image-fit.c
++++ b/common/image-fit.c
+@@ -1580,6 +1580,22 @@ int fit_check_format(const void *fit, ulong size)
+ return -ENOEXEC;
+ }
+
++ if (CONFIG_IS_ENABLED(FIT_FULL_CHECK)) {
++ /*
++ * If we are not given the size, make do wtih calculating it.
++ * This is not as secure, so we should consider a flag to
++ * control this.
++ */
++ if (size == IMAGE_SIZE_INVAL)
++ size = fdt_totalsize(fit);
++ ret = fdt_check_full(fit, size);
++
++ if (ret) {
++ log_debug("FIT check error %d\n", ret);
++ return -EINVAL;
++ }
++ }
++
+ /* mandatory / node 'description' property */
+ if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) {
+ log_debug("Wrong FIT format: no description\n");
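Review bot: In the `fit_check_format()` hunk of the embedded patch, when `size == IMAGE_SIZE_INVAL` the length passed to `fdt_check_full()` is `fdt_totalsize(fit)`, a field read from the image being validated, so on that path the check can only confirm the FIT is self-consistent, not that it fits the buffer that was actually loaded. The existing comment hints at this ("not as secure"); I would state it outright and fix the "wtih" typo, e.g. `/* No caller-supplied size: fall back to the header's own totalsize, which is untrusted, so this only checks self-consistency. */`, and audit which callers still pass `IMAGE_SIZE_INVAL` (none are visible here). Separately, `SPL_FIT_FULL_CHECK` has no `default y`, unlike `FIT_FULL_CHECK`, so an SPL that loads FITs without `SPL_FIT_SIGNATURE` skips the full check unless the board config opts in; if that is intentional (presumably for SPL size), the help text should say so. The function body starts and continues outside the hunk, so whether `ret` is declared and `IMAGE_SIZE_INVAL` is defined depends on the earlier patches in this CVE-2021-27097 series being applied first.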