summaryrefslogtreecommitdiff
path: root/common/image-fit.c
diff options
context:
space:
mode:
authorSimon Glass <sjg@chromium.org>2021-02-15 17:08:09 -0700
committerTom Rini <trini@konsulko.com>2021-02-15 22:31:52 -0500
commitc5819701a3de61e2ba2ef7ad0b616565b32305e5 (patch)
tree2d78afc29b784d5477102dabfc94215781126ae0 /common/image-fit.c
parentd5f3aadacbc63df3b690d6fd9f0aa3f575b43356 (diff)
downloadu-boot-c5819701a3de61e2ba2ef7ad0b616565b32305e5.tar.gz
u-boot-c5819701a3de61e2ba2ef7ad0b616565b32305e5.tar.bz2
u-boot-c5819701a3de61e2ba2ef7ad0b616565b32305e5.zip
image: Adjust the workings of fit_check_format()
At present this function does not accept a size for the FIT. This means that it must be read from the FIT itself, introducing potential security risk. Update the function to include a size parameter, which can be invalid, in which case fit_check_format() calculates it. For now no callers pass the size, but this can be updated later. Also adjust the return value to an error code so that all the different types of problems can be distinguished by the user. Signed-off-by: Simon Glass <sjg@chromium.org> Reported-by: Bruce Monroe <bruce.monroe@intel.com> Reported-by: Arie Haenel <arie.haenel@intel.com> Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Diffstat (limited to 'common/image-fit.c')
-rw-r--r--common/image-fit.c46
1 files changed, 20 insertions, 26 deletions
diff --git a/common/image-fit.c b/common/image-fit.c
index c3dc814115..f6c0428a96 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -8,6 +8,8 @@
* Wolfgang Denk, DENX Software Engineering, wd@denx.de.
*/
+#define LOG_CATEGORY LOGC_BOOT
+
#ifdef USE_HOSTCC
#include "mkimage.h"
#include <time.h>
@@ -1566,49 +1568,41 @@ int fit_image_check_comp(const void *fit, int noffset, uint8_t comp)
return (comp == image_comp);
}
-/**
- * fit_check_format - sanity check FIT image format
- * @fit: pointer to the FIT format image header
- *
- * fit_check_format() runs a basic sanity FIT image verification.
- * Routine checks for mandatory properties, nodes, etc.
- *
- * returns:
- * 1, on success
- * 0, on failure
- */
-int fit_check_format(const void *fit)
+int fit_check_format(const void *fit, ulong size)
{
+ int ret;
+
/* A FIT image must be a valid FDT */
- if (fdt_check_header(fit)) {
- debug("Wrong FIT format: not a flattened device tree\n");
- return 0;
+ ret = fdt_check_header(fit);
+ if (ret) {
+ log_debug("Wrong FIT format: not a flattened device tree (err=%d)\n",
+ ret);
+ return -ENOEXEC;
}
/* mandatory / node 'description' property */
- if (fdt_getprop(fit, 0, FIT_DESC_PROP, NULL) == NULL) {
- debug("Wrong FIT format: no description\n");
- return 0;
+ if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) {
+ log_debug("Wrong FIT format: no description\n");
+ return -ENOMSG;
}
if (IMAGE_ENABLE_TIMESTAMP) {
/* mandatory / node 'timestamp' property */
- if (fdt_getprop(fit, 0, FIT_TIMESTAMP_PROP, NULL) == NULL) {
- debug("Wrong FIT format: no timestamp\n");
- return 0;
+ if (!fdt_getprop(fit, 0, FIT_TIMESTAMP_PROP, NULL)) {
+ log_debug("Wrong FIT format: no timestamp\n");
+ return -ENODATA;
}
}
/* mandatory subimages parent '/images' node */
if (fdt_path_offset(fit, FIT_IMAGES_PATH) < 0) {
- debug("Wrong FIT format: no images parent node\n");
- return 0;
+ log_debug("Wrong FIT format: no images parent node\n");
+ return -ENOENT;
}
- return 1;
+ return 0;
}
-
/**
* fit_conf_find_compat
* @fit: pointer to the FIT format image header
@@ -1945,7 +1939,7 @@ int fit_image_load(bootm_headers_t *images, ulong addr,
printf("## Loading %s from FIT Image at %08lx ...\n", prop_name, addr);
bootstage_mark(bootstage_id + BOOTSTAGE_SUB_FORMAT);
- if (!fit_check_format(fit)) {
+ if (fit_check_format(fit, IMAGE_SIZE_INVAL)) {
printf("Bad FIT %s image format!\n", prop_name);
bootstage_error(bootstage_id + BOOTSTAGE_SUB_FORMAT);
return -ENOEXEC;