From mboxrd@z Thu Jan 1 00:00:00 1970
From: Tom Rini
Date: Mon, 15 Feb 2021 22:35:58 -0500
Subject: [PATCH 2/8] fit: Don't allow verification of images with @ nodes
In-Reply-To: <20210216000812.2091481-3-sjg@chromium.org>
References: <20210216000812.2091481-1-sjg@chromium.org>
 <20210216000812.2091481-3-sjg@chromium.org>
Message-ID: <20210216033558.GO10169@bill-the-cat>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

On Mon, Feb 15, 2021 at 05:08:06PM -0700, Simon Glass wrote:

> When searching for a node called 'fred', any unit address appended to the
> name is ignored by libfdt, meaning that 'fred' can match 'fred@1'. This
> means that we cannot be sure that the node originally intended is the one
> that is used.
>
> Disallow use of nodes with unit addresses.
>
> Update the forge test also, since it uses @ addresses.
>
> CVE-2021-27138
>
> Signed-off-by: Simon Glass
> Reported-by: Bruce Monroe
> Reported-by: Arie Haenel
> Reported-by: Julien Lenoir

Applied to u-boot/master, thanks!

-- 
Tom
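
The name matching described in the quoted commit message, as an added example that is not part of the original mail and is not U-Boot or libfdt source: a simplified C model of a comparison that ignores the unit address, next to a check that refuses any node name containing '@'. The function names and the sample node list are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the matching rule from the commit message (an
 * assumption of this example, not libfdt source): a requested name with
 * no '@' also matches a stored name that continues with '@<unit-address>'. */
static int nodename_eq(const char *stored, const char *want)
{
	size_t len = strlen(want);

	if (strlen(stored) < len || memcmp(stored, want, len) != 0)
		return 0;
	if (stored[len] == '\0')
		return 1;	/* exact match */
	return !strchr(want, '@') && stored[len] == '@';
}

/* Index of the first sibling that matches `want`, or -1 if none does. */
static int find_subnode(const char *const *children, int n, const char *want)
{
	for (int i = 0; i < n; i++)
		if (nodename_eq(children[i], want))
			return i;
	return -1;
}

/* Check in the spirit of "Disallow use of nodes with unit addresses".
 * Hypothetical helper name; returns 1 when the name may be verified. */
static int name_allowed_for_verify(const char *name)
{
	return strchr(name, '@') == NULL;
}

/* Constructed sample: sibling node names in one parent node. */
static const char *const sample_children[] = { "fred@1", "fred" };

int main(void)
{
	int idx = find_subnode(sample_children, 2, "fred");

	printf("lookup of 'fred' resolved to '%s'\n", sample_children[idx]);
	for (int i = 0; i < 2; i++)
		printf("%-7s allowed for verification: %d\n", sample_children[i],
		       name_allowed_for_verify(sample_children[i]));
	return 0;
}
```

With names containing '@' refused up front, the only stored name that can satisfy a lookup for 'fred' in a verified image is the exact one.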