Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/fmap.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/lib/fmap.c b/src/lib/fmap.c
index ed186e0cae..8d7b6a8f71 100644
--- a/src/lib/fmap.c
+++ b/src/lib/fmap.c
@@ -38,8 +38,10 @@ static int verify_fmap(const struct fmap *fmap)
if (!CONFIG(CBFS_VERIFICATION) || !ENV_INITIAL_STAGE || done)
return 0; /* Only need to check hash in first stage. */
+ /* On error we need to die right here, lest we risk a TOCTOU attack where the cache is
+ filled with a tampered FMAP but the later fallback path is fed a valid one. */
if (metadata_hash_verify_fmap(fmap, FMAP_SIZE) != VB2_SUCCESS)
- return -1;
+ die("FMAP verification failure");
done = true;
return 0;
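Review bot: The added `die("FMAP verification failure")` discards the value returned by `metadata_hash_verify_fmap()`, so the console log of a halted boot cannot distinguish a hash mismatch from any other verification error. Assuming the call returns a vboot error code, as the comparison with `VB2_SUCCESS` suggests, keep it and print it: `vb2_error_t rv = metadata_hash_verify_fmap(fmap, FMAP_SIZE);` followed by `if (rv != VB2_SUCCESS) die("FMAP verification failure: %#x\n", rv);`. With this change the hash check no longer returns -1 to the caller, which is worth stating in a comment at the head of `verify_fmap()`. That function begins outside the hunk, so any other `-1` return paths are not visible here.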