2 files changed, 21 insertions, 0 deletions

diff --git a/src/lib/Kconfig.cbfs_verification b/src/lib/Kconfig.cbfs_verification
index 9b053e1c16..12aaf81fab 100644
--- a/src/lib/Kconfig.cbfs_verification
+++ b/src/lib/Kconfig.cbfs_verification
@@ -37,6 +37,20 @@ config TOCTOU_SAFETY
 	  bootblock is also safe against these vulnerabilities (i.e. there's no
 	  point in enabling this when you just rely on flash write-protection).
 
+config CBFS_ALLOW_UNVERIFIED_DECOMPRESSION
+	bool "Run decompression algorithms on potentially untrusted code"
+	default n
+	help
+	  This controls whether cbfs_unverified_area_...() access functions may
+	  decompress files. This exposes the attack surface of all supported
+	  decompression algorithms. Even if you don't compress the files you are
+	  planning to load with these functions, since file metadata is also
+	  unverified, an attacker can potentially replace them with compressed
+	  files to access a vulnerability in the decompression code.
+
+	  If you don't need to load compressed files from unverified areas, say
+	  no here for tighter security.
+
 config CBFS_HASH_ALGO
 	int
 	default 1 if CBFS_HASH_SHA1
diff --git a/src/lib/cbfs.c b/src/lib/cbfs.c
index 4e25d27cfb..78eeb3bfb2 100644
--- a/src/lib/cbfs.c
+++ b/src/lib/cbfs.c
@@ -208,6 +208,13 @@ static size_t cbfs_load_and_decompress(const struct region_device *rdev, void *b
 	DEBUG("Decompressing %zu bytes from '%s' to %p with algo %d\n",
 	      in_size, mdata->h.filename, buffer, compression);
 
+	if (CONFIG(CBFS_VERIFICATION) && !CONFIG(CBFS_ALLOW_UNVERIFIED_DECOMPRESSION) &&
+	    skip_verification && compression != CBFS_COMPRESS_NONE) {
+		ERROR("Refusing to decompress unverified file '%s' with algo %d\n",
+		      mdata->h.filename, compression);
+		return 0;
+	}
+
 	switch (compression) {
 	case CBFS_COMPRESS_NONE:
 		if (buffer_size < in_size)