summaryrefslogtreecommitdiff
path: root/src/lib
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/Kconfig.cbfs_verification14
-rw-r--r--src/lib/cbfs.c7
2 files changed, 21 insertions, 0 deletions
diff --git a/src/lib/Kconfig.cbfs_verification b/src/lib/Kconfig.cbfs_verification
index 9b053e1c16..12aaf81fab 100644
--- a/src/lib/Kconfig.cbfs_verification
+++ b/src/lib/Kconfig.cbfs_verification
@@ -37,6 +37,20 @@ config TOCTOU_SAFETY
bootblock is also safe against these vulnerabilities (i.e. there's no
point in enabling this when you just rely on flash write-protection).
+config CBFS_ALLOW_UNVERIFIED_DECOMPRESSION
+ bool "Run decompression algorithms on potentially untrusted code"
+ default n
+ help
+ This controls whether cbfs_unverified_area_...() access functions may
+ decompress files. This exposes the attack surface of all supported
+ decompression algorithms. Even if you don't compress the files you are
+ planning to load with these functions, since file metadata is also
+ unverified, an attacker can potentially replace them with compressed
+ files to access a vulnerability in the decompression code.
+
+ If you don't need to load compressed files from unverified areas, say
+ no here for tighter security.
+
config CBFS_HASH_ALGO
int
default 1 if CBFS_HASH_SHA1
diff --git a/src/lib/cbfs.c b/src/lib/cbfs.c
index 4e25d27cfb..78eeb3bfb2 100644
--- a/src/lib/cbfs.c
+++ b/src/lib/cbfs.c
@@ -208,6 +208,13 @@ static size_t cbfs_load_and_decompress(const struct region_device *rdev, void *b
DEBUG("Decompressing %zu bytes from '%s' to %p with algo %d\n",
in_size, mdata->h.filename, buffer, compression);
+ if (CONFIG(CBFS_VERIFICATION) && !CONFIG(CBFS_ALLOW_UNVERIFIED_DECOMPRESSION) &&
+ skip_verification && compression != CBFS_COMPRESS_NONE) {
+ ERROR("Refusing to decompress unverified file '%s' with algo %d\n",
+ mdata->h.filename, compression);
+ return 0;
+ }
+
switch (compression) {
case CBFS_COMPRESS_NONE:
if (buffer_size < in_size)