diff options
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/Kconfig.cbfs_verification | 14 | ||||
-rw-r--r-- | src/lib/cbfs.c | 7 |
2 files changed, 21 insertions, 0 deletions
diff --git a/src/lib/Kconfig.cbfs_verification b/src/lib/Kconfig.cbfs_verification index 9b053e1c16..12aaf81fab 100644 --- a/src/lib/Kconfig.cbfs_verification +++ b/src/lib/Kconfig.cbfs_verification @@ -37,6 +37,20 @@ config TOCTOU_SAFETY bootblock is also safe against these vulnerabilities (i.e. there's no point in enabling this when you just rely on flash write-protection). +config CBFS_ALLOW_UNVERIFIED_DECOMPRESSION + bool "Run decompression algorithms on potentially untrusted code" + default n + help + This controls whether cbfs_unverified_area_...() access functions may + decompress files. This exposes the attack surface of all supported + decompression algorithms. Even if you don't compress the files you are + planning to load with these functions, since file metadata is also + unverified, an attacker can potentially replace them with compressed + files to access a vulnerability in the decompression code. + + If you don't need to load compressed files from unverified areas, say + no here for tighter security. + config CBFS_HASH_ALGO int default 1 if CBFS_HASH_SHA1 diff --git a/src/lib/cbfs.c b/src/lib/cbfs.c index 4e25d27cfb..78eeb3bfb2 100644 --- a/src/lib/cbfs.c +++ b/src/lib/cbfs.c @@ -208,6 +208,13 @@ static size_t cbfs_load_and_decompress(const struct region_device *rdev, void *b DEBUG("Decompressing %zu bytes from '%s' to %p with algo %d\n", in_size, mdata->h.filename, buffer, compression); + if (CONFIG(CBFS_VERIFICATION) && !CONFIG(CBFS_ALLOW_UNVERIFIED_DECOMPRESSION) && + skip_verification && compression != CBFS_COMPRESS_NONE) { + ERROR("Refusing to decompress unverified file '%s' with algo %d\n", + mdata->h.filename, compression); + return 0; + } + switch (compression) { case CBFS_COMPRESS_NONE: if (buffer_size < in_size) |