
Split booting may use uninitialized memory in crypto checks

Description

The split_go() routine in mcuboot/boot/bootutil/src/loader.c makes use of the boot_read_image_headers() helper provided for "dual image area with swap" style boots:

int
split_go(int loader_slot, int split_slot, void **entry)
{
    const struct flash_area *loader_fap;
    const struct flash_area *app_fap;
    struct flash_area *sectors;
    uintptr_t entry_val;
    int loader_flash_id;
    int app_flash_id;
    int rc;

    // [...]

    rc = boot_read_image_headers();

    // [...]

    rc = split_image_check(&boot_data.imgs[split_slot].hdr, app_fap,
                           &boot_data.imgs[loader_slot].hdr, loader_fap);

    // [...]
}

boot_read_image_headers() should not be used in this context: it returns success as long as some of the headers were read correctly, which is acceptable for the swap case, where a single complete image in one of the slots is enough to boot. split_go(), however, treats that success as meaning both image area headers were read correctly.

The problem is that when slot 0's header is read correctly but slot 1's is not, boot_read_image_headers() still returns success, and split_go() goes on to pass the never-written contents of boot_data.imgs[1].hdr, whatever happens to be in that memory, to split_image_check(). On its own this makes the outcome of the check unpredictable; combined with another bug that lets an attacker influence that memory, it could feed attacker-controlled data to split_image_check().

This ticket tracks fixing split_go() to validate that all of its inputs are read correctly before passing them off for validation.
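The following is an added example, not code from the ticket or from mcuboot, that models the failure mode above and the shape of the fix. The struct layouts, the IMG_MAGIC value, the NULL-data convention for an unreadable slot, the simplified two-argument split_image_check() and the function names split_go_before()/split_go_after() are all assumptions made for the example. The "before" path uses a helper that, as the ticket describes, tolerates a failed read of a later slot; the "after" path reads each header it needs and fails on the first error, so no stale bytes reach the check.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the header handling this ticket describes; names,
 * types and the magic value are assumptions, not mcuboot's definitions. */
#define IMG_MAGIC   0x96f3b83dU   /* assumed "valid image header" marker */
#define NUM_SLOTS   2
#define LOADER_SLOT 0
#define SPLIT_SLOT  1

struct image_header {
    uint32_t ih_magic;
    uint32_t ih_img_size;
};

/* One flash slot; data == NULL models a slot whose header cannot be read. */
struct slot_flash {
    const uint8_t *data;
    size_t len;
};

/* Stand-in for boot_data.imgs[].hdr: never cleared, so a slot whose read
 * failed keeps whatever bytes were there before. */
struct boot_state {
    struct image_header hdr[NUM_SLOTS];
};

static int read_header(const struct slot_flash *fa, struct image_header *out)
{
    if (fa->data == NULL || fa->len < sizeof(*out)) {
        return -1;                  /* read failure; *out is left untouched */
    }
    memcpy(out, fa->data, sizeof(*out));
    return 0;
}

/* Swap-style helper as the ticket characterises it: a failure on slot 0 is
 * fatal, but a failure on a later slot is tolerated and 0 is still returned. */
static int read_image_headers_lenient(const struct slot_flash *fa,
                                      struct boot_state *st)
{
    for (int i = 0; i < NUM_SLOTS; i++) {
        int rc = read_header(&fa[i], &st->hdr[i]);
        if (rc != 0) {
            return (i > 0) ? 0 : rc;
        }
    }
    return 0;
}

/* Stand-in for split_image_check(): it only sees the bytes it is handed, so
 * it cannot tell a freshly read header from stale memory. */
static int split_image_check(const struct image_header *app_hdr,
                             const struct image_header *loader_hdr)
{
    if (app_hdr->ih_magic != IMG_MAGIC || loader_hdr->ih_magic != IMG_MAGIC) {
        return -1;
    }
    return 0;
}

/* Before: success from the lenient helper is taken to mean both headers were read. */
int split_go_before(const struct slot_flash *fa, struct boot_state *st)
{
    int rc = read_image_headers_lenient(fa, st);
    if (rc != 0) {
        return rc;
    }
    return split_image_check(&st->hdr[SPLIT_SLOT], &st->hdr[LOADER_SLOT]);
}

/* After: both headers are required, so each read is checked and the first
 * failure is returned before anything reaches split_image_check(). */
int split_go_after(const struct slot_flash *fa, struct boot_state *st)
{
    int rc = read_header(&fa[LOADER_SLOT], &st->hdr[LOADER_SLOT]);
    if (rc == 0) {
        rc = read_header(&fa[SPLIT_SLOT], &st->hdr[SPLIT_SLOT]);
    }
    if (rc != 0) {
        return rc;
    }
    return split_image_check(&st->hdr[SPLIT_SLOT], &st->hdr[LOADER_SLOT]);
}

/* Constructed scenario: slot 0 readable, slot 1 unreadable, and the split
 * slot's header memory still holds stale bytes that happen to look valid. */
int run_stale_split_header_scenario(int (*split_go)(const struct slot_flash *,
                                                    struct boot_state *))
{
    static const struct image_header loader_img = { IMG_MAGIC, 0x1000 };
    struct slot_flash fa[NUM_SLOTS] = {
        { (const uint8_t *)&loader_img, sizeof(loader_img) },
        { NULL, 0 },
    };
    struct boot_state st = { { { 0, 0 }, { IMG_MAGIC, 0x2000 } } };  /* stale */
    return split_go(fa, &st);
}
```

Running the scenario through split_go_before() returns 0, i.e. the stale split header passes the check even though slot 1 was never read; split_go_after() returns the read error instead. The real split_image_check() also takes the two flash areas and does considerably more than a magic comparison, but the point is the same: it can only validate what it is handed, so the caller must guarantee that every header it passes was actually read.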

Environment: None

Assignee: Fabio Utzig

Reporter: Marti Bolivar

Labels: None

Priority: High