pkg/boot/universalpayload: enhance security and robustness of bootloader components #3570
Open
pohaosu wants to merge 7 commits into
Conversation
Resets the global componentsSize counter at the start of component allocation to prevent persistent allocation failures via state accumulation across multiple calls. Signed-off-by: Phineas Su <pohaosu@google.com>
…sing
- Fixes an insufficient bounds check in relocatePE (DIR64 relocation).
- Adds slice bounds validation in relocateFdtData for FIT sub-image extraction.
Signed-off-by: Phineas Su <pohaosu@google.com>
Relies on fdt.Write() to correctly calculate and populate FDT header fields (TotalSize, Offsets, Sizes), removing redundant and risky manual patching. Signed-off-by: Phineas Su <pohaosu@google.com>
…nstruction In ARM64, gapLen = stackOffset - codeSize where stackOffset is the relative position of the stack label within its page. If the trampoline function crosses a page boundary, stackOffset will be smaller than codeSize, causing an underflow to a massive value and a subsequent OOM panic during allocation. Similar protections added to AMD64. Signed-off-by: Phineas Su <pohaosu@google.com>
Adds length validation when parsing framebuffer sysfs resource strings to prevent panics on malformed or unexpected system file content. Signed-off-by: Phineas Su <pohaosu@google.com>
Corrects trampolineOffse to trampolineOffset. Signed-off-by: Phineas Su <pohaosu@google.com>
Codecov Report
Patch coverage is
Coverage Diff (main vs. #3570):

              main    #3570     +/-
Coverage    60.70%   61.13%  +0.43%
Files          652      659      +7
Lines        45516    46558   +1042
Hits         27630    28464    +834
Misses       17886    18094    +208
rminnich reviewed Apr 21, 2026
d73b572 to 0d891f2
Moved all mutable state, configuration paths, and mockable function pointers from package-level variables into a new UPL struct. Refactored package-level functions into methods of the UPL struct to ensure internal thread-safety and prevent data races when loading multiple payloads concurrently. Implemented a New() constructor with functional options for safe configuration and isolation. Updated all tests to use UPL instances, eliminating the need for global state overrides during testing. Signed-off-by: Phineas Su <pohaosu@google.com>
Overview
This PR addresses several security vulnerabilities and robustness issues identified in the pkg/boot/universalpayload package. These improvements ensure the bootloader is resilient against malformed or malicious FIT images and correctly handles dynamic state during the component allocation process.

Key Changes

1. State Accumulation Fix
Moved the global componentsSize reset to loadKexecMemWithHOBs(). This prevents persistent allocation failures that could occur if state accumulated across multiple calls (e.g., failed boot retries).

2. Out-of-Bounds Panic Mitigation
- Fixed an insufficient bounds check in relocatePE (DIR64 relocation) that could trigger a panic when reading/writing at the end of the data buffer.
- Added slice bounds validation in relocateFdtData for FIT sub-image extraction to prevent panics from malicious data-offset or data-size properties.

3. Secure FDT Generation
Refactored buildDeviceTreeInfo to rely on fdt.Write() for automatic header field population (TotalSize, Offsets, Sizes). This eliminates risky and redundant manual offset patching.

4. Trampoline Underflow Protection
Added safety checks in ARM64 and AMD64 trampoline padding calculations:
- In ARM64, gapLen = stackOffset - codeSize. If the trampoline function crosses a memory page boundary, stackOffset can be smaller than codeSize, causing an underflow to a massive value. This fix prevents a subsequent OOM panic during memory allocation.

5. Sysfs Robustness
Added string length validation when parsing framebuffer resources from sysfs to prevent panics on malformed or unexpected system file content.

6. Bug Fixes
- Corrected a typo (trampolineOffse -> trampolineOffset).

Verification
All changes have been verified with existing package tests and new regression tests integrated directly into universalpayload_test.go and utilities_test.go.
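The checks the description above calls for, as an added example in Go that is not code from this PR or from u-root: hypothetical helpers subImage (validating data-offset and data-size before slicing), applyDir64 (checking the full 8-byte window of a DIR64 relocation, not just the start offset), trampolineGap (rejecting stackOffset < codeSize instead of letting the unsigned subtraction wrap), and a loader type that resets its componentsSize counter at the start of every call so a failed attempt does not poison the retry. The 32-byte buffer and all size values are constructed for the demonstration; none of the names are the package's own identifiers.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Illustrative helpers only; none of these names are the u-root API.

var errOutOfBounds = errors.New("out of bounds")

// subImage returns buf[off:off+size] after validating data-offset/data-size
// style values taken from an untrusted FIT. size is checked against len first
// and off against len-size, so the sum off+size is never computed and cannot
// wrap around in uint64.
func subImage(buf []byte, off, size uint64) ([]byte, error) {
	n := uint64(len(buf))
	if size > n || off > n-size {
		return nil, fmt.Errorf("%w: sub-image offset=%#x size=%#x, buffer len=%#x", errOutOfBounds, off, size, n)
	}
	return buf[off : off+size], nil
}

// applyDir64 applies one IMAGE_REL_BASED_DIR64 entry: read the 64-bit value at
// data[rva:rva+8], add delta, write it back. Checking only rva < len(data) is
// insufficient; all 8 bytes must fit, otherwise an entry pointing at the last
// bytes of the buffer panics on the read.
func applyDir64(data []byte, rva, delta uint64) error {
	n := uint64(len(data))
	if rva > n || n-rva < 8 {
		return fmt.Errorf("%w: DIR64 relocation at %#x needs 8 bytes, buffer len=%#x", errOutOfBounds, rva, n)
	}
	v := binary.LittleEndian.Uint64(data[rva : rva+8])
	binary.LittleEndian.PutUint64(data[rva:rva+8], v+delta)
	return nil
}

// trampolineGap returns the padding between the end of the trampoline code and
// the stack label. stackOffset is the label's offset within its page, so when
// the function straddles a page boundary it is smaller than codeSize and the
// unsigned subtraction would wrap to a huge value that a later make([]byte, gap)
// would try to allocate. Reject that case instead of computing it.
func trampolineGap(stackOffset, codeSize uint64) (uint64, error) {
	if stackOffset < codeSize {
		return 0, fmt.Errorf("trampoline crosses a page boundary: stack label at %#x precedes code end %#x", stackOffset, codeSize)
	}
	return stackOffset - codeSize, nil
}

// loader keeps the running total of component sizes as instance state and
// resets it on every call, so a failed attempt (a retry after a boot error)
// does not start the next call with the previous total already consumed.
type loader struct {
	componentsSize uint64
}

// allocate sums the component sizes against limit and returns the total.
func (l *loader) allocate(sizes []uint64, limit uint64) (uint64, error) {
	l.componentsSize = 0 // reset at the start of the call, not across calls
	for i, s := range sizes {
		if s > limit-l.componentsSize {
			return 0, fmt.Errorf("component %d (%#x bytes) exceeds remaining %#x", i, s, limit-l.componentsSize)
		}
		l.componentsSize += s
	}
	return l.componentsSize, nil
}

func main() {
	buf := make([]byte, 0x20) // constructed 32-byte image stand-in

	_, err := subImage(buf, 0x18, 0x10) // 0x18+0x10 runs past the end
	fmt.Println("sub-image past end:", err)
	_, err = subImage(buf, 0xffffffffffffffff, 2) // would wrap if summed
	fmt.Println("sub-image wrapping offset:", err)

	fmt.Println("DIR64 with 4 bytes left:", applyDir64(buf, 0x1c, 0x1000))
	fmt.Println("DIR64 in range:", applyDir64(buf, 0x18, 0x1000))

	gap, err := trampolineGap(0x10, 0x40)
	fmt.Println("gap across page boundary:", gap, err)

	l := &loader{}
	_, err = l.allocate([]uint64{0x1000, 0x2000}, 0x2000)
	fmt.Println("first attempt:", err)
	total, err := l.allocate([]uint64{0x1000}, 0x2000)
	fmt.Println("retry after reset:", total, err)
}
```

Run it with go run: the in-range DIR64 write lands at offset 0x18 and the retry allocation succeeds only because the counter was reset. Ordering the comparisons as size against len and then off against len-size keeps every intermediate value in range; computing off+size first would reintroduce the wrap the check is meant to catch.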