Fix hash verification weakness
If cat exits prematurely, we might fail to detect trailing malicious
garbage in the SPI tarball.
DemiMarie committed Jun 19, 2021
1 parent 084dd1f commit 12fd596
Showing 2 changed files with 3 additions and 2 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -8,3 +8,4 @@ config-base-*
macbook12-spi-driver-*.tar
macbook12-spi-driver-*.tar.gz.UNTRUSTED
pkgs
spi.sha256
4 changes: 2 additions & 2 deletions Makefile
Expand Up @@ -97,8 +97,8 @@ $(SRC_TARFILE): $(SRC_FILE)$(UNTRUSTED_SUFF) $(HASH_FILE)
endif

$(SPI_SRC_TARFILE): $(SPI_SRC_TARFILE)$(UNTRUSTED_SUFF)
cat $< | sha256sum | head -c64 | grep -q "^$(SPI_HASH_SHA256)$$"
mv $< $@
$(file > spi.sha256,$(SPI_HASH_SHA256) $(SPI_SRC_TARFILE)$(UNTRUSTED_SUFF))
sha256sum -c spi.sha256 && mv $< $@ && rm spi.sha256

$(SRC_FILE)$(UNTRUSTED_SUFF):
@$(FETCH_CMD) $@ -- $(URL)
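Review bot: The rewritten `$(SPI_SRC_TARFILE)` recipe has no comment recording why the digest is checked with `sha256sum -c` on the file itself. In the old pipeline the recipe's status was that of the final `grep` (assuming no pipefail, which is not visible here), so a `cat` that stopped early went unnoticed, and a later simplification back to a pipe would reintroduce the weakness. I would add above the rule `# Verify with sha256sum -c on the file itself: a pipeline's exit status hides a short read by cat.` The `$(file > spi.sha256,...)` call needs GNU Make 4.0 or later; on an older make it presumably expands to nothing, so the check would fail closed with a missing-file error, or read a stale `spi.sha256` from an earlier failed run, since the file is removed only on success. The `$(SRC_TARFILE)` rule named in the hunk header lies outside the hunk, so whether it needs the same treatment cannot be judged from here.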
