[U-Boot] [PATCH v4 0/7] Fix CVE-2018-18440 and CVE-2018-18439

Frank Wunderlich frank-w at public-files.de
Sat Dec 1 09:46:48 UTC 2018


Hi Simon

#define CONFIG_SYS_SDRAM_BASE		0x80000000

https://github.com/frank-w/u-boot/blob/a6d0c3f8e992a2e428f05443647fe9f5b13f8634/include/configs/mt7623.h#L47

CONFIG_ARM=y
CONFIG_NR_DRAM_BANKS=1
https://github.com/frank-w/u-boot/blob/a6d0c3f8e992a2e428f05443647fe9f5b13f8634/configs/mt7623n_bpir2_defconfig#L7

I applied the patch series on top of my 2018-11 final (currently removed from GitHub)

https://github.com/frank-w/u-boot/tree/bpi-r2_v5

Tried ${scriptaddr}=0x83000000

Here is the fatload command:

https://github.com/frank-w/u-boot/blob/60bc4075c7744e36058fcba76cd6e6c3a4002265/uEnv.txt#L22

Working before, 0x81000000 and some higher values

HTH

regards Frank

> Sent: Saturday, 01 December 2018 at 10:25
> From: "Simon Goldschmidt" <simon.k.r.goldschmidt at gmail.com>
> To: "Frank Wunderlich" <frank-w at public-files.de>
> Cc: "U-Boot Mailing List" <u-boot at lists.denx.de>
> Subject: Re: [U-Boot] [PATCH v4 0/7] Fix CVE-2018-18440 and CVE-2018-18439
>
> On Fri, Nov 30, 2018 at 6:51 PM Frank Wunderlich
> <frank-w at public-files.de> wrote:
> >
> > Hi Simon,
> >
> > After applying this patch series I cannot load to any address (fatload). Do I need any additional patch ("fdt: parse "reserved-memory" for memory reservation" sounds like that)? Maybe there should be a fallback if no reservation is defined.
> 
> No, you should not need additional patches. The code makes use of
> "lmb" memory allocation just like the "bootm" code does. The "memory
> reservation" patch you cited only ensures that memory which is marked
> as reserved in the fdt cannot be overwritten by load.
> 
> If it doesn't work for you at all, the available memory is probably
> not described correctly. Could you check the values of the following
> defines (or if they are defined at all):
> - CONFIG_SYS_SDRAM_BASE
> - CONFIG_ARM
> - CONFIG_NR_DRAM_BANKS
> 
> I might need to improve the DRAM detection code in v5 (which is still
> pending as I am working on lmb tests).
> 
> Regards,
> Simon
> 
> >
> > regards Frank
> >
> > > Sent: Saturday, 24 November 2018 at 15:11
> > > From: "Simon Goldschmidt" <simon.k.r.goldschmidt at gmail.com>
> > > To: "Tom Rini" <trini at konsulko.com>, u-boot at lists.denx.de, "Joe Hershberger" <joe.hershberger at ni.com>
> > > Cc: "Alexey Brodkin" <Alexey.Brodkin at synopsys.com>, "Heinrich Schuchardt" <xypron.glpk at gmx.de>, "Michal Simek" <michal.simek at xilinx.com>, "Alexander Graf" <agraf at suse.de>, "Andrea Barisani" <andrea.barisani at f-secure.com>
> > > Subject: [U-Boot] [PATCH v4 0/7] Fix CVE-2018-18440 and CVE-2018-18439
> > >
> > > This series fixes CVE-2018-18440 ("insufficient boundary checks in
> > > filesystem image load") by adding restrictions to the 'load'
> > > command and fixes CVE-2018-18439 ("insufficient boundary checks in
> > > network image boot") by adding restrictions to the tftp code.
> > > The functions from lmb.c are used to set up regions of allowed and
> > > reserved memory. Then, the file size to load is checked against these
> > > addresses and loading the file is aborted if it would overwrite
> > > reserved memory.
> > >
> > > The memory reservation code is reused from bootm/image.
> > >
> > > Changes in v4:
> > > - fixed invalid 'if' statement without braces in boot_fdt_reserve_region
> > > - removed patch 7 ("net: remove CONFIG_MCAST_TFTP"), adapted patch 8
> > >
> > > Changes in v3:
> > > - No patch changes, but needed to resend since patman added too many cc
> > >   addresses that gmail seemed to detect as spam :-(
> > >
> > > Changes in v2:
> > > - added code to reserve devicetree reserved-memory in lmb
> > > - added tftp fixes (patches 7 and 8)
> > > - fixed a bug in new function lmb_alloc_addr
> > >
> > > Simon Goldschmidt (7):
> > >   lib: lmb: reserving overlapping regions should fail
> > >   fdt: parse "reserved-memory" for memory reservation
> > >   lib: lmb: extend lmb for checks at load time
> > >   fs: prevent overwriting reserved memory
> > >   bootm: use new common function lmb_init_and_reserve
> > >   lmb: remove unused extern declaration
> > >   tftp: prevent overwriting reserved memory
> > >
> > >  common/bootm.c     |  8 ++----
> > >  common/image-fdt.c | 53 +++++++++++++++++++++++++++++------
> > >  fs/fs.c            | 56 +++++++++++++++++++++++++++++++++++--
> > >  include/lmb.h      |  7 +++--
> > >  lib/lmb.c          | 69 ++++++++++++++++++++++++++++++++++++++++++++++
> > >  net/tftp.c         | 66 ++++++++++++++++++++++++++++++++++++++------
> > >  6 files changed, 231 insertions(+), 28 deletions(-)
> > >
> > > --
> > > 2.17.1
> > >
> 
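
The check the cover letter describes, and the failure mode discussed in this thread, as an added example in C (not U-Boot's lmb code and not part of the original mails). The struct and function names are hypothetical, and the bank size and reserved region are constructed; only the 0x80000000 base and the 0x83000000 load address come from the thread. With no DRAM bank registered, every load is refused regardless of address.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model of an lmb-style memory map; all names are hypothetical. */
struct region { uint64_t base, size; };
struct mem_map {
    const struct region *avail; size_t n_avail;   /* usable DRAM banks */
    const struct region *resv;  size_t n_resv;    /* regions a load must not touch */
};

/* Constructed sample data: only the 0x80000000 base comes from the thread. */
static const struct region ram[]      = { { 0x80000000ULL, 0x40000000ULL } };
static const struct region reserved[] = { { 0xBFF00000ULL, 0x00100000ULL } };
static const struct mem_map described   = { ram,  1, reserved, 1 };
static const struct mem_map undescribed = { NULL, 0, reserved, 1 }; /* no bank registered */

/* True if [addr, addr+len) lies entirely inside r, without overflowing. */
static bool inside(const struct region *r, uint64_t addr, uint64_t len)
{
    return addr >= r->base && len <= r->size && addr - r->base <= r->size - len;
}

/* True if [addr, addr+len) intersects r, without overflowing. */
static bool overlaps(const struct region *r, uint64_t addr, uint64_t len)
{
    return len && r->size &&
           (addr < r->base ? r->base - addr < len : addr - r->base < r->size);
}

/* A load is allowed only inside known RAM and clear of every reservation. */
bool load_allowed(const struct mem_map *m, uint64_t addr, uint64_t len)
{
    bool in_ram = false;
    for (size_t i = 0; i < m->n_avail && !in_ram; i++)
        in_ram = inside(&m->avail[i], addr, len);
    if (!in_ram)
        return false;
    for (size_t i = 0; i < m->n_resv; i++)
        if (overlaps(&m->resv[i], addr, len))
            return false;
    return true;
}

int main(void)
{
    /* Exit 0 when the described map accepts the load and the empty map refuses it. */
    return !(load_allowed(&described, 0x83000000ULL, 0x800000) &&
             !load_allowed(&undescribed, 0x83000000ULL, 0x800000));
}
```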

