[U-Boot] [PATCH v4 0/7] Fix CVE-2018-18440 and CVE-2018-18439

Simon Goldschmidt simon.k.r.goldschmidt at gmail.com
Sat Dec 1 09:25:20 UTC 2018


On Fri, Nov 30, 2018 at 6:51 PM Frank Wunderlich
<frank-w at public-files.de> wrote:
>
> Hi Simon,
>
> after applying this patch series I cannot load to any address (fatload). Do I need any additional patch ("fdt: parse "reserved-memory" for memory reservation" sounds like that)? Maybe there should be a fallback if no reservation is defined.

No, you should not need additional patches. The code makes use of
"lmb" memory allocation just like the "bootm" code does. The "memory
reservation" patch you cited only ensures that memory which is marked
as reserved in the fdt cannot be overwritten by load.

If it doesn't work for you at all, the available memory is probably
not described correctly. Could you check the values of the following
defines (or if they are defined at all):
- CONFIG_SYS_SDRAM_BASE
- CONFIG_ARM
- CONFIG_NR_DRAM_BANKS

I might need to improve the DRAM detection code in v5 (which is still
pending as I am working on lmb tests).

Regards,
Simon

>
> regards Frank
>
> > Sent: Saturday, 24 November 2018 at 15:11
> > From: "Simon Goldschmidt" <simon.k.r.goldschmidt at gmail.com>
> > To: "Tom Rini" <trini at konsulko.com>, u-boot at lists.denx.de, "Joe Hershberger" <joe.hershberger at ni.com>
> > Cc: "Alexey Brodkin" <Alexey.Brodkin at synopsys.com>, "Heinrich Schuchardt" <xypron.glpk at gmx.de>, "Michal Simek" <michal.simek at xilinx.com>, "Alexander Graf" <agraf at suse.de>, "Andrea Barisani" <andrea.barisani at f-secure.com>
> > Subject: [U-Boot] [PATCH v4 0/7] Fix CVE-2018-18440 and CVE-2018-18439
> >
> > This series fixes CVE-2018-18440 ("insufficient boundary checks in
> > filesystem image load") by adding restrictions to the 'load'
> > command and fixes CVE-2018-18439 ("insufficient boundary checks in
> > network image boot") by adding restrictions to the tftp code.
> > The functions from lmb.c are used to set up regions of allowed and
> > reserved memory. Then, the file size to load is checked against these
> > addresses and loading the file is aborted if it would overwrite
> > reserved memory.
> >
> > The memory reservation code is reused from bootm/image.
> >
> > Changes in v4:
> > - fixed invalid 'if' statement without braces in boot_fdt_reserve_region
> > - removed patch 7 ("net: remove CONFIG_MCAST_TFTP"), adapted patch 8
> >
> > Changes in v3:
> > - No patch changes, but needed to resend since patman added too many cc
> >   addresses that gmail seemed to detect as spam :-(
> >
> > Changes in v2:
> > - added code to reserve devicetree reserved-memory in lmb
> > - added tftp fixes (patches 7 and 8)
> > - fixed a bug in new function lmb_alloc_addr
> >
> > Simon Goldschmidt (7):
> >   lib: lmb: reserving overlapping regions should fail
> >   fdt: parse "reserved-memory" for memory reservation
> >   lib: lmb: extend lmb for checks at load time
> >   fs: prevent overwriting reserved memory
> >   bootm: use new common function lmb_init_and_reserve
> >   lmb: remove unused extern declaration
> >   tftp: prevent overwriting reserved memory
> >
> >  common/bootm.c     |  8 ++----
> >  common/image-fdt.c | 53 +++++++++++++++++++++++++++++------
> >  fs/fs.c            | 56 +++++++++++++++++++++++++++++++++++--
> >  include/lmb.h      |  7 +++--
> >  lib/lmb.c          | 69 ++++++++++++++++++++++++++++++++++++++++++++++
> >  net/tftp.c         | 66 ++++++++++++++++++++++++++++++++++++++------
> >  6 files changed, 231 insertions(+), 28 deletions(-)
> >
> > --
> > 2.17.1
> >
> >
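
The load-time check described in the cover letter (regions of allowed and reserved memory, with the load aborted if it would overwrite reserved memory), modelled as an added stand-alone C example; this is not code from the patch series or from U-Boot. `struct region`, `struct mem_map`, `load_allowed` and all addresses are hypothetical or constructed, and `empty_map` models the situation suggested in the reply, where available memory is not described and so no load address passes the check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of an lmb-style memory map; names are hypothetical, not U-Boot's. */
struct region { uint64_t base, size; };
struct mem_map {
    const struct region *ram;      size_t n_ram;      /* described DRAM banks */
    const struct region *reserved; size_t n_reserved; /* must not be overwritten */
};
/* Constructed sample values: one 1 GiB bank with two reserved areas inside it. */
static const struct region sample_ram[] = { { 0x80000000ULL, 0x40000000ULL } };
static const struct region sample_reserved[] = {
    { 0x88000000ULL, 0x10000ULL }, { 0xBFF00000ULL, 0x100000ULL } };
static const struct mem_map sample_map = { sample_ram, 1, sample_reserved, 2 };
static const struct mem_map empty_map = { NULL, 0, NULL, 0 }; /* no DRAM described */

/* [base, base+size) lies wholly inside r; guarded subtractions only, so no wrap. */
static int contains(const struct region *r, uint64_t base, uint64_t size)
{
    return base >= r->base && size <= r->size && base - r->base <= r->size - size;
}

/* [base, base+size) shares at least one byte with r. */
static int overlaps(const struct region *r, uint64_t base, uint64_t size)
{
    return base < r->base ? r->base - base < size : size && base - r->base < r->size;
}

/* Returns 1 if loading size bytes at addr may proceed, 0 if it must be aborted. */
int load_allowed(const struct mem_map *m, uint64_t addr, uint64_t size)
{
    int in_ram = 0;
    for (size_t i = 0; i < m->n_ram; i++)
        in_ram |= contains(&m->ram[i], addr, size);
    if (!in_ram)
        return 0; /* outside described DRAM, or addr + size would wrap */
    for (size_t i = 0; i < m->n_reserved; i++)
        if (overlaps(&m->reserved[i], addr, size))
            return 0; /* would overwrite reserved memory */
    return 1;
}

int main(void)
{
    printf("free=%d reserved=%d no_dram=%d\n",
           load_allowed(&sample_map, 0x80200000ULL, 0x800000ULL),
           load_allowed(&sample_map, 0x87FFF000ULL, 0x2000ULL),
           load_allowed(&empty_map, 0x80200000ULL, 0x1000ULL));
    return 0;
}
```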
