[U-Boot] [PATCH v4 0/7] Fix CVE-2018-18440 and CVE-2018-18439
Simon Goldschmidt
simon.k.r.goldschmidt at gmail.com
Sun Dec 2 09:24:32 UTC 2018
Am 01.12.2018 um 12:07 schrieb Frank Wunderlich:
> forgot error-message and detailed command:
>
> fatload ${device} ${partition} ${scriptaddr} ${bpi}/${board}/${service}/${bootenv}
> ** Reading file would overwrite reserved memory **
> echo ${device} ${partition} ${scriptaddr} ${bpi}/${board}/${service}/${bootenv}
> mmc 1:1 0x83000000 bananapi/bpi-r2/linux/uEnv.txt
>
> file exists i checked with test, but fatload failed, after reverting the Patches same command works
Hmm, ok. With your configuration, I thought 'gd->bd->bi_dram[0].start'
and 'gd->bd->bi_dram[0].size' should be populated and correctly describe
your DRAM.
Could you try adding this printf code to the function
'lmb_init_and_reserve':
printf("lmb_init: base: 0x%x, size: 0x%x\n", base, size);
and check if this correctly describes your memory?
Thanks,
Simon
>
> regards Frank
>
>> Gesendet: Samstag, 01. Dezember 2018 um 10:46 Uhr
>> Von: "Frank Wunderlich" <frank-w at public-files.de>
>> An: "Simon Goldschmidt" <simon.k.r.goldschmidt at gmail.com>
>> Cc: u-boot at lists.denx.de
>> Betreff: Re: [U-Boot] [PATCH v4 0/7] Fix CVE-2018-18440 and CVE-2018-18439
>>
>> Hi Simon
>>
>> #define CONFIG_SYS_SDRAM_BASE 0x80000000
>>
>> https://github.com/frank-w/u-boot/blob/a6d0c3f8e992a2e428f05443647fe9f5b13f8634/include/configs/mt7623.h#L47
>>
>> CONFIG_ARM=y
>> CONFIG_NR_DRAM_BANKS=1
>> https://github.com/frank-w/u-boot/blob/a6d0c3f8e992a2e428f05443647fe9f5b13f8634/configs/mt7623n_bpir2_defconfig#L7
>>
>> i applied the patch-series on top of my 2018-11 final (currently removed from github)
>>
>> https://github.com/frank-w/u-boot/tree/bpi-r2_v5
>>
>> tried ${scriptaddr}=0x83000000
>>
>> here the fatload-command:
>>
>> https://github.com/frank-w/u-boot/blob/60bc4075c7744e36058fcba76cd6e6c3a4002265/uEnv.txt#L22
>>
>> working before, 0x81000000 and some higher values
>>
>> HTH
>>
>> regards Frank
>>
>>> Gesendet: Samstag, 01. Dezember 2018 um 10:25 Uhr
>>> Von: "Simon Goldschmidt" <simon.k.r.goldschmidt at gmail.com>
>>> An: "Frank Wunderlich" <frank-w at public-files.de>
>>> Cc: "U-Boot Mailing List" <u-boot at lists.denx.de>
>>> Betreff: Re: [U-Boot] [PATCH v4 0/7] Fix CVE-2018-18440 and CVE-2018-18439
>>>
>>> On Fri, Nov 30, 2018 at 6:51 PM Frank Wunderlich
>>> <frank-w at public-files.de> wrote:
>>>>
>>>> Hi Simon,
>>>>
>>>> after applying these Patch-series i cannot load to any address (fatload). Do i need any additional Patch ("fdt: parse "reserved-memory" for memory reservation" sounds like that). Maybe there should be a fallback if no reservation is defined.
>>>
>>> No, you should not need additional patches. The code makes use of
>>> "lmb" memory allocation just like the "bootm" code does. The "memory
>>> reservation" patch you cited only ensures that memory which is marked
>>> as reserved in the fdt cannot be overwritten by load.
>>>
>>> If it doesn't work for you at all, the available memory is probably
>>> not described correctly. Could you check the values of the following
>>> defines (or if they are defined at all):
>>> - CONFIG_SYS_SDRAM_BASE
>>> - CONFIG_ARM
>>> - CONFIG_NR_DRAM_BANKS
>>>
>>> I might need to improve the DRAM detection code in v5 (which is still
>>> pending as I am working on lmb tests).
>>>
>>> Regards,
>>> Simon
>>>
>>>>
>>>> regards Frank
>>>>
>>>>> Gesendet: Samstag, 24. November 2018 um 15:11 Uhr
>>>>> Von: "Simon Goldschmidt" <simon.k.r.goldschmidt at gmail.com>
>>>>> An: "Tom Rini" <trini at konsulko.com>, u-boot at lists.denx.de, "Joe Hershberger" <joe.hershberger at ni.com>
>>>>> Cc: "Alexey Brodkin" <Alexey.Brodkin at synopsys.com>, "Heinrich Schuchardt" <xypron.glpk at gmx.de>, "Michal Simek" <michal.simek at xilinx.com>, "Alexander Graf" <agraf at suse.de>, "Andrea Barisani" <andrea.barisani at f-secure.com>
>>>>> Betreff: [U-Boot] [PATCH v4 0/7] Fix CVE-2018-18440 and CVE-2018-18439
>>>>>
>>>>> This series fixes CVE-2018-18440 ("insufficient boundary checks in
>>>>> filesystem image load") by adding restrictions to the 'load'
>>>>> command and fixes CVE-2018-18439 ("insufficient boundary checks in
>>>>> network image boot") by adding restrictions to the tftp code.
>>>>> The functions from lmb.c are used to setup regions of allowed and
>>>>> reserved memory. Then, the file size to load is checked against these
>>>>> addresses and loading the file is aborted if it would overwrite
>>>>> reserved memory.
>>>>>
>>>>> The memory reservation code is reused from bootm/image.
>>>>>
>>>>> Changes in v4:
>>>>> - fixed invalid 'if' statement without braces in boot_fdt_reserve_region
>>>>> - removed patch 7 ("net: remove CONFIG_MCAST_TFTP), adapted patch 8
>>>>>
>>>>> Changes in v3:
>>>>> - No patch changes, but needed to resend since patman added too many cc
>>>>> addresses that gmail seemed to detect as spam :-(
>>>>>
>>>>> Changes in v2:
>>>>> - added code to reserve devicetree reserved-memory in lmb
>>>>> - added tftp fixes (patches 7 and 8)
>>>>> - fixed a bug in new function lmb_alloc_addr
>>>>>
>>>>> Simon Goldschmidt (7):
>>>>> lib: lmb: reserving overlapping regions should fail
>>>>> fdt: parse "reserved-memory" for memory reservation
>>>>> lib: lmb: extend lmb for checks at load time
>>>>> fs: prevent overwriting reserved memory
>>>>> bootm: use new common function lmb_init_and_reserve
>>>>> lmb: remove unused extern declaration
>>>>> tftp: prevent overwriting reserved memory
>>>>>
>>>>> common/bootm.c | 8 ++----
>>>>> common/image-fdt.c | 53 +++++++++++++++++++++++++++++------
>>>>> fs/fs.c | 56 +++++++++++++++++++++++++++++++++++--
>>>>> include/lmb.h | 7 +++--
>>>>> lib/lmb.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++
>>>>> net/tftp.c | 66 ++++++++++++++++++++++++++++++++++++++------
>>>>> 6 files changed, 231 insertions(+), 28 deletions(-)
>>>>>
>>>>> --
>>>>> 2.17.1
>>>>>
>>>>> _______________________________________________
>>>>> U-Boot mailing list
>>>>> U-Boot at lists.denx.de
>>>>> https://lists.denx.de/listinfo/u-boot
>>>>>
>>>
>> _______________________________________________
>> U-Boot mailing list
>> U-Boot at lists.denx.de
>> https://lists.denx.de/listinfo/u-boot
>>
More information about the U-Boot
mailing list