[U-Boot] [PATCH v4 0/7] Fix CVE-2018-18440 and CVE-2018-18439

Frank Wunderlich frank-w at public-files.de
Sun Dec 2 17:44:28 UTC 2018


Right, I test on bananapi-r2: 2 GB RAM with 0x80000000 base address.

Seems you need (unsigned) int64 for calculations

On 2 December 2018 18:14:19 CET, Simon Goldschmidt <simon.k.r.goldschmidt at gmail.com> wrote:
>On 02.12.2018 at 16:48, Frank Wunderlich wrote:
>> lmb_init: base: 0x80000000, size: 0x80000000
>
>Ok, so I don't know your board, is that correct? Do you have 2 GByte 
>starting at 0x80000000?
>
>If so, that would result in an overflow to 0 on a 32-bit platform and 
>would explain why it doesn't work.
>
>This is a perfect input for a test case :-)
>
>Thanks,
>Simon
>
>>
>> https://github.com/frank-w/u-boot/commit/e0763252a8e135f00b996fbda7bb1067a192ca53
>> 
>> Regards Frank
>> 
>>> Sent: Sunday, 02 December 2018 at 10:24
>>> From: "Simon Goldschmidt" <simon.k.r.goldschmidt at gmail.com>
>>> To: "Frank Wunderlich" <frank-w at public-files.de>
>>> Cc: u-boot at lists.denx.de
>>> Subject: Re: [U-Boot] [PATCH v4 0/7] Fix CVE-2018-18440 and CVE-2018-18439
>>>
>>> On 01.12.2018 at 12:07, Frank Wunderlich wrote:
>>>> forgot error-message and detailed command:
>>>>
>>>> fatload ${device} ${partition} ${scriptaddr} ${bpi}/${board}/${service}/${bootenv}
>>>> ** Reading file would overwrite reserved memory **
>>>> echo ${device} ${partition} ${scriptaddr} ${bpi}/${board}/${service}/${bootenv}
>>>> mmc 1:1 0x83000000 bananapi/bpi-r2/linux/uEnv.txt
>>>>
>>>> The file exists (I checked with test), but fatload failed; after reverting the patches the same command works.
>>>
>>> Hmm, ok. With your configuration, I thought 'gd->bd->bi_dram[0].start'
>>> and 'gd->bd->bi_dram[0].size' should be populated and correctly describe
>>> your DRAM.
>>>
>>> Could you try adding this printf code to the function
>>> 'lmb_init_and_reserve':
>>>
>>> 	printf("lmb_init: base: 0x%x, size: 0x%x\n", base, size);
>>>
>>> and check if this correctly describes your memory?
>>>
>>> Thanks,
>>> Simon
>>>
>>>>
>>>> regards Frank
>>>>
>>>>> Sent: Saturday, 01 December 2018 at 10:46
>>>>> From: "Frank Wunderlich" <frank-w at public-files.de>
>>>>> To: "Simon Goldschmidt" <simon.k.r.goldschmidt at gmail.com>
>>>>> Cc: u-boot at lists.denx.de
>>>>> Subject: Re: [U-Boot] [PATCH v4 0/7] Fix CVE-2018-18440 and CVE-2018-18439
>>>>>
>>>>> Hi Simon
>>>>>
>>>>> #define CONFIG_SYS_SDRAM_BASE		0x80000000
>>>>>
>>>>> https://github.com/frank-w/u-boot/blob/a6d0c3f8e992a2e428f05443647fe9f5b13f8634/include/configs/mt7623.h#L47
>>>>>
>>>>> CONFIG_ARM=y
>>>>> CONFIG_NR_DRAM_BANKS=1
>>>>> https://github.com/frank-w/u-boot/blob/a6d0c3f8e992a2e428f05443647fe9f5b13f8634/configs/mt7623n_bpir2_defconfig#L7
>>>>>
>>>>> I applied the patch series on top of my 2018-11 final (currently removed from github)
>>>>>
>>>>> https://github.com/frank-w/u-boot/tree/bpi-r2_v5
>>>>>
>>>>> tried ${scriptaddr}=0x83000000
>>>>>
>>>>> here the fatload-command:
>>>>>
>>>>> https://github.com/frank-w/u-boot/blob/60bc4075c7744e36058fcba76cd6e6c3a4002265/uEnv.txt#L22
>>>>>
>>>>> working before, 0x81000000 and some higher values
>>>>>
>>>>> HTH
>>>>>
>>>>> regards Frank
>>>>>
>>>>>> Sent: Saturday, 01 December 2018 at 10:25
>>>>>> From: "Simon Goldschmidt" <simon.k.r.goldschmidt at gmail.com>
>>>>>> To: "Frank Wunderlich" <frank-w at public-files.de>
>>>>>> Cc: "U-Boot Mailing List" <u-boot at lists.denx.de>
>>>>>> Subject: Re: [U-Boot] [PATCH v4 0/7] Fix CVE-2018-18440 and CVE-2018-18439
>>>>>>
>>>>>> On Fri, Nov 30, 2018 at 6:51 PM Frank Wunderlich
>>>>>> <frank-w at public-files.de> wrote:
>>>>>>>
>>>>>>> Hi Simon,
>>>>>>>
>>>>>>> after applying this patch series I cannot load to any address (fatload). Do I need any additional patch ("fdt: parse "reserved-memory" for memory reservation" sounds like that)? Maybe there should be a fallback if no reservation is defined.
>>>>>>
>>>>>> No, you should not need additional patches. The code makes use of
>>>>>> "lmb" memory allocation just like the "bootm" code does. The "memory
>>>>>> reservation" patch you cited only ensures that memory which is marked
>>>>>> as reserved in the fdt cannot be overwritten by load.
>>>>>>
>>>>>> If it doesn't work for you at all, the available memory is probably
>>>>>> not described correctly. Could you check the values of the following
>>>>>> defines (or if they are defined at all):
>>>>>> - CONFIG_SYS_SDRAM_BASE
>>>>>> - CONFIG_ARM
>>>>>> - CONFIG_NR_DRAM_BANKS
>>>>>>
>>>>>> I might need to improve the DRAM detection code in v5 (which is still
>>>>>> pending as I am working on lmb tests).
>>>>>>
>>>>>> Regards,
>>>>>> Simon
>>>>>>
>>>>>>>
>>>>>>> regards Frank
>>>>>>>
>>>>>>>> Sent: Saturday, 24 November 2018 at 15:11
>>>>>>>> From: "Simon Goldschmidt" <simon.k.r.goldschmidt at gmail.com>
>>>>>>>> To: "Tom Rini" <trini at konsulko.com>, u-boot at lists.denx.de, "Joe Hershberger" <joe.hershberger at ni.com>
>>>>>>>> Cc: "Alexey Brodkin" <Alexey.Brodkin at synopsys.com>, "Heinrich Schuchardt" <xypron.glpk at gmx.de>, "Michal Simek" <michal.simek at xilinx.com>, "Alexander Graf" <agraf at suse.de>, "Andrea Barisani" <andrea.barisani at f-secure.com>
>>>>>>>> Subject: [U-Boot] [PATCH v4 0/7] Fix CVE-2018-18440 and CVE-2018-18439
>>>>>>>>
>>>>>>>> This series fixes CVE-2018-18440 ("insufficient boundary checks in
>>>>>>>> filesystem image load") by adding restrictions to the 'load'
>>>>>>>> command and fixes CVE-2018-18439 ("insufficient boundary checks in
>>>>>>>> network image boot") by adding restrictions to the tftp code.
>>>>>>>> The functions from lmb.c are used to setup regions of allowed and
>>>>>>>> reserved memory. Then, the file size to load is checked against these
>>>>>>>> addresses and loading the file is aborted if it would overwrite
>>>>>>>> reserved memory.
>>>>>>>>
>>>>>>>> The memory reservation code is reused from bootm/image.
>>>>>>>>
>>>>>>>> Changes in v4:
>>>>>>>> - fixed invalid 'if' statement without braces in boot_fdt_reserve_region
>>>>>>>> - removed patch 7 ("net: remove CONFIG_MCAST_TFTP), adapted patch 8
>>>>>>>>
>>>>>>>> Changes in v3:
>>>>>>>> - No patch changes, but needed to resend since patman added too many cc
>>>>>>>>     addresses that gmail seemed to detect as spam :-(
>>>>>>>>
>>>>>>>> Changes in v2:
>>>>>>>> - added code to reserve devicetree reserved-memory in lmb
>>>>>>>> - added tftp fixes (patches 7 and 8)
>>>>>>>> - fixed a bug in new function lmb_alloc_addr
>>>>>>>>
>>>>>>>> Simon Goldschmidt (7):
>>>>>>>>     lib: lmb: reserving overlapping regions should fail
>>>>>>>>     fdt: parse "reserved-memory" for memory reservation
>>>>>>>>     lib: lmb: extend lmb for checks at load time
>>>>>>>>     fs: prevent overwriting reserved memory
>>>>>>>>     bootm: use new common function lmb_init_and_reserve
>>>>>>>>     lmb: remove unused extern declaration
>>>>>>>>     tftp: prevent overwriting reserved memory
>>>>>>>>
>>>>>>>>    common/bootm.c     |  8 ++----
>>>>>>>>    common/image-fdt.c | 53 +++++++++++++++++++++++++++++------
>>>>>>>>    fs/fs.c            | 56 +++++++++++++++++++++++++++++++++++--
>>>>>>>>    lib/lmb.c          | 69 ++++++++++++++++++++++++++++++++++++++++++++++
>>>>>>>>    net/tftp.c         | 66 ++++++++++++++++++++++++++++++++++++++------
>>>>>>>>    6 files changed, 231 insertions(+), 28 deletions(-)
>>>>>>>>
>>>>>>>> --
>>>>>>>> 2.17.1
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> U-Boot mailing list
>>>>>>>> U-Boot at lists.denx.de
>>>>>>>> https://lists.denx.de/listinfo/u-boot
>>>>>>>>

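The overflow Simon points out above (a 2 GB bank at 0x80000000 whose end address, base + size, wraps to 0 in 32-bit arithmetic, so every load is rejected), as an added example that is not part of this thread or of U-Boot's code. It assumes a 32-bit physical address type on the board and uses hypothetical names (`phys32_t`, `load_fits_naive`, `load_fits_wide`); the second constructed case shows the mirror-image failure, where wrapping makes an out-of-bank load look acceptable, which is exactly what the widened arithmetic prevents:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not U-Boot code. Models the end-address overflow from the
 * thread: on a 32-bit build the physical address type is 32 bits wide, so a
 * 2 GB bank at 0x80000000 ends at 0x1_0000_0000, which does not fit and wraps
 * to 0. Range checks built on that value then reject every load, or, for a
 * load near the top of the address space, accept one that is out of bounds.
 * All names below are hypothetical.
 */
typedef uint32_t phys32_t;

/* End of [base, base + size) in 32-bit arithmetic: wraps for this layout. */
phys32_t region_end_naive(phys32_t base, phys32_t size)
{
	return base + size;
}

/* Same computation widened to 64 bits, as suggested in the thread. */
uint64_t region_end_wide(phys32_t base, phys32_t size)
{
	return (uint64_t)base + size;
}

/* Naive "does [addr, addr + len) lie inside the bank?" check. */
bool load_fits_naive(phys32_t base, phys32_t size, phys32_t addr, phys32_t len)
{
	phys32_t end = base + size;     /* may wrap to 0 */
	phys32_t load_end = addr + len; /* may wrap as well */

	return addr >= base && load_end <= end;
}

/* Overflow-safe version: widen before adding so nothing can wrap. */
bool load_fits_wide(phys32_t base, phys32_t size, phys32_t addr, phys32_t len)
{
	uint64_t end = (uint64_t)base + size;
	uint64_t load_end = (uint64_t)addr + len;

	return addr >= base && load_end <= end;
}

int main(void)
{
	/* Constructed from the thread: 2 GB at 0x80000000, fatload to 0x83000000. */
	phys32_t base = 0x80000000u, size = 0x80000000u;
	phys32_t addr = 0x83000000u, len = 0x1000u;

	printf("naive end: 0x%08x, wide end: 0x%llx\n",
	       region_end_naive(base, size),
	       (unsigned long long)region_end_wide(base, size));
	printf("load at 0x%08x: naive says %s, wide says %s\n", addr,
	       load_fits_naive(base, size, addr, len) ? "fits" : "rejected",
	       load_fits_wide(base, size, addr, len) ? "fits" : "rejected");
	return 0;
}
```

The printf in the quoted reply would show base 0x80000000 and size 0x80000000 on this board; whichever lmb routine adds them in the address type must either use the wider type or compare against `base + (size - 1)` instead of the exclusive end, otherwise the reserved-memory check cannot distinguish "fits" from "wrapped".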
