[U-Boot] [PATCH v3 0/8] Fix CVE-2018-18440 and CVE-2018-18439
Simon Goldschmidt
simon.k.r.goldschmidt at gmail.com
Mon Dec 3 07:50:34 UTC 2018
Simon,
On Tue, Nov 27, 2018 at 6:45 AM Simon Goldschmidt
<simon.k.r.goldschmidt at gmail.com> wrote:
>
> On Tue, Nov 27, 2018 at 2:02 AM Simon Glass <sjg at chromium.org> wrote:
> >
> > Hi Simon,
> >
> > On Sat, 17 Nov 2018 at 05:25, Simon Goldschmidt
> > <simon.k.r.goldschmidt at gmail.com> wrote:
> > >
> > > This series fixes CVE-2018-18440 ("insufficient boundary checks in
> > > filesystem image load") by adding restrictions to the 'load'
> > > command and fixes CVE-2018-18439 ("insufficient boundary checks in
> > > network image boot") by adding restrictions to the tftp code.
> > >
> > > The functions from lmb.c are used to set up regions of allowed and
> > > reserved memory. Then, the file size to load is checked against these
> > > addresses and loading the file is aborted if it would overwrite
> > > reserved memory.
> > >
> > > The memory reservation code is reused from bootm/image.
> > >
> > > Changes in v3:
> > > - No patch changes, but needed to resend since patman added too many cc
> > > addresses that gmail seemed to detect as spam :-(
> > >
> > > Changes in v2:
> > > - added code to reserve devicetree reserved-memory in lmb
> > > - added tftp fixes (patches 7 and 8)
> > > - fixed a bug in new function lmb_alloc_addr
> > >
> > > Simon Goldschmidt (8):
> > > lib: lmb: reserving overlapping regions should fail
> > > fdt: parse "reserved-memory" for memory reservation
> > > lib: lmb: extend lmb for checks at load time
> > > fs: prevent overwriting reserved memory
> > > bootm: use new common function lmb_init_and_reserve
> > > lmb: remove unused extern declaration
> > > net: remove CONFIG_MCAST_TFTP
> > > tftp: prevent overwriting reserved memory
> > >
> > > README | 9 --
> > > common/bootm.c | 8 +-
> > > common/image-fdt.c | 52 ++++++-
> > > drivers/net/rtl8139.c | 9 --
> > > drivers/net/tsec.c | 52 -------
> > > drivers/usb/gadget/ether.c | 3 -
> > > fs/fs.c | 56 ++++++-
> > > include/lmb.h | 7 +-
> > > include/net.h | 17 ---
> > > lib/lmb.c | 69 +++++++++
> > > net/eth-uclass.c | 4 -
> > > net/eth_legacy.c | 46 ------
> > > net/net.c | 9 +-
> > > net/tftp.c | 289 +++++++----------------------------
> > > scripts/config_whitelist.txt | 1 -
> > > 15 files changed, 232 insertions(+), 399 deletions(-)
> >
> > This is great work, but what is missing is a test for lmb.
>
> Yeah, well, the tests didn't work on my system and I figured it's
> better to get the code fixed than to use my time on trying to get the
> tests running.
>
> However, after searching for the required packages and fiddling around
> some more, I guess I made them work so I could add tests now...
>
> I also have work-in-progress for compressing fit image contents (we
> currently only support uncompressing the kernel). It will switch some
> 'lmb_reserve' calls to the new 'lmb_alloc_addr' as this is more safe.
> Maybe I can combine the tests in that series?

After managing to get the tests to run via 'make qcheck' (and 'make
tests'; had to install much more than listed in 'test/py/README.md'),
I tried to add tests to 'test/lib/' (next to hexdump.c), but I failed
to get them to run. Even changing 'test/lib/hexdump.c' to fail did not
produce errors. Are these tests not included in 'make qcheck'?

Regards,
Simon
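
The load-time check described in the quoted cover letter (the size to load is compared against allowed and reserved regions, and the load is aborted if it would overwrite reserved memory), as an added example that is not part of the original mail and is not U-Boot's lmb code. The struct and function names and the sample memory layout are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified region map (not U-Boot's struct lmb). */
struct region { uint64_t base, size; };
struct memmap {
    struct region ram;          /* memory a load may target */
    struct region reserved[8];  /* areas a load must never overwrite */
    size_t nreserved;
};

/* Bytes writable at addr before leaving RAM or reaching a reservation. */
uint64_t map_max_load(const struct memmap *m, uint64_t addr)
{
    uint64_t end = m->ram.base + m->ram.size;

    if (addr < m->ram.base || addr >= end)
        return 0;               /* load address is outside RAM */
    for (size_t i = 0; i < m->nreserved; i++) {
        const struct region *r = &m->reserved[i];
        if (addr >= r->base && addr < r->base + r->size)
            return 0;           /* load address is itself reserved */
        if (r->base > addr && r->base < end)
            end = r->base;      /* stop at the next reservation */
    }
    return end - addr;
}

/* Pre-load check: compare len to the limit; never compute addr + len. */
bool load_allowed(const struct memmap *m, uint64_t addr, uint64_t len)
{
    return len != 0 && len <= map_max_load(m, addr);
}

/* Constructed sample layout: 256 MiB of RAM with two reservations. */
static struct memmap demo = {
    .ram = { 0x80000000u, 0x10000000u },
    .reserved = { { 0x88000000u, 0x200000u }, { 0x8ff00000u, 0x100000u } },
    .nreserved = 2,
};

int main(void)
{
    /* 4 KiB ending exactly at the first reservation fits; one byte more does not. */
    printf("%d %d\n", load_allowed(&demo, 0x87fff000u, 0x1000),
           load_allowed(&demo, 0x87fff000u, 0x1001));
    return 0;
}
```

Comparing the length against the remaining space, rather than testing `addr + len` against an end address, keeps the check correct when an attacker-supplied size is large enough to wrap the sum.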