[U-Boot] [PATCH v4 0/7] Fix CVE-2018-18440 and CVE-2018-18439

Simon Goldschmidt simon.k.r.goldschmidt at gmail.com
Wed Dec 5 14:25:49 UTC 2018


On 05.12.2018 at 15:20, Frank Wunderlich wrote:
> Hi Simon,
> 
> Have you any new info here? Last discussion is for v3...

I'm working on it. The bug you get is in lmb.c (and has been there for a 
long time). It is rather hidden by the way the lmb functions are used 
when booting, but it shows in my new usage.

I'll post v4 soon, hopefully.

Regards,
Simon

> 
> regards Frank
> 
>> Sent: Sunday, 02 December 2018 at 18:44
>> From: "Frank Wunderlich" <frank-w at public-files.de>
>> To: "Simon Goldschmidt" <simon.k.r.goldschmidt at gmail.com>
>> Cc: u-boot at lists.denx.de
>> Subject: Re: [U-Boot] [PATCH v4 0/7] Fix CVE-2018-18440 and CVE-2018-18439
>>
>> Right, I test on bananapi-r2: 2 GB RAM with 0x80000000 base address
>>
>> Seems you need (unsigned) int64 for calculations
>>
>> On 2 December 2018 18:14:19 CET, Simon Goldschmidt <simon.k.r.goldschmidt at gmail.com> wrote:
>>> On 02.12.2018 at 16:48, Frank Wunderlich wrote:
>>>> lmb_init: base: 0x80000000, size: 0x80000000
>>>
>>> Ok, so I don't know your board, is that correct? Do you have 2 GByte
>>> starting at 0x80000000?
>>>
>>> If so, that would result in an overflow to 0 on a 32-bit platform and
>>> would explain why it doesn't work.
>>>
>>> This is a perfect input for a test case :-)
>>>
>>> Thanks,
>>> Simon
>>>
>>>>
>>>> https://github.com/frank-w/u-boot/commit/e0763252a8e135f00b996fbda7bb1067a192ca53
>>>>
>>>> Regards Frank
>>>>
>>>>> Sent: Sunday, 02 December 2018 at 10:24
>>>>> From: "Simon Goldschmidt" <simon.k.r.goldschmidt at gmail.com>
>>>>> To: "Frank Wunderlich" <frank-w at public-files.de>
>>>>> Cc: u-boot at lists.denx.de
>>>>> Subject: Re: [U-Boot] [PATCH v4 0/7] Fix CVE-2018-18440 and
>>>>> CVE-2018-18439
>>>>>
>>>>> On 01.12.2018 at 12:07, Frank Wunderlich wrote:
>>>>>> forgot error-message and detailed command:
>>>>>>
>>>>>> fatload ${device} ${partition} ${scriptaddr} ${bpi}/${board}/${service}/${bootenv}
>>>>>> ** Reading file would overwrite reserved memory **
>>>>>> echo ${device} ${partition} ${scriptaddr} ${bpi}/${board}/${service}/${bootenv}
>>>>>> mmc 1:1 0x83000000 bananapi/bpi-r2/linux/uEnv.txt
>>>>>>
>>>>>> File exists (I checked with test), but fatload failed; after
>>>>>> reverting the patches the same command works
>>>>>
>>>>> Hmm, ok. With your configuration, I thought
>>>>> 'gd->bd->bi_dram[0].start' and 'gd->bd->bi_dram[0].size' should be
>>>>> populated and correctly describe your DRAM.
>>>>>
>>>>> Could you try adding this printf code to the function
>>>>> 'lmb_init_and_reserve':
>>>>>
>>>>> 	printf("lmb_init: base: 0x%x, size: 0x%x\n", base, size);
>>>>>
>>>>> and check if this correctly describes your memory?
>>>>>
>>>>> Thanks,
>>>>> Simon
>>>>>
>>>>>>
>>>>>> regards Frank
>>>>>>
>>>>>>> Sent: Saturday, 01 December 2018 at 10:46
>>>>>>> From: "Frank Wunderlich" <frank-w at public-files.de>
>>>>>>> To: "Simon Goldschmidt" <simon.k.r.goldschmidt at gmail.com>
>>>>>>> Cc: u-boot at lists.denx.de
>>>>>>> Subject: Re: [U-Boot] [PATCH v4 0/7] Fix CVE-2018-18440 and
>>>>>>> CVE-2018-18439
>>>>>>>
>>>>>>> Hi Simon
>>>>>>>
>>>>>>> #define CONFIG_SYS_SDRAM_BASE		0x80000000
>>>>>>>
>>>>>>> https://github.com/frank-w/u-boot/blob/a6d0c3f8e992a2e428f05443647fe9f5b13f8634/include/configs/mt7623.h#L47
>>>>>>>
>>>>>>> CONFIG_ARM=y
>>>>>>> CONFIG_NR_DRAM_BANKS=1
>>>>>>>
>>>>>>> https://github.com/frank-w/u-boot/blob/a6d0c3f8e992a2e428f05443647fe9f5b13f8634/configs/mt7623n_bpir2_defconfig#L7
>>>>>>>
>>>>>>> I applied the patch series on top of my 2018-11 final (currently
>>>>>>> removed from github)
>>>>>>>
>>>>>>> https://github.com/frank-w/u-boot/tree/bpi-r2_v5
>>>>>>>
>>>>>>> tried ${scriptaddr}=0x83000000
>>>>>>>
>>>>>>> here the fatload-command:
>>>>>>>
>>>>>>> https://github.com/frank-w/u-boot/blob/60bc4075c7744e36058fcba76cd6e6c3a4002265/uEnv.txt#L22
>>>>>>>
>>>>>>> working before, 0x81000000 and some higher values
>>>>>>>
>>>>>>> HTH
>>>>>>>
>>>>>>> regards Frank
>>>>>>>
>>>>>>>> Sent: Saturday, 01 December 2018 at 10:25
>>>>>>>> From: "Simon Goldschmidt" <simon.k.r.goldschmidt at gmail.com>
>>>>>>>> To: "Frank Wunderlich" <frank-w at public-files.de>
>>>>>>>> Cc: "U-Boot Mailing List" <u-boot at lists.denx.de>
>>>>>>>> Subject: Re: [U-Boot] [PATCH v4 0/7] Fix CVE-2018-18440 and
>>>>>>>> CVE-2018-18439
>>>>>>>>
>>>>>>>> On Fri, Nov 30, 2018 at 6:51 PM Frank Wunderlich
>>>>>>>> <frank-w at public-files.de> wrote:
>>>>>>>>>
>>>>>>>>> Hi Simon,
>>>>>>>>>
>>>>>>>>> after applying this patch series I cannot load to any address
>>>>>>>>> (fatload). Do I need any additional patch ("fdt: parse
>>>>>>>>> "reserved-memory" for memory reservation" sounds like that)? Maybe
>>>>>>>>> there should be a fallback if no reservation is defined.
>>>>>>>>
>>>>>>>> No, you should not need additional patches. The code makes use of
>>>>>>>> "lmb" memory allocation just like the "bootm" code does. The
>>>>>>>> "memory reservation" patch you cited only ensures that memory which
>>>>>>>> is marked as reserved in the fdt cannot be overwritten by load.
>>>>>>>>
>>>>>>>> If it doesn't work for you at all, the available memory is probably
>>>>>>>> not described correctly. Could you check the values of the
>>>>>>>> following defines (or if they are defined at all):
>>>>>>>> - CONFIG_SYS_SDRAM_BASE
>>>>>>>> - CONFIG_ARM
>>>>>>>> - CONFIG_NR_DRAM_BANKS
>>>>>>>>
>>>>>>>> I might need to improve the DRAM detection code in v5 (which is
>>>>>>>> still pending as I am working on lmb tests).
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Simon
>>>>>>>>
>>>>>>>>>
>>>>>>>>> regards Frank
>>>>>>>>>
>>>>>>>>>> Sent: Saturday, 24 November 2018 at 15:11
>>>>>>>>>> From: "Simon Goldschmidt" <simon.k.r.goldschmidt at gmail.com>
>>>>>>>>>> To: "Tom Rini" <trini at konsulko.com>, u-boot at lists.denx.de,
>>>>>>>>>> "Joe Hershberger" <joe.hershberger at ni.com>
>>>>>>>>>> Cc: "Alexey Brodkin" <Alexey.Brodkin at synopsys.com>,
>>>>>>>>>> "Heinrich Schuchardt" <xypron.glpk at gmx.de>,
>>>>>>>>>> "Michal Simek" <michal.simek at xilinx.com>,
>>>>>>>>>> "Alexander Graf" <agraf at suse.de>,
>>>>>>>>>> "Andrea Barisani" <andrea.barisani at f-secure.com>
>>>>>>>>>> Subject: [U-Boot] [PATCH v4 0/7] Fix CVE-2018-18440 and
>>>>>>>>>> CVE-2018-18439
>>>>>>>>>>
>>>>>>>>>> This series fixes CVE-2018-18440 ("insufficient boundary checks
>>>>>>>>>> in filesystem image load") by adding restrictions to the 'load'
>>>>>>>>>> command and fixes CVE-2018-18439 ("insufficient boundary checks
>>>>>>>>>> in network image boot") by adding restrictions to the tftp code.
>>>>>>>>>> The functions from lmb.c are used to set up regions of allowed
>>>>>>>>>> and reserved memory. Then, the file size to load is checked
>>>>>>>>>> against these addresses and loading the file is aborted if it
>>>>>>>>>> would overwrite reserved memory.
>>>>>>>>>>
>>>>>>>>>> The memory reservation code is reused from bootm/image.
>>>>>>>>>>
>>>>>>>>>> Changes in v4:
>>>>>>>>>> - fixed invalid 'if' statement without braces in
>>>>>>>>>>   boot_fdt_reserve_region
>>>>>>>>>> - removed patch 7 ("net: remove CONFIG_MCAST_TFTP"), adapted
>>>>>>>>>>   patch 8
>>>>>>>>>>
>>>>>>>>>> Changes in v3:
>>>>>>>>>> - No patch changes, but needed to resend since patman added too
>>>>>>>>>>   many cc addresses that gmail seemed to detect as spam :-(
>>>>>>>>>>
>>>>>>>>>> Changes in v2:
>>>>>>>>>> - added code to reserve devicetree reserved-memory in lmb
>>>>>>>>>> - added tftp fixes (patches 7 and 8)
>>>>>>>>>> - fixed a bug in new function lmb_alloc_addr
>>>>>>>>>>
>>>>>>>>>> Simon Goldschmidt (7):
>>>>>>>>>>      lib: lmb: reserving overlapping regions should fail
>>>>>>>>>>      fdt: parse "reserved-memory" for memory reservation
>>>>>>>>>>      lib: lmb: extend lmb for checks at load time
>>>>>>>>>>      fs: prevent overwriting reserved memory
>>>>>>>>>>      bootm: use new common function lmb_init_and_reserve
>>>>>>>>>>      lmb: remove unused extern declaration
>>>>>>>>>>      tftp: prevent overwriting reserved memory
>>>>>>>>>>
>>>>>>>>>>     common/bootm.c     |  8 ++----
>>>>>>>>>>     common/image-fdt.c | 53 +++++++++++++++++++++++++++++------
>>>>>>>>>>     fs/fs.c            | 56 +++++++++++++++++++++++++++++++++++--
>>>>>>>>>>     include/lmb.h      |  7 +++--
>>>>>>>>>>     lib/lmb.c          | 69 ++++++++++++++++++++++++++++++++++++++++++++++
>>>>>>>>>>     net/tftp.c         | 66 ++++++++++++++++++++++++++++++++++++++------
>>>>>>>>>>     6 files changed, 231 insertions(+), 28 deletions(-)
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> 2.17.1
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> U-Boot mailing list
>>>>>>>>>> U-Boot at lists.denx.de
>>>>>>>>>> https://lists.denx.de/listinfo/u-boot
>>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>
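As an added illustration of the 32-bit wrap Simon describes above (this is not code from the series or from lmb.c; it assumes a 32-bit phys_addr_t as on the ARM board in the thread, and the function names are constructed), the naive end-of-region check beside a wrap-safe one:

```c
#include <stdbool.h>
#include <stdint.h>

/*
 * Constructed illustration (not lmb.c code): on a 32-bit platform the
 * physical address type is 32 bits wide, so base + size wraps to 0 for
 * a 2 GiB bank starting at 0x80000000, as in the lmb_init output above.
 */
typedef uint32_t phys_addr_t;
typedef uint32_t phys_size_t;

/* Naive end-of-region computation: 0x80000000 + 0x80000000 == 0 here. */
phys_addr_t region_end_naive(phys_addr_t base, phys_size_t size)
{
	return base + size;
}

/* Same sum carried out in 64 bits, as Frank suggests: 0x100000000. */
uint64_t region_end_u64(phys_addr_t base, phys_size_t size)
{
	return (uint64_t)base + size;
}

/*
 * Naive "does [addr, addr+len) lie inside [base, base+size)?" check.
 * Both sums can wrap, so it rejects valid loads (the fatload failure
 * in the thread) and can also accept loads that run past 4 GiB.
 */
bool load_fits_naive(phys_addr_t base, phys_size_t size,
		     phys_addr_t addr, phys_size_t len)
{
	return addr >= base && addr + len <= base + size;
}

/*
 * Wrap-safe version: work with offsets from base and compare sizes,
 * never forming base + size or addr + len.
 */
bool load_fits_safe(phys_addr_t base, phys_size_t size,
		    phys_addr_t addr, phys_size_t len)
{
	if (addr < base)
		return false;
	phys_size_t off = addr - base;	/* cannot wrap: addr >= base */
	if (off > size)
		return false;
	return len <= size - off;	/* room left after addr */
}
```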


