[U-Boot] [PATCH v7 0/9] Fix CVE-2018-18440 and CVE-2018-18439
Simon Goldschmidt
simon.k.r.goldschmidt at gmail.com
Mon Dec 17 19:48:51 UTC 2018
On 17.12.2018 at 20:06, Simon Goldschmidt wrote:
> This series fixes CVE-2018-18440 ("insufficient boundary checks in
> filesystem image load") by adding restrictions to the 'load'
> command and fixes CVE-2018-18439 ("insufficient boundary checks in
> network image boot") by adding restrictions to the tftp code.
> The functions from lmb.c are used to setup regions of allowed and
> reserved memory. Then, the file size to load is checked against these
> addresses and loading the file is aborted if it would overwrite
> reserved memory.
>
> The memory reservation code is reused from bootm/image.
>
> Changes in v7:
> - add braces around if/else with macros across more than one line
> - fix compiling without CONFIG_FIT
> - fix compiling without CONFIG_LMB
Please ignore v7: I've just found an overflow bug in the ARM port of
'arch_lmb_reserve' that should go in as well. I'm preparing v8.
Regards,
Simon
>
> Changes in v6:
> - fix size of allocated regions that need alignment padding
> - fix compiling without OF_CONTROL
> - fixed NULL pointer access in 'fdt_blob' passed to
> 'boot_fdt_add_mem_rsv_regions'
>
> Changes in v5:
> - added tests for lib/lmb.c
> - fixed bug in lmb.c when ram is at the end of 32-bit address range
> - fixed a bug in lmb_alloc_addr when resulting reserved ranges get
> combined
>
> Changes in v4:
> - fixed invalid 'if' statement without braces in boot_fdt_reserve_region
> - removed patch 7 ("net: remove CONFIG_MCAST_TFTP"), adapted patch 8
>
> Changes in v3:
> - No patch changes, but needed to resend since patman added too many cc
> addresses that gmail seemed to detect as spam :-(
>
> Changes in v2:
> - added code to reserve devicetree reserved-memory in lmb
> - added tftp fixes (patches 7 and 8)
> - fixed a bug in new function lmb_alloc_addr
>
> Simon Goldschmidt (9):
> test: add test for lib/lmb.c
> lmb: fix allocation at end of address range
> lib: lmb: reserving overlapping regions should fail
> fdt: parse "reserved-memory" for memory reservation
> lib: lmb: extend lmb for checks at load time
> fs: prevent overwriting reserved memory
> bootm: use new common function lmb_init_and_reserve
> lmb: remove unused extern declaration
> tftp: prevent overwriting reserved memory
>
> common/bootm.c | 8 +-
> common/image-fdt.c | 53 +++-
> fs/fs.c | 56 ++++-
> include/lmb.h | 7 +-
> lib/Makefile | 1 +
> lib/lmb.c | 106 ++++++--
> net/tftp.c | 73 +++++-
> test/lib/Makefile | 1 +
> test/lib/lmb.c | 601 +++++++++++++++++++++++++++++++++++++++++++++
> 9 files changed, 853 insertions(+), 53 deletions(-)
> create mode 100644 test/lib/lmb.c
>
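The cover letter describes the mechanism only in prose: a table of RAM and reserved regions is built, and a 'load' or tftp transfer is refused if the destination would leave RAM or touch a reserved region. The following is an added illustration of that check, written for this page; it is not U-Boot's lib/lmb.c, and every name in it (mem_map, mem_map_reserve, mem_map_check_load, demo_map) is invented. It deliberately uses 32-bit physical addresses and a RAM bank that ends exactly at 0xFFFFFFFF, the case the v5 changelog mentions, so that the base + size wrap-around the check has to survive is visible. It also mirrors the series' rule that reserving an already-reserved range fails.

```c
/* Illustrative load-time memory check written for this example; it is NOT
 * U-Boot's lib/lmb.c and all names are invented. 32-bit addresses are used so
 * the "RAM ends at 0xFFFFFFFF" wrap case is visible. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t paddr_t;
#define MAX_REGIONS 8

struct region { paddr_t base, size; };
struct mem_map {
	struct region ram[MAX_REGIONS], reserved[MAX_REGIONS];
	size_t nram, nreserved;
};

/* Non-empty and base + size does not wrap. base + size itself would be 0 for
 * a region ending at 0xFFFFFFFF, so the test is phrased with size - 1. */
static bool range_ok(paddr_t base, paddr_t size)
{
	return size != 0 && size - 1 <= UINT32_MAX - base;
}

/* Inclusive last address; only meaningful once range_ok() has passed. */
static paddr_t last(paddr_t base, paddr_t size) { return base + (size - 1); }

static bool overlaps(paddr_t b1, paddr_t s1, paddr_t b2, paddr_t s2)
{
	return b1 <= last(b2, s2) && b2 <= last(b1, s1);
}

static bool within(paddr_t ob, paddr_t os, paddr_t ib, paddr_t is)
{
	return ib >= ob && last(ib, is) <= last(ob, os);
}

static int add_region(struct region *tab, size_t *n, paddr_t base, paddr_t size)
{
	if (!range_ok(base, size) || *n >= MAX_REGIONS)
		return -1;
	tab[*n].base = base;
	tab[(*n)++].size = size;
	return 0;
}

/* Declare a RAM bank that loads may target. */
int mem_map_add_ram(struct mem_map *m, paddr_t base, paddr_t size)
{
	return add_region(m->ram, &m->nram, base, size);
}

/* Mark memory a load must never touch. Overlapping reservations are rejected. */
int mem_map_reserve(struct mem_map *m, paddr_t base, paddr_t size)
{
	if (!range_ok(base, size))
		return -1;
	for (size_t i = 0; i < m->nreserved; i++)
		if (overlaps(base, size, m->reserved[i].base, m->reserved[i].size))
			return -1;
	return add_region(m->reserved, &m->nreserved, base, size);
}

/* What a 'load' or tftp path would run before copying file data: the target
 * must lie inside one RAM bank and touch no reserved region. 0 = may proceed. */
int mem_map_check_load(const struct mem_map *m, paddr_t addr, paddr_t size)
{
	bool in_ram = false;

	if (!range_ok(addr, size))
		return -1;		/* empty, or wraps past the top of memory */
	for (size_t i = 0; i < m->nram && !in_ram; i++)
		in_ram = within(m->ram[i].base, m->ram[i].size, addr, size);
	if (!in_ram)
		return -1;
	for (size_t i = 0; i < m->nreserved; i++)
		if (overlaps(addr, size, m->reserved[i].base, m->reserved[i].size))
			return -1;
	return 0;
}

/* Constructed layout: 1 GiB RAM ending at 0xFFFFFFFF, bootloader in the top MiB. */
struct mem_map *demo_map(void)
{
	static struct mem_map m;

	if (m.nram == 0) {
		mem_map_add_ram(&m, 0xC0000000u, 0x40000000u);
		mem_map_reserve(&m, 0xFFF00000u, 0x00100000u);	/* relocated U-Boot */
		mem_map_reserve(&m, 0xFEF00000u, 0x00010000u);	/* 64 KiB FDT */
	}
	return &m;
}

int main(void)
{
	const struct mem_map *m = demo_map();
	/* 16 MiB into free RAM (ok), 2 MiB over the FDT, 8 KiB wrapping past
	 * 0xFFFFFFFF, 4 KiB below the RAM bank (all three rejected). */
	printf("%d %d %d %d\n", mem_map_check_load(m, 0xC1000000u, 0x01000000u),
	       mem_map_check_load(m, 0xFEE00000u, 0x00200000u),
	       mem_map_check_load(m, 0xFFFFF000u, 0x00002000u),
	       mem_map_check_load(m, 0xB0000000u, 0x00001000u));
	return 0;
}
```

The third load in main is the case worth staring at: with 32-bit arithmetic 0xFFFFF000 + 0x2000 wraps to 0x1000, so a check written as "addr + size <= ram_end" accepts it and the copy runs off the top of memory; phrasing the bound in terms of size - 1 (or an inclusive last address) avoids that. The same wrap applies when a region is reserved, which is why range_ok() guards both paths.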