[U-Boot] [PATCH v7 0/9] Fix CVE-2018-18440 and CVE-2018-18439

Simon Goldschmidt simon.k.r.goldschmidt at gmail.com
Mon Dec 17 19:48:51 UTC 2018 

Am 17.12.2018 um 20:06 schrieb Simon Goldschmidt:
> This series fixes CVE-2018-18440 ("insufficient boundary checks in
> filesystem image load") by adding restrictions to the 'load'
> command and fixes CVE-2018-18439 ("insufficient boundary checks in
> network image boot") by adding restrictions to the tftp code.
> The functions from lmb.c are used to setup regions of allowed and
> reserved memory. Then, the file size to load is checked against these
> addresses and loading the file is aborted if it would overwrite
> reserved memory.
> 
> The memory reservation code is reused from bootm/image.
> 
> Changes in v7:
> - add braces around if/else with macros accross more than one line
> - fix compiling without CONFIG_FIT
> - fix compiling without CONFIG_LMB

Please ignore v7: I've just found an overflow bug in the ARM port of 
'arch_lmb_reserve' that should go in as well. I'm preparing v8.

Regards,
Simon

> 
> Changes in v6:
> - fix size of allocated regions that need alignment padding
> - fix compiling without OF_CONTROL
> - fixed NULL pointer access in 'fdt_blob' passed to
>    'boot_fdt_add_mem_rsv_regions'
> 
> Changes in v5:
> - added tests for lib/lmb.c
> - fixed bug in lmb.c when ram is at the end of 32-bit address range
> - fixed a bug in lmb_alloc_addr when resulting reserved ranges get
>    combined
> 
> Changes in v4:
> - fixed invalid 'if' statement without braces in boot_fdt_reserve_region
> - removed patch 7 ("net: remove CONFIG_MCAST_TFTP), adapted patch 8
> 
> Changes in v3:
> - No patch changes, but needed to resend since patman added too many cc
>    addresses that gmail seemed to detect as spam :-(
> 
> Changes in v2:
> - added code to reserve devicetree reserved-memory in lmb
> - added tftp fixes (patches 7 and 8)
> - fixed a bug in new function lmb_alloc_addr
> 
> Simon Goldschmidt (9):
>    test: add test for lib/lmb.c
>    lmb: fix allocation at end of address range
>    lib: lmb: reserving overlapping regions should fail
>    fdt: parse "reserved-memory" for memory reservation
>    lib: lmb: extend lmb for checks at load time
>    fs: prevent overwriting reserved memory
>    bootm: use new common function lmb_init_and_reserve
>    lmb: remove unused extern declaration
>    tftp: prevent overwriting reserved memory
> 
>   common/bootm.c     |   8 +-
>   common/image-fdt.c |  53 +++-
>   fs/fs.c            |  56 ++++-
>   include/lmb.h      |   7 +-
>   lib/Makefile       |   1 +
>   lib/lmb.c          | 106 ++++++--
>   net/tftp.c         |  73 +++++-
>   test/lib/Makefile  |   1 +
>   test/lib/lmb.c     | 601 +++++++++++++++++++++++++++++++++++++++++++++
>   9 files changed, 853 insertions(+), 53 deletions(-)
>   create mode 100644 test/lib/lmb.c
>

More information about the U-Boot mailing list