[U-Boot] [PATCH v9 00/10] Fix CVE-2018-18440 and CVE-2018-18439

Simon Goldschmidt simon.k.r.goldschmidt at gmail.com
Wed Dec 19 18:59:59 UTC 2018


This series fixes CVE-2018-18440 ("insufficient boundary checks in
filesystem image load") by adding restrictions to the 'load'
command and fixes CVE-2018-18439 ("insufficient boundary checks in
network image boot") by adding restrictions to the tftp code.
The functions from lmb.c are used to setup regions of allowed and
reserved memory. Then, the file size to load is checked against these
addresses and loading the file is aborted if it would overwrite
reserved memory.

The memory reservation code is reused from bootm/image.

Changes in v9:
- fixed compile error in patch 10/10 (in arch/arm/lib/bootm.c)

Changes in v8:
- fix address overflow in 'arch_lmb_reserve' for ARM

Changes in v7:
- add braces around if/else with macros accross more than one line
- fix compiling without CONFIG_FIT
- fix compiling without CONFIG_LMB

Changes in v6:
- fix size of allocated regions that need alignment padding
- fix compiling without OF_CONTROL
- fixed NULL pointer access in 'fdt_blob' passed to
  'boot_fdt_add_mem_rsv_regions'

Changes in v5:
- added tests for lib/lmb.c
- fixed bug in lmb.c when ram is at the end of 32-bit address range
- fixed a bug in lmb_alloc_addr when resulting reserved ranges get
  combined

Changes in v4:
- fixed invalid 'if' statement without braces in boot_fdt_reserve_region
- removed patch 7 ("net: remove CONFIG_MCAST_TFTP), adapted patch 8

Changes in v3:
- No patch changes, but needed to resend since patman added too many cc
  addresses that gmail seemed to detect as spam :-(

Changes in v2:
- added code to reserve devicetree reserved-memory in lmb
- added tftp fixes (patches 7 and 8)
- fixed a bug in new function lmb_alloc_addr

Simon Goldschmidt (10):
  test: add test for lib/lmb.c
  lmb: fix allocation at end of address range
  lib: lmb: reserving overlapping regions should fail
  fdt: parse "reserved-memory" for memory reservation
  lib: lmb: extend lmb for checks at load time
  fs: prevent overwriting reserved memory
  bootm: use new common function lmb_init_and_reserve
  lmb: remove unused extern declaration
  tftp: prevent overwriting reserved memory
  arm: bootm: fix sp detection at end of address range

 arch/arm/lib/bootm.c |  10 +-
 common/bootm.c       |   8 +-
 common/image-fdt.c   |  53 +++-
 fs/fs.c              |  56 +++-
 include/lmb.h        |   7 +-
 lib/Makefile         |   1 +
 lib/lmb.c            | 106 ++++++--
 net/tftp.c           |  73 +++++-
 test/lib/Makefile    |   1 +
 test/lib/lmb.c       | 601 +++++++++++++++++++++++++++++++++++++++++++
 10 files changed, 859 insertions(+), 57 deletions(-)
 create mode 100644 test/lib/lmb.c

-- 
2.17.1



More information about the U-Boot mailing list