[U-Boot] CVE-2018-18439, CVE-2018-18440 - U-Boot verified boot bypass vulnerabilities

Simon Goldschmidt simon.k.r.goldschmidt at gmail.com
Fri Nov 9 06:11:36 UTC 2018


On Fri, Nov 9, 2018 at 1:37 AM Fabio Estevam <festevam at gmail.com> wrote:
>
> Hi Andrea,
>
> On Tue, Nov 6, 2018 at 12:57 PM Andrea Barisani
> <andrea.barisani at f-secure.com> wrote:
>
> > # load large file
> > => ext2load mmc 0 0x60000000 fitimage.itb
>
> Does this change work for you?
> http://dark-code.bulix.org/u6gw3b-499924

My understanding was U-Boot text or stack could get overwritten which
leads to the loaded bytes being executed as code.
So you would have to check that the loaded range is within RAM but not
within that reserved range of code or stack (or heap).

Getting this reserved range is what 'boot_start_lmb' does (in
bootm.c). Maybe this code can be refactored and reused in fs.c to get
a valid range for loading?

Additionally, your patch checks the loaded file's size without taking
the load address into account. So unless I read that wrong, your check
is only valid for 'addr == 0'.
Plus, the 'bytes' parameter should probably be a restriction to the
file's size when checking for a valid load range.

Simon
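The two points raised above (checking the whole load window against RAM and against the reserved text, heap and stack ranges, rather than checking the file size alone, and capping the checked length by a caller-supplied byte limit) can be modelled in a few lines of C. The block below is an added example written for this page; it is not U-Boot's fs.c, bootm.c or lmb code. The memory map, the reserved-region addresses and the function names (load_range_ok, naive_size_check, effective_len) are assumptions chosen for illustration.

```c
/*
 * Added example (not U-Boot code): a stand-alone model of the load-range
 * check discussed in the thread. The memory layout and the names below
 * are assumptions chosen for illustration, not U-Boot's real layout.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t phys_t;

struct region {
    phys_t start;  /* inclusive */
    phys_t size;   /* bytes; [start, start + size) */
};

/* Assumed (constructed) memory map: 1 GiB of RAM at 0x40000000. */
static const struct region ram = { 0x40000000ULL, 0x40000000ULL };

/* Assumed (constructed) reserved ranges near the top of RAM, mirroring
 * what U-Boot keeps there after relocation: text/data, heap, stack. */
static const struct region reserved[] = {
    { 0x7ff00000ULL, 0x00080000ULL }, /* relocated U-Boot text/data (assumed) */
    { 0x7fe00000ULL, 0x00100000ULL }, /* malloc heap (assumed) */
    { 0x7fdf0000ULL, 0x00010000ULL }, /* stack (assumed) */
};

/* Do [a, a+as) and [b, b+bs) intersect? Caller guarantees no wrap-around. */
static bool ranges_overlap(phys_t a, phys_t as, phys_t b, phys_t bs) {
    return a < b + bs && b < a + as;
}

/*
 * The kind of check criticised in the reply: it looks at the size only and
 * never at the load address, so it is meaningful only for a load at the
 * very start of RAM and says nothing about any other address.
 */
bool naive_size_check(phys_t size) {
    return size <= ram.size;
}

/*
 * Range-aware check: [addr, addr+size) must not wrap around the address
 * space, must lie entirely inside RAM, and must not touch any reserved
 * region. Returns true when the load is safe to perform.
 */
bool load_range_ok(phys_t addr, phys_t size) {
    if (size == 0)
        return true;                /* nothing would be written */
    if (addr > UINT64_MAX - size)
        return false;               /* addr + size would wrap */
    phys_t end = addr + size;       /* exclusive end of the load window */
    /* ram.start + ram.size cannot wrap for the constructed map above. */
    if (addr < ram.start || end > ram.start + ram.size)
        return false;               /* outside RAM */
    for (size_t i = 0; i < sizeof(reserved) / sizeof(reserved[0]); i++) {
        if (ranges_overlap(addr, size, reserved[i].start, reserved[i].size))
            return false;           /* would clobber text, heap or stack */
    }
    return true;
}

/*
 * Honour a caller-supplied byte limit: a non-zero 'bytes' caps how much of
 * the file is read, so it is this capped length, not the raw file size,
 * that has to be range-checked before loading.
 */
phys_t effective_len(phys_t file_size, phys_t bytes) {
    return (bytes != 0 && bytes < file_size) ? bytes : file_size;
}

int main(void) {
    /* A 4 MiB image at the bottom of RAM: accepted. */
    printf("%d\n", load_range_ok(0x40000000ULL, 0x400000ULL));
    /* Same size, placed so it runs into the stack and heap: rejected. */
    printf("%d\n", load_range_ok(0x7fc00000ULL, 0x400000ULL));
    /* The size-only check accepts both, because it ignores the address. */
    printf("%d\n", naive_size_check(0x400000ULL));
    return 0;
}
```

The check rejects a window that ends exactly at the top of RAM only if it intersects a reserved region; a load that stops at the first byte of the reserved text is accepted, which is the behaviour a loader wants. In real U-Boot the reserved ranges would come from the same bookkeeping the bootm path uses instead of being hard-coded.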

