[U-Boot] CVE-2018-18439, CVE-2018-18440 - U-Boot verified boot bypass vulnerabilities

Wolfgang Denk wd at denx.de
Mon Nov 12 08:00:17 UTC 2018


Dear Heinrich,

In message <450f8b6e-b2c0-0a5f-14e0-50c58103aec5 at gmx.de> you wrote:
>
> > I think this is not that complicated.  At least in standard U-Boot
> > (not speaking for SPL) it should be sufficient to check the current
> > stack pointer (which is easy to read) and take this as an upper limit of
> > available/allowed memory. If we add some reasonable safety margin
> > (say, 1 MB or so) we should be really safe.
> 
> Unfortunately this does not hold true. E.g. the Odroid-C2 has the secure
> monitor in the middle of the RAM. You would not want to overwrite those
> addresses.

Urgh... Is there a (technical, say hardware) reason for such an
unlucky design?  Who would willingly fragment memory like that?

> For a board with a device tree all reserved memory areas should be
> secured against overwriting.

True.

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
The first 90% of a project takes 90% of the time, the last 10%  takes
the other 90% of the time.
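
The two checks discussed in this message (stack pointer minus a safety margin as an upper limit, plus protection of reserved memory areas) can be combined as in the following added example, which is not code from this thread or from U-Boot. The type, function name, macro names and the memory layout are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical type and names for illustration; not U-Boot APIs. */
struct mem_region { uint64_t base, size; };

#define STACK_MARGIN (1ULL << 20)   /* the 1 MB safety margin from the thread */

/* Constructed layout: 2 GiB of RAM with a reserved hole inside it. */
#define RAM_BASE  0x40000000ULL
#define RAM_SIZE  0x80000000ULL
#define SAMPLE_SP 0xBF000000ULL
static const struct mem_region sample_rsv[] = {
    { 0x50000000ULL, 0x00200000ULL },   /* constructed secure-monitor-like hole */
};

/* Return true only if [addr, addr+len) is safe to write an image into. */
bool load_range_allowed(uint64_t sp, const struct mem_region *rsv, size_t nrsv,
                        uint64_t addr, uint64_t len)
{
    if (len == 0 || addr + len < addr)
        return false;                   /* empty range or address wrap-around */
    if (addr < RAM_BASE || addr - RAM_BASE >= RAM_SIZE ||
        len > RAM_SIZE - (addr - RAM_BASE))
        return false;                   /* not entirely inside RAM */
    if (sp < STACK_MARGIN || addr + len > sp - STACK_MARGIN)
        return false;                   /* would reach the stack or its margin */
    for (size_t i = 0; i < nrsv; i++) { /* reserved areas, e.g. from the device tree */
        uint64_t r_end = rsv[i].base + rsv[i].size; /* assumed not to wrap */
        if (addr < r_end && rsv[i].base < addr + len)
            return false;               /* overlaps a reserved area */
    }
    return true;
}

int main(void)
{
    /* Ends below the stack limit but crosses the hole: a stack-only check passes it. */
    printf("across hole: %d\n", load_range_allowed(SAMPLE_SP, sample_rsv, 1,
                                                   0x4FF00000ULL, 0x00200000ULL));
    printf("below hole:  %d\n", load_range_allowed(SAMPLE_SP, sample_rsv, 1,
                                                   0x41000000ULL, 0x00800000ULL));
    return 0;
}
```

Calling the function with an empty reserved list accepts the range that crosses the hole, which is the case raised in the quoted reply.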

