[U-Boot] [PATCH v3 0/8] Fix CVE-2018-18440 and CVE-2018-18439
Simon Goldschmidt
simon.k.r.goldschmidt at gmail.com
Sat Nov 17 12:24:56 UTC 2018
This series fixes CVE-2018-18440 ("insufficient boundary checks in
filesystem image load") by adding restrictions to the 'load'
command and fixes CVE-2018-18439 ("insufficient boundary checks in
network image boot") by adding restrictions to the tftp code.
The functions from lmb.c are used to setup regions of allowed and
reserved memory. Then, the file size to load is checked against these
addresses and loading the file is aborted if it would overwrite
reserved memory.
The memory reservation code is reused from bootm/image.
Changes in v3:
- No patch changes, but needed to resend since patman added too many cc
addresses that gmail seemed to detect as spam :-(
Changes in v2:
- added code to reserve devicetree reserved-memory in lmb
- added tftp fixes (patches 7 and 8)
- fixed a bug in new function lmb_alloc_addr
Simon Goldschmidt (8):
lib: lmb: reserving overlapping regions should fail
fdt: parse "reserved-memory" for memory reservation
lib: lmb: extend lmb for checks at load time
fs: prevent overwriting reserved memory
bootm: use new common function lmb_init_and_reserve
lmb: remove unused extern declaration
net: remove CONFIG_MCAST_TFTP
tftp: prevent overwriting reserved memory
README | 9 --
common/bootm.c | 8 +-
common/image-fdt.c | 52 ++++++-
drivers/net/rtl8139.c | 9 --
drivers/net/tsec.c | 52 -------
drivers/usb/gadget/ether.c | 3 -
fs/fs.c | 56 ++++++-
include/lmb.h | 7 +-
include/net.h | 17 ---
lib/lmb.c | 69 +++++++++
net/eth-uclass.c | 4 -
net/eth_legacy.c | 46 ------
net/net.c | 9 +-
net/tftp.c | 289 +++++++----------------------------
scripts/config_whitelist.txt | 1 -
15 files changed, 232 insertions(+), 399 deletions(-)
--
2.17.1
More information about the U-Boot
mailing list