[U-Boot] [PATCH v3 0/8] Fix CVE-2018-18440 and CVE-2018-18439

Simon Goldschmidt simon.k.r.goldschmidt at gmail.com
Sat Nov 17 12:24:56 UTC 2018


This series fixes CVE-2018-18440 ("insufficient boundary checks in
filesystem image load") by adding restrictions to the 'load'
command and fixes CVE-2018-18439 ("insufficient boundary checks in
network image boot") by adding restrictions to the tftp code.

The functions from lmb.c are used to setup regions of allowed and
reserved memory. Then, the file size to load is checked against these
addresses and loading the file is aborted if it would overwrite
reserved memory.

The memory reservation code is reused from bootm/image.

Changes in v3:
- No patch changes, but needed to resend since patman added too many cc
  addresses that gmail seemed to detect as spam :-(

Changes in v2:
- added code to reserve devicetree reserved-memory in lmb
- added tftp fixes (patches 7 and 8)
- fixed a bug in new function lmb_alloc_addr

Simon Goldschmidt (8):
  lib: lmb: reserving overlapping regions should fail
  fdt: parse "reserved-memory" for memory reservation
  lib: lmb: extend lmb for checks at load time
  fs: prevent overwriting reserved memory
  bootm: use new common function lmb_init_and_reserve
  lmb: remove unused extern declaration
  net: remove CONFIG_MCAST_TFTP
  tftp: prevent overwriting reserved memory

 README                       |   9 --
 common/bootm.c               |   8 +-
 common/image-fdt.c           |  52 ++++++-
 drivers/net/rtl8139.c        |   9 --
 drivers/net/tsec.c           |  52 -------
 drivers/usb/gadget/ether.c   |   3 -
 fs/fs.c                      |  56 ++++++-
 include/lmb.h                |   7 +-
 include/net.h                |  17 ---
 lib/lmb.c                    |  69 +++++++++
 net/eth-uclass.c             |   4 -
 net/eth_legacy.c             |  46 ------
 net/net.c                    |   9 +-
 net/tftp.c                   | 289 +++++++----------------------------
 scripts/config_whitelist.txt |   1 -
 15 files changed, 232 insertions(+), 399 deletions(-)

-- 
2.17.1



More information about the U-Boot mailing list