[U-Boot] [PATCH v3 0/8] Fix CVE-2018-18440 and CVE-2018-18439
Simon Glass
sjg at chromium.org
Tue Nov 27 01:02:09 UTC 2018
Hi Simon,
On Sat, 17 Nov 2018 at 05:25, Simon Goldschmidt
<simon.k.r.goldschmidt at gmail.com> wrote:
>
> This series fixes CVE-2018-18440 ("insufficient boundary checks in
> filesystem image load") by adding restrictions to the 'load'
> command and fixes CVE-2018-18439 ("insufficient boundary checks in
> network image boot") by adding restrictions to the tftp code.
>
> The functions from lmb.c are used to setup regions of allowed and
> reserved memory. Then, the file size to load is checked against these
> addresses and loading the file is aborted if it would overwrite
> reserved memory.
>
> The memory reservation code is reused from bootm/image.
>
> Changes in v3:
> - No patch changes, but needed to resend since patman added too many cc
> addresses that gmail seemed to detect as spam :-(
>
> Changes in v2:
> - added code to reserve devicetree reserved-memory in lmb
> - added tftp fixes (patches 7 and 8)
> - fixed a bug in new function lmb_alloc_addr
>
> Simon Goldschmidt (8):
> lib: lmb: reserving overlapping regions should fail
> fdt: parse "reserved-memory" for memory reservation
> lib: lmb: extend lmb for checks at load time
> fs: prevent overwriting reserved memory
> bootm: use new common function lmb_init_and_reserve
> lmb: remove unused extern declaration
> net: remove CONFIG_MCAST_TFTP
> tftp: prevent overwriting reserved memory
>
> README | 9 --
> common/bootm.c | 8 +-
> common/image-fdt.c | 52 ++++++-
> drivers/net/rtl8139.c | 9 --
> drivers/net/tsec.c | 52 -------
> drivers/usb/gadget/ether.c | 3 -
> fs/fs.c | 56 ++++++-
> include/lmb.h | 7 +-
> include/net.h | 17 ---
> lib/lmb.c | 69 +++++++++
> net/eth-uclass.c | 4 -
> net/eth_legacy.c | 46 ------
> net/net.c | 9 +-
> net/tftp.c | 289 +++++++----------------------------
> scripts/config_whitelist.txt | 1 -
> 15 files changed, 232 insertions(+), 399 deletions(-)
This is great work, but what is missing is a test for lmb.
Regards,
Simon
More information about the U-Boot
mailing list