[U-Boot] [PATCH v3 0/8] Fix CVE-2018-18440 and CVE-2018-18439

Simon Glass sjg at chromium.org
Tue Nov 27 01:02:09 UTC 2018 

Hi Simon,

On Sat, 17 Nov 2018 at 05:25, Simon Goldschmidt
<simon.k.r.goldschmidt at gmail.com> wrote:
>
> This series fixes CVE-2018-18440 ("insufficient boundary checks in
> filesystem image load") by adding restrictions to the 'load'
> command and fixes CVE-2018-18439 ("insufficient boundary checks in
> network image boot") by adding restrictions to the tftp code.
>
> The functions from lmb.c are used to setup regions of allowed and
> reserved memory. Then, the file size to load is checked against these
> addresses and loading the file is aborted if it would overwrite
> reserved memory.
>
> The memory reservation code is reused from bootm/image.
>
> Changes in v3:
> - No patch changes, but needed to resend since patman added too many cc
>   addresses that gmail seemed to detect as spam :-(
>
> Changes in v2:
> - added code to reserve devicetree reserved-memory in lmb
> - added tftp fixes (patches 7 and 8)
> - fixed a bug in new function lmb_alloc_addr
>
> Simon Goldschmidt (8):
>   lib: lmb: reserving overlapping regions should fail
>   fdt: parse "reserved-memory" for memory reservation
>   lib: lmb: extend lmb for checks at load time
>   fs: prevent overwriting reserved memory
>   bootm: use new common function lmb_init_and_reserve
>   lmb: remove unused extern declaration
>   net: remove CONFIG_MCAST_TFTP
>   tftp: prevent overwriting reserved memory
>
>  README                       |   9 --
>  common/bootm.c               |   8 +-
>  common/image-fdt.c           |  52 ++++++-
>  drivers/net/rtl8139.c        |   9 --
>  drivers/net/tsec.c           |  52 -------
>  drivers/usb/gadget/ether.c   |   3 -
>  fs/fs.c                      |  56 ++++++-
>  include/lmb.h                |   7 +-
>  include/net.h                |  17 ---
>  lib/lmb.c                    |  69 +++++++++
>  net/eth-uclass.c             |   4 -
>  net/eth_legacy.c             |  46 ------
>  net/net.c                    |   9 +-
>  net/tftp.c                   | 289 +++++++----------------------------
>  scripts/config_whitelist.txt |   1 -
>  15 files changed, 232 insertions(+), 399 deletions(-)

This is great work, but what is missing is a test for lmb.

Regards,
Simon

More information about the U-Boot mailing list