[U-Boot] [PATCH v3 0/8] Fix CVE-2018-18440 and CVE-2018-18439

Simon Goldschmidt simon.k.r.goldschmidt at gmail.com
Tue Nov 27 05:45:09 UTC 2018 

On Tue, Nov 27, 2018 at 2:02 AM Simon Glass <sjg at chromium.org> wrote:
>
> Hi Simon,
>
> On Sat, 17 Nov 2018 at 05:25, Simon Goldschmidt
> <simon.k.r.goldschmidt at gmail.com> wrote:
> >
> > This series fixes CVE-2018-18440 ("insufficient boundary checks in
> > filesystem image load") by adding restrictions to the 'load'
> > command and fixes CVE-2018-18439 ("insufficient boundary checks in
> > network image boot") by adding restrictions to the tftp code.
> >
> > The functions from lmb.c are used to setup regions of allowed and
> > reserved memory. Then, the file size to load is checked against these
> > addresses and loading the file is aborted if it would overwrite
> > reserved memory.
> >
> > The memory reservation code is reused from bootm/image.
> >
> > Changes in v3:
> > - No patch changes, but needed to resend since patman added too many cc
> >   addresses that gmail seemed to detect as spam :-(
> >
> > Changes in v2:
> > - added code to reserve devicetree reserved-memory in lmb
> > - added tftp fixes (patches 7 and 8)
> > - fixed a bug in new function lmb_alloc_addr
> >
> > Simon Goldschmidt (8):
> >   lib: lmb: reserving overlapping regions should fail
> >   fdt: parse "reserved-memory" for memory reservation
> >   lib: lmb: extend lmb for checks at load time
> >   fs: prevent overwriting reserved memory
> >   bootm: use new common function lmb_init_and_reserve
> >   lmb: remove unused extern declaration
> >   net: remove CONFIG_MCAST_TFTP
> >   tftp: prevent overwriting reserved memory
> >
> >  README                       |   9 --
> >  common/bootm.c               |   8 +-
> >  common/image-fdt.c           |  52 ++++++-
> >  drivers/net/rtl8139.c        |   9 --
> >  drivers/net/tsec.c           |  52 -------
> >  drivers/usb/gadget/ether.c   |   3 -
> >  fs/fs.c                      |  56 ++++++-
> >  include/lmb.h                |   7 +-
> >  include/net.h                |  17 ---
> >  lib/lmb.c                    |  69 +++++++++
> >  net/eth-uclass.c             |   4 -
> >  net/eth_legacy.c             |  46 ------
> >  net/net.c                    |   9 +-
> >  net/tftp.c                   | 289 +++++++----------------------------
> >  scripts/config_whitelist.txt |   1 -
> >  15 files changed, 232 insertions(+), 399 deletions(-)
>
> This is great work, but what is missing is a test for lmb.

Yeah, well, the tests didn't work on my system and I figured it's
better to get the code fixed than to use my time on trying to get the
tests running.

However, after searching for the required packages and fiddling around
some more, I guess I made them work so I could add tests now...

I also have work-in-progress for compressing fit image contents (we
currently only support uncompressing the kernel). It will switch some
'lmb_reserve' calls to the new 'lmb_alloc_addr' as this is more safe.
Maybe I can combine the tests in that series?

Regards,
Simon

More information about the U-Boot mailing list