[U-Boot] [PATCH v6 6/9] fs: prevent overwriting reserved memory

Simon Goldschmidt simon.k.r.goldschmidt at gmail.com
Mon Jan 14 15:15:15 UTC 2019


On Sat, Jan 5, 2019 at 2:56 AM Simon Glass <sjg at chromium.org> wrote:
>
> Hi Simon,
>
> On Fri, 14 Dec 2018 at 13:14, Simon Goldschmidt
> <simon.k.r.goldschmidt at gmail.com> wrote:
> >
> > This fixes CVE-2018-18440 ("insufficient boundary checks in filesystem
> > image load") by using lmb to check the load size of a file against
> > reserved memory addresses.
> >
> > Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt at gmail.com>
> > ---
> >
> > Changes in v6:
> > - fixed NULL pointer access in 'fdt_blob' passed to
> >   'boot_fdt_add_mem_rsv_regions'
> >
> > Changes in v5: None
> > Changes in v4: None
> > Changes in v2: None
> >
> >  fs/fs.c       | 56 ++++++++++++++++++++++++++++++++++++++++++++++++---
> >  include/lmb.h |  2 ++
> >  lib/lmb.c     | 13 ++++++++++++
> >  3 files changed, 68 insertions(+), 3 deletions(-)
>
> Reviewed-by: Simon Glass <sjg at chromium.org>
>
> How about -ENOSPC instead of -1?

You mean in fs_read_lmb_check()? That would probably be a good idea.

Note that you were replying to an old version, I had sent out v9 on 12/19/2018.
There's still -1 in there however. I'll send a v10 that fixes this.

Regards,
Simon
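
An added example, not part of the original message or of the U-Boot patch: a simplified model of the kind of check the commit message describes, refusing a load whose length would run into reserved memory and returning -ENOSPC as suggested in the review. The `struct region` type, the `free_size_at()` and `load_check()` names and the memory layout are assumptions made for illustration; U-Boot's lmb API is not reproduced here.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for a memory map; not U-Boot's struct lmb. */
struct region { uint64_t base, size; };

/* Constructed sample layout: 256 MiB of RAM with two reserved areas. */
static const struct region sample_ram = { 0x80000000ULL, 0x10000000ULL };
static const struct region sample_rsv[] = {
	{ 0x88000000ULL, 0x00100000ULL },	/* e.g. a device tree blob */
	{ 0x8ff00000ULL, 0x00100000ULL },	/* e.g. the relocated loader */
};

/*
 * Bytes that can be written starting at addr before reaching the end of RAM
 * or the first reserved region above addr. Returns 0 if addr lies outside
 * RAM or inside a reserved region.
 */
static uint64_t free_size_at(const struct region *ram, const struct region *rsv,
			     size_t nrsv, uint64_t addr)
{
	uint64_t limit;

	if (addr < ram->base || addr - ram->base >= ram->size)
		return 0;
	limit = ram->base + ram->size;	/* assumed not to wrap */
	for (size_t i = 0; i < nrsv; i++) {
		if (addr >= rsv[i].base && addr - rsv[i].base < rsv[i].size)
			return 0;	/* addr itself is reserved */
		if (rsv[i].base > addr && rsv[i].base < limit)
			limit = rsv[i].base;	/* nearest region above addr */
	}
	return limit - addr;
}

/* Hypothetical pre-read check: 0 if the load fits, -ENOSPC otherwise. */
static int load_check(const struct region *ram, const struct region *rsv,
		      size_t nrsv, uint64_t addr, uint64_t len)
{
	/* Comparing lengths avoids computing addr + len, which could wrap. */
	if (len > free_size_at(ram, rsv, nrsv, addr))
		return -ENOSPC;
	return 0;
}

int main(void)
{
	printf("%d\n", load_check(&sample_ram, sample_rsv, 2, 0x87fff000ULL, 0x1001));
	return 0;
}
```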

