[U-Boot] [U-Boot, v10, 09/10] tftp: prevent overwriting reserved memory
Heinrich Schuchardt
xypron.glpk at gmx.de
Sat Jan 26 13:25:54 UTC 2019
On 1/26/19 10:56 AM, Heinrich Schuchardt wrote:
> On 1/26/19 9:46 AM, Simon Goldschmidt wrote:
>> Am 26.01.2019 um 04:20 schrieb Heinrich Schuchardt:
>>> On 1/14/19 10:38 PM, Simon Goldschmidt wrote:
>>>> This fixes CVE-2018-18439 ("insufficient boundary checks in network
>>>> image boot") by using lmb to check for a valid range to store
>>>> received blocks.
>>>>
>>>> Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt at gmail.com>
>>>> Acked-by: Joe Hershberger <joe.hershberger at ni.com>
>>>> ---
>>>
>>> Hello Simon,
>>>
>>> due to this patch merged as a156c47e39ad7d00 on
>>> vexpress_ca15_tc2_defconfig the command 'dhcp filename' always fails. It
>>> was working in v2019.01.
>>>
>>> Same is true for other platforms, e.g. vexpress_ca9x4_defconfig.
>>
>> OK, that's probably not expected ;-)
>>
>> I'd appreciate it if you could continue to track this down to get it fixed.
>
> Let's see how far I get.
bdinfo shows:
DRAM bank = 0x00000000
-> start = 0x80000000
-> size = 0x20000000
DRAM bank = 0x00000001
-> start = 0xa0000000
-> size = 0x20000000
printenv:
loadaddr=0xa0008000
So the load address is in the second DRAM bank.
I guess we need changes in the following places:
t/tftp.c:609: lmb_init_and_reserve(&lmb, gd->bd->bi_dram[0].start,
fs/fs.c:456: lmb_init_and_reserve(&lmb, gd->bd->bi_dram[0].start,
common/bootm.c:62: lmb_init_and_reserve(&images->lmb,
(phys_addr_t)mem_start, mem_size,
I wonder why bootm.c is different and why the fdt isn't considered.
I would suggest the following:
Remove parameter lmb from lmb_get_unreserved_size(). Instead let
lmb_get_unreserved_size() check if a static struct lmb in lib/lmb.c is
initialized. If not use the different DRAM banks and the fdt for
initialization.
Best regards
Heinrich
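Added illustration, not U-Boot code and not from anyone in this thread: a simplified model of the range check, using the two banks from the bdinfo output above, showing that a map built from bi_dram[0] alone reports no room at loadaddr 0xa0008000 while a map holding both banks does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Simplified model, not U-Boot's lib/lmb.c: the memory map is just the
 * list of DRAM banks, and the query mirrors what lmb_get_unreserved_size()
 * answers: how many bytes at addr lie inside registered memory (0 = none). */
typedef uint64_t phys_addr_t;
typedef uint64_t phys_size_t;
#define MAX_BANKS 4
struct bank { phys_addr_t start; phys_size_t size; };
struct mem_map { size_t count; struct bank banks[MAX_BANKS]; };

/* Register one DRAM bank as usable memory; false when the table is full. */
static bool mem_map_add(struct mem_map *m, phys_addr_t start, phys_size_t size)
{
	if (m->count >= MAX_BANKS)
		return false;
	m->banks[m->count++] = (struct bank){ start, size };
	return true;
}

/* Bytes writable at addr before leaving its bank; 0 if addr is in no bank. */
static phys_size_t mem_map_unreserved_size(const struct mem_map *m, phys_addr_t addr)
{
	for (size_t i = 0; i < m->count; i++) {
		const struct bank *b = &m->banks[i];
		if (addr >= b->start && addr - b->start < b->size)
			return b->size - (addr - b->start);
	}
	return 0;
}

/* Banks from the bdinfo output in the mail: initialize from bank 0 only
 * (what the patched tftp.c does) or from every bank, then query loadaddr. */
static phys_size_t check_loadaddr(bool all_banks, phys_addr_t loadaddr)
{
	struct mem_map m = { 0 };
	mem_map_add(&m, 0x80000000, 0x20000000);
	if (all_banks)
		mem_map_add(&m, 0xa0000000, 0x20000000);
	return mem_map_unreserved_size(&m, loadaddr);
}

int main(void)
{
	printf("bank 0 only: %#llx, all banks: %#llx\n",
	       (unsigned long long)check_loadaddr(false, 0xa0008000),
	       (unsigned long long)check_loadaddr(true, 0xa0008000));
	return 0;
}
```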