[U-Boot] [U-Boot, v10, 09/10] tftp: prevent overwriting reserved memory

Heinrich Schuchardt xypron.glpk at gmx.de
Sat Jan 26 13:25:54 UTC 2019


On 1/26/19 10:56 AM, Heinrich Schuchardt wrote:
> On 1/26/19 9:46 AM, Simon Goldschmidt wrote:
>> Am 26.01.2019 um 04:20 schrieb Heinrich Schuchardt:
>>> On 1/14/19 10:38 PM, Simon Goldschmidt wrote:
>>>> This fixes CVE-2018-18439 ("insufficient boundary checks in network
>>>> image boot") by using lmb to check for a valid range to store
>>>> received blocks.
>>>>
>>>> Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt at gmail.com>
>>>> Acked-by: Joe Hershberger <joe.hershberger at ni.com>
>>>> ---
>>>
>>> Hello Simon,
>>>
>>> due to this patch merged as a156c47e39ad7d00 on
>>> vexpress_ca15_tc2_defconfig the command 'dhcp filename' always fails. It
>>> was working in v2019.01
>>>
>>> Same is true for other platforms, e.g. vexpress_ca9x4_defconfig.
>>
>> OK, that's probably not expected ;-)
>>
>> I'd appreciate it if you could continue to track this down to get it fixed.
> 
> Let's see how far I get.

bdinfo shows:

DRAM bank   = 0x00000000
-> start    = 0x80000000
-> size     = 0x20000000
DRAM bank   = 0x00000001
-> start    = 0xa0000000
-> size     = 0x20000000

printenv:
loadaddr=0xa0008000

So the load address is in the second DRAM bank.

I guess we need changes in the following places:

t/tftp.c:609: lmb_init_and_reserve(&lmb, gd->bd->bi_dram[0].start,
fs/fs.c:456:    lmb_init_and_reserve(&lmb, gd->bd->bi_dram[0].start,
common/bootm.c:62:      lmb_init_and_reserve(&images->lmb,
(phys_addr_t)mem_start, mem_size,

I wonder why bootm.c is different and why isn't the fdt considered?

I would suggest the following:

Remove parameter lmb from lmb_get_unreserved_size(). Instead let
lmb_get_unreserved_size() check if a static struct lmb in lib/lmb.c is
initialized. If not, use the different DRAM banks and the fdt for
initialization.

Best regards

Heinrich
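The failure described in the message above, as an added illustration that is not part of the thread and not U-Boot's lib/lmb.c: a minimal model of an lmb-style memory map (all names such as lmb_model, model_get_unreserved_size and tftp_block_allowed are hypothetical) built from the bdinfo output. When only bi_dram[0] is registered, the unreserved size at loadaddr=0xa0008000 comes out as 0, so every received tftp block is refused; registering both banks makes the check pass. The reserved range near the top of bank 1 is constructed for the example.

```c
#include <stdint.h>
/* Minimal model of an lmb-style memory map written for this example; it is
 * not U-Boot's lib/lmb.c and mirrors only the unreserved-size range check. */
typedef uint64_t phys_addr_t;
typedef uint64_t phys_size_t;
struct region { phys_addr_t base; phys_size_t size; };
struct lmb_model {
	struct region mem[4]; int nmem;	/* registered DRAM banks */
	struct region rsv[4]; int nrsv;	/* reserved ranges */
};
static void add_region(struct region *r, int *n, phys_addr_t base, phys_size_t size)
{
	if (*n < 4) { r[*n].base = base; r[*n].size = size; (*n)++; }
}
/* Bytes writable at addr before the end of its bank or the next reserved range;
 * 0 when addr lies outside every registered bank or inside a reservation. */
phys_size_t model_get_unreserved_size(const struct lmb_model *m, phys_addr_t addr)
{
	phys_addr_t end = 0;	/* 0 means "addr is in no registered bank" */
	int i;
	for (i = 0; i < m->nmem; i++)
		if (addr >= m->mem[i].base && addr - m->mem[i].base < m->mem[i].size)
			end = m->mem[i].base + m->mem[i].size;
	if (!end)
		return 0;
	for (i = 0; i < m->nrsv; i++) {
		phys_addr_t rb = m->rsv[i].base;
		if (addr >= rb && addr - rb < m->rsv[i].size)
			return 0;
		if (rb > addr && rb < end)
			end = rb;
	}
	return end - addr;
}
/* Map from the bdinfo output above; the 1 MiB reservation near the top of bank 1
 * is constructed. with_second_bank == 0 mimics registering bi_dram[0] only. */
phys_size_t unreserved_at_loadaddr(int with_second_bank)
{
	struct lmb_model m = { 0 };
	add_region(m.mem, &m.nmem, 0x80000000ULL, 0x20000000ULL);
	if (with_second_bank)
		add_region(m.mem, &m.nmem, 0xa0000000ULL, 0x20000000ULL);
	add_region(m.rsv, &m.nrsv, 0xbff00000ULL, 0x00100000ULL);
	return model_get_unreserved_size(&m, 0xa0008000ULL);
}
/* tftp's decision for a block of len bytes at loadaddr: refuse when unreserved < len. */
int tftp_block_allowed(int with_second_bank, phys_size_t len)
{
	return unreserved_at_loadaddr(with_second_bank) >= len;
}
```

With both banks registered the writable span stops at the constructed reservation, so a transfer that would run into it is still refused; that is the behaviour the CVE fix is meant to keep.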

