| Message ID | 20181217200830.32585-11-simon.k.r.goldschmidt@gmail.com |
|---|---|
| State | Superseded |
| Headers | show |
| Series | Fix CVE-2018-18440 and CVE-2018-18439 | expand |
On 12/17/18 1:08 PM, Simon Goldschmidt wrote: > This fixes 'arch_lmb_reserve()' for ARM that tries to detect in which > DRAM bank 'sp' is in. > > This code failed if a bank was at the end of physical address range > (i.e. size + length overflowed to 0). > > To fix this, calculate 'bank_end' as 'size + length - 1' so that such > banks end at 0xffffffff, not 0. > > Fixes: 15751403b6 ("ARM: bootm: don't assume sp is in DRAM bank 0") > Reported-by: Frank Wunderlich <frank-w@public-files.de> > Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com> This patch, Reviewed-by: Stephen Warren <swarren@nvidia.com>
Hi,
seems that Patch0 does not receive Mailinglist and my answer to it got blocked...
i get:
arch/arm/lib/bootm.c: In function ‘arch_lmb_reserve’:
arch/arm/lib/bootm.c:67:8: error: ‘bi_dram’ undeclared (first use in this function); did you mean ‘blk_dread’?
if (!bi_dram[bank].size || sp < gd->bd->bi_dram[bank].start)
^~~~~~~
blk_dread
which i fixed this way:
diff --git a/arch/arm/lib/bootm.c b/arch/arm/lib/bootm.c
index e9a333af0e..48bb41249e 100644
--- a/arch/arm/lib/bootm.c
+++ b/arch/arm/lib/bootm.c
@@ -64,7 +64,7 @@ void arch_lmb_reserve(struct lmb *lmb)
/* adjust sp by 4K to be safe */
sp -= 4096;
for (bank = 0; bank < CONFIG_NR_DRAM_BANKS; bank++) {
- if (!bi_dram[bank].size || sp < gd->bd->bi_dram[bank].start)
+ if (!gd->bd->bi_dram[bank].size || sp < gd->bd->bi_dram[bank].start)
continue;
/* Watch out for RAM at end of address space! */
bank_end = gd->bd->bi_dram[bank].start +
after that at least sp_start is protected
U-Boot> bd
arch_number = 0x00000000
boot_params = 0x80000100
DRAM bank = 0x00000000
-> start = 0x80000000
-> size = 0x80000000
current eth = unknown
ip_addr = <NULL>
baudrate = 115200 bps
TLB addr = 0xFFFF0000
relocaddr = 0xFFF9C000
reloc off = 0x7E19C000
irq_sp = 0xFFB9AED0
sp start = 0xFFB9AEC0
Early malloc usage: 318 / 4000
fdt_blob = fffd0be0
U-Boot> setenv scriptaddr 0xFFB9AEC0
U-Boot> fatload ${device} ${partition} ${scriptaddr} ${bpi}/${board}/${service}/${bootenv};
** Reading file would overwrite reserved memory **
same with relocaddr -x
U-Boot> setenv scriptaddr 0xFFF9BF00
U-Boot> fatload ${device} ${partition} ${scriptaddr} ${bpi}/${board}/${service}/
${bootenv};
** Reading file would overwrite reserved memory **
regards Frank
> Gesendet: Montag, 17. Dezember 2018 um 21:08 Uhr
> Von: "Simon Goldschmidt" <simon.k.r.goldschmidt@gmail.com>
> An: "Tom Rini" <trini@konsulko.com>, u-boot@lists.denx.de, "Joe Hershberger" <joe.hershberger@ni.com>
> Cc: "Heinrich Schuchardt" <xypron.glpk@gmx.de>, "Fabio Estevam" <festevam@gmail.com>, "Andrea Barisani" <andrea.barisani@f-secure.com>, "Frank Wunderlich" <frank-w@public-files.de>, "Simon Goldschmidt" <simon.k.r.goldschmidt@gmail.com>, "Simon Glass" <sjg@chromium.org>, "Masahiro Yamada" <yamada.masahiro@socionext.com>, "Tom Warren" <twarren@nvidia.com>, "Bin Meng" <bmeng.cn@gmail.com>, "Vasyl Vavrychuk" <vvavrychuk@gmail.com>, "Albert Aribaud" <albert.u.boot@aribaud.net>, "Hannes Schmelzer" <hannes.schmelzer@br-automation.com>, "Stephen Warren" <swarren@nvidia.com>
> Betreff: [PATCH v8 10/10] arm: bootm: fix sp detection at end of address range
>
> This fixes 'arch_lmb_reserve()' for ARM that tries to detect in which
> DRAM bank 'sp' is in.
>
> This code failed if a bank was at the end of physical address range
> (i.e. size + length overflowed to 0).
>
> To fix this, calculate 'bank_end' as 'size + length - 1' so that such
> banks end at 0xffffffff, not 0.
>
> Fixes: 15751403b6 ("ARM: bootm: don't assume sp is in DRAM bank 0")
> Reported-by: Frank Wunderlich <frank-w@public-files.de>
> Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
> ---
>
> Changes in v8:
> - this patch is new in v8
>
> Changes in v7: None
> Changes in v6: None
> Changes in v5: None
> Changes in v4: None
> Changes in v2: None
>
> arch/arm/lib/bootm.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/arch/arm/lib/bootm.c b/arch/arm/lib/bootm.c
> index c3c1d2fdfa..e9a333af0e 100644
> --- a/arch/arm/lib/bootm.c
> +++ b/arch/arm/lib/bootm.c
> @@ -64,13 +64,14 @@ void arch_lmb_reserve(struct lmb *lmb)
> /* adjust sp by 4K to be safe */
> sp -= 4096;
> for (bank = 0; bank < CONFIG_NR_DRAM_BANKS; bank++) {
> - if (sp < gd->bd->bi_dram[bank].start)
> + if (!bi_dram[bank].size || sp < gd->bd->bi_dram[bank].start)
> continue;
> + /* Watch out for RAM at end of address space! */
> bank_end = gd->bd->bi_dram[bank].start +
> - gd->bd->bi_dram[bank].size;
> - if (sp >= bank_end)
> + gd->bd->bi_dram[bank].size - 1;
> + if (sp > bank_end)
> continue;
> - lmb_reserve(lmb, sp, bank_end - sp);
> + lmb_reserve(lmb, sp, bank_end - sp + 1);
> break;
> }
> }
> --
> 2.17.1
>
>
Am 18.12.2018 um 16:55 schrieb Frank Wunderlich: > Hi, > > seems that Patch0 does not receive Mailinglist and my answer to it got blocked... > > i get: > > arch/arm/lib/bootm.c: In function ‘arch_lmb_reserve’: > arch/arm/lib/bootm.c:67:8: error: ‘bi_dram’ undeclared (first use in this function); did you mean ‘blk_dread’? > if (!bi_dram[bank].size || sp < gd->bd->bi_dram[bank].start) > ^~~~~~~ > blk_dread > > which i fixed this way: > > diff --git a/arch/arm/lib/bootm.c b/arch/arm/lib/bootm.c > index e9a333af0e..48bb41249e 100644 > --- a/arch/arm/lib/bootm.c > +++ b/arch/arm/lib/bootm.c > @@ -64,7 +64,7 @@ void arch_lmb_reserve(struct lmb *lmb) > /* adjust sp by 4K to be safe */ > sp -= 4096; > for (bank = 0; bank < CONFIG_NR_DRAM_BANKS; bank++) { > - if (!bi_dram[bank].size || sp < gd->bd->bi_dram[bank].start) > + if (!gd->bd->bi_dram[bank].size || sp < gd->bd->bi_dram[bank].start) > continue; > /* Watch out for RAM at end of address space! */ > bank_end = gd->bd->bi_dram[bank].start + > D'Oh! Don't know how that could have slipped through. Seems I was a little hasty in adding this last patch :-( Your fix is of course correct. I'll submit v9 :-/ > after that at least sp_start is protected > > U-Boot> bd > arch_number = 0x00000000 > boot_params = 0x80000100 > DRAM bank = 0x00000000 > -> start = 0x80000000 > -> size = 0x80000000 > current eth = unknown > ip_addr = <NULL> > baudrate = 115200 bps > TLB addr = 0xFFFF0000 > relocaddr = 0xFFF9C000 > reloc off = 0x7E19C000 > irq_sp = 0xFFB9AED0 > sp start = 0xFFB9AEC0 > Early malloc usage: 318 / 4000 > fdt_blob = fffd0be0 > > U-Boot> setenv scriptaddr 0xFFB9AEC0 > U-Boot> fatload ${device} ${partition} ${scriptaddr} ${bpi}/${board}/${service}/${bootenv}; > ** Reading file would overwrite reserved memory ** > > same with relocaddr -x > > U-Boot> setenv scriptaddr 0xFFF9BF00 > U-Boot> fatload ${device} ${partition} ${scriptaddr} ${bpi}/${board}/${service}/ > ${bootenv}; > ** Reading file would overwrite reserved memory ** So, yay, it finally works for you! Thanks for testing! Regards, Simon > > regards Frank > >> Gesendet: Montag, 17. Dezember 2018 um 21:08 Uhr >> Von: "Simon Goldschmidt" <simon.k.r.goldschmidt@gmail.com> >> An: "Tom Rini" <trini@konsulko.com>, u-boot@lists.denx.de, "Joe Hershberger" <joe.hershberger@ni.com> >> Cc: "Heinrich Schuchardt" <xypron.glpk@gmx.de>, "Fabio Estevam" <festevam@gmail.com>, "Andrea Barisani" <andrea.barisani@f-secure.com>, "Frank Wunderlich" <frank-w@public-files.de>, "Simon Goldschmidt" <simon.k.r.goldschmidt@gmail.com>, "Simon Glass" <sjg@chromium.org>, "Masahiro Yamada" <yamada.masahiro@socionext.com>, "Tom Warren" <twarren@nvidia.com>, "Bin Meng" <bmeng.cn@gmail.com>, "Vasyl Vavrychuk" <vvavrychuk@gmail.com>, "Albert Aribaud" <albert.u.boot@aribaud.net>, "Hannes Schmelzer" <hannes.schmelzer@br-automation.com>, "Stephen Warren" <swarren@nvidia.com> >> Betreff: [PATCH v8 10/10] arm: bootm: fix sp detection at end of address range >> >> This fixes 'arch_lmb_reserve()' for ARM that tries to detect in which >> DRAM bank 'sp' is in. >> >> This code failed if a bank was at the end of physical address range >> (i.e. size + length overflowed to 0). >> >> To fix this, calculate 'bank_end' as 'size + length - 1' so that such >> banks end at 0xffffffff, not 0. >> >> Fixes: 15751403b6 ("ARM: bootm: don't assume sp is in DRAM bank 0") >> Reported-by: Frank Wunderlich <frank-w@public-files.de> >> Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com> >> --- >> >> Changes in v8: >> - this patch is new in v8 >> >> Changes in v7: None >> Changes in v6: None >> Changes in v5: None >> Changes in v4: None >> Changes in v2: None >> >> arch/arm/lib/bootm.c | 9 +++++---- >> 1 file changed, 5 insertions(+), 4 deletions(-) >> >> diff --git a/arch/arm/lib/bootm.c b/arch/arm/lib/bootm.c >> index c3c1d2fdfa..e9a333af0e 100644 >> --- a/arch/arm/lib/bootm.c >> +++ b/arch/arm/lib/bootm.c >> @@ -64,13 +64,14 @@ void arch_lmb_reserve(struct lmb *lmb) >> /* adjust sp by 4K to be safe */ >> sp -= 4096; >> for (bank = 0; bank < CONFIG_NR_DRAM_BANKS; bank++) { >> - if (sp < gd->bd->bi_dram[bank].start) >> + if (!bi_dram[bank].size || sp < gd->bd->bi_dram[bank].start) >> continue; >> + /* Watch out for RAM at end of address space! */ >> bank_end = gd->bd->bi_dram[bank].start + >> - gd->bd->bi_dram[bank].size; >> - if (sp >= bank_end) >> + gd->bd->bi_dram[bank].size - 1; >> + if (sp > bank_end) >> continue; >> - lmb_reserve(lmb, sp, bank_end - sp); >> + lmb_reserve(lmb, sp, bank_end - sp + 1); >> break; >> } >> } >> -- >> 2.17.1 >> >>
diff --git a/arch/arm/lib/bootm.c b/arch/arm/lib/bootm.c index c3c1d2fdfa..e9a333af0e 100644 --- a/arch/arm/lib/bootm.c +++ b/arch/arm/lib/bootm.c @@ -64,13 +64,14 @@ void arch_lmb_reserve(struct lmb *lmb) /* adjust sp by 4K to be safe */ sp -= 4096; for (bank = 0; bank < CONFIG_NR_DRAM_BANKS; bank++) { - if (sp < gd->bd->bi_dram[bank].start) + if (!bi_dram[bank].size || sp < gd->bd->bi_dram[bank].start) continue; + /* Watch out for RAM at end of address space! */ bank_end = gd->bd->bi_dram[bank].start + - gd->bd->bi_dram[bank].size; - if (sp >= bank_end) + gd->bd->bi_dram[bank].size - 1; + if (sp > bank_end) continue; - lmb_reserve(lmb, sp, bank_end - sp); + lmb_reserve(lmb, sp, bank_end - sp + 1); break; } }
This fixes 'arch_lmb_reserve()' for ARM that tries to detect in which DRAM bank 'sp' is in. This code failed if a bank was at the end of physical address range (i.e. size + length overflowed to 0). To fix this, calculate 'bank_end' as 'size + length - 1' so that such banks end at 0xffffffff, not 0. Fixes: 15751403b6 ("ARM: bootm: don't assume sp is in DRAM bank 0") Reported-by: Frank Wunderlich <frank-w@public-files.de> Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com> --- Changes in v8: - this patch is new in v8 Changes in v7: None Changes in v6: None Changes in v5: None Changes in v4: None Changes in v2: None arch/arm/lib/bootm.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)