[U-Boot,v3,8/8] tftp: prevent overwriting reserved memory

Message ID	20181117122504.16498-9-simon.k.r.goldschmidt@gmail.com
State	Superseded
Delegated to:	Tom Rini
Headers	show Return-Path: <u-boot-bounces@lists.denx.de> From: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com> To: Tom Rini <trini@konsulko.com>, u-boot@lists.denx.de, Joe Hershberger <joe.hershberger@ni.com> Date: Sat, 17 Nov 2018 13:25:04 +0100 Message-Id: <20181117122504.16498-9-simon.k.r.goldschmidt@gmail.com> In-Reply-To: <20181117122504.16498-1-simon.k.r.goldschmidt@gmail.com> References: <20181117122504.16498-1-simon.k.r.goldschmidt@gmail.com> Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>, Andrea Barisani <andrea.barisani@f-secure.com> Subject: [U-Boot] [PATCH v3 8/8] tftp: prevent overwriting reserved memory Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	Fix CVE-2018-18440 and CVE-2018-18439 \| expand [U-Boot,v3,0/8] Fix CVE-2018-18440 and CVE-2018-18439 [U-Boot,v3,1/8] lib: lmb: reserving overlapping regions should fail [U-Boot,v3,2/8] fdt: parse "reserved-memory" for memory reservation [U-Boot,v3,3/8] lib: lmb: extend lmb for checks at load time [U-Boot,v3,4/8] fs: prevent overwriting reserved memory [U-Boot,v3,5/8] bootm: use new common function lmb_init_and_reserve [U-Boot,v3,6/8] lmb: remove unused extern declaration [U-Boot,v3,7/8] net: remove CONFIG_MCAST_TFTP [U-Boot,v3,8/8] tftp: prevent overwriting reserved memory

Message ID

20181117122504.16498-9-simon.k.r.goldschmidt@gmail.com

State

Superseded

Delegated to:

Tom Rini

Headers

From: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
To: Tom Rini <trini@konsulko.com>, u-boot@lists.denx.de,
	Joe Hershberger <joe.hershberger@ni.com>
Date: Sat, 17 Nov 2018 13:25:04 +0100
Message-Id: <20181117122504.16498-9-simon.k.r.goldschmidt@gmail.com>
In-Reply-To: <20181117122504.16498-1-simon.k.r.goldschmidt@gmail.com>
References: <20181117122504.16498-1-simon.k.r.goldschmidt@gmail.com>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>,
	Andrea Barisani <andrea.barisani@f-secure.com>
Subject: [U-Boot] [PATCH v3 8/8] tftp: prevent overwriting reserved memory
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

Series

Fix CVE-2018-18440 and CVE-2018-18439 | expand

Commit Message

Simon Goldschmidt Nov. 17, 2018, 12:25 p.m. UTC

This fixes CVE-2018-18439 ("insufficient boundary checks in network
image boot") by using lmb to check for a valid range to store
received blocks.

Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
---

Changes in v2:
- this patch is new in v2

 net/tftp.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 57 insertions(+), 9 deletions(-)

diff --git a/net/tftp.c b/net/tftp.c
index 563ce3a06f..390394199d 100644
--- a/net/tftp.c
+++ b/net/tftp.c
@@ -17,6 +17,8 @@ 
 #include <flash.h>
 #endif
 
+DECLARE_GLOBAL_DATA_PTR;
+
 /* Well known TFTP port # */
 #define WELL_KNOWN_PORT	69
 /* Millisecs to timeout for lost pkt */
@@ -81,6 +83,8 @@  static ulong	tftp_block_wrap;
 /* memory offset due to wrapping */
 static ulong	tftp_block_wrap_offset;
 static int	tftp_state;
+static ulong	tftp_load_addr;
+static ulong	tftp_load_size;
 #ifdef CONFIG_TFTP_TSIZE
 /* The file size reported by the server */
 static int	tftp_tsize;
@@ -134,10 +138,11 @@  static char tftp_filename[MAX_LEN];
 static unsigned short tftp_block_size = TFTP_BLOCK_SIZE;
 static unsigned short tftp_block_size_option = TFTP_MTU_BLOCKSIZE;
 
-static inline void store_block(int block, uchar *src, unsigned len)
+static inline int store_block(int block, uchar *src, unsigned int len)
 {
 	ulong offset = block * tftp_block_size + tftp_block_wrap_offset;
 	ulong newsize = offset + len;
+	ulong store_addr = tftp_load_addr + offset;
 #ifdef CONFIG_SYS_DIRECT_FLASH_TFTP
 	int i, rc = 0;
 
@@ -145,30 +150,38 @@  static inline void store_block(int block, uchar *src, unsigned len)
 		/* start address in flash? */
 		if (flash_info[i].flash_id == FLASH_UNKNOWN)
 			continue;
-		if (load_addr + offset >= flash_info[i].start[0]) {
+		if (store_addr >= flash_info[i].start[0]) {
 			rc = 1;
 			break;
 		}
 	}
 
 	if (rc) { /* Flash is destination for this packet */
-		rc = flash_write((char *)src, (ulong)(load_addr+offset), len);
+		rc = flash_write((char *)src, store_addr, len);
 		if (rc) {
 			flash_perror(rc);
-			net_set_state(NETLOOP_FAIL);
-			return;
+			return rc;
 		}
 	} else
 #endif /* CONFIG_SYS_DIRECT_FLASH_TFTP */
 	{
-		void *ptr = map_sysmem(load_addr + offset, len);
+		void *ptr;
 
+		if (store_addr < tftp_load_addr ||
+		    store_addr + len > tftp_load_addr + tftp_load_size) {
+			puts("\nTFTP error: ");
+			puts("trying to overwrite reserved memory...\n");
+			return -1;
+		}
+		ptr = map_sysmem(store_addr, len);
 		memcpy(ptr, src, len);
 		unmap_sysmem(ptr);
 	}
 
 	if (net_boot_file_size < newsize)
 		net_boot_file_size = newsize;
+
+	return 0;
 }
 
 /* Clear our state ready for a new transfer */
@@ -527,7 +540,11 @@  static void tftp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
 		timeout_count_max = tftp_timeout_count_max;
 		net_set_timeout_handler(timeout_ms, tftp_timeout_handler);
 
-		store_block(tftp_cur_block - 1, pkt + 2, len);
+		if (store_block(tftp_cur_block - 1, pkt + 2, len)) {
+			eth_halt();
+			net_set_state(NETLOOP_FAIL);
+			break;
+		}
 
 		/*
 		 *	Acknowledge the block just received, which will prompt
@@ -577,6 +594,24 @@  static void tftp_timeout_handler(void)
 	}
 }
 
+/* Initialize tftp_load_addr and tftp_load_size from load_addr and lmb */
+static int tftp_init_load_addr(void)
+{
+	struct lmb lmb;
+	phys_size_t max_size;
+
+	tftp_load_addr = load_addr;
+
+	lmb_init_and_reserve(&lmb, gd->bd->bi_dram[0].start,
+			     gd->bd->bi_dram[0].size, (void *)gd->fdt_blob);
+
+	max_size = lmb_get_unreserved_size(&lmb, tftp_load_addr);
+	if (!max_size)
+		return -1;
+
+	tftp_load_size = max_size;
+	return 0;
+}
 
 void tftp_start(enum proto_t protocol)
 {
@@ -673,7 +708,14 @@  void tftp_start(enum proto_t protocol)
 	} else
 #endif
 	{
-		printf("Load address: 0x%lx\n", load_addr);
+		if (tftp_init_load_addr()) {
+			eth_halt();
+			net_set_state(NETLOOP_FAIL);
+			puts("\nTFTP error: ");
+			puts("trying to overwrite reserved memory...\n");
+			return;
+		}
+		printf("Load address: 0x%lx\n", tftp_load_addr);
 		puts("Loading: *\b");
 		tftp_state = STATE_SEND_RRQ;
 #ifdef CONFIG_CMD_BOOTEFI
@@ -721,9 +763,15 @@  void tftp_start_server(void)
 {
 	tftp_filename[0] = 0;
 
+	if (tftp_init_load_addr()) {
+		eth_halt();
+		net_set_state(NETLOOP_FAIL);
+		puts("\nTFTP error: trying to overwrite reserved memory...\n");
+		return;
+	}
 	printf("Using %s device\n", eth_get_name());
 	printf("Listening for TFTP transfer on %pI4\n", &net_ip);
-	printf("Load address: 0x%lx\n", load_addr);
+	printf("Load address: 0x%lx\n", tftp_load_addr);
 
 	puts("Loading: *\b");

[U-Boot,v3,8/8] tftp: prevent overwriting reserved memory

Commit Message

Patch