From patchwork Wed Dec 19 18:59:59 2018
X-Patchwork-Submitter: Simon Goldschmidt
X-Patchwork-Id: 1016765
From: Simon Goldschmidt
To: Tom Rini, u-boot@lists.denx.de, Joe Hershberger
Cc: Stephen Warren, Heinrich Schuchardt, Alexey Brodkin, Alexander Graf, Miquel Raynal, Andrea Barisani
Date: Wed, 19 Dec 2018 19:59:59 +0100
Message-Id: <20181219190009.23265-1-simon.k.r.goldschmidt@gmail.com>
Subject: [U-Boot] [PATCH v9 00/10] Fix CVE-2018-18440 and CVE-2018-18439

This series fixes CVE-2018-18440 ("insufficient boundary checks in
filesystem image load") by adding restrictions to the 'load' command
and fixes CVE-2018-18439 ("insufficient boundary checks in network
image boot") by adding restrictions to the tftp code.

The functions from lmb.c are used to set up regions of allowed and
reserved memory. Then, the file size to load is checked against these
addresses and loading the file is aborted if it would overwrite
reserved memory.

The memory reservation code is reused from bootm/image.

Changes in v9:
- fixed compile error in patch 10/10 (in arch/arm/lib/bootm.c)

Changes in v8:
- fix address overflow in 'arch_lmb_reserve' for ARM

Changes in v7:
- add braces around if/else with macros across more than one line
- fix compiling without CONFIG_FIT
- fix compiling without CONFIG_LMB

Changes in v6:
- fix size of allocated regions that need alignment padding
- fix compiling without OF_CONTROL
- fixed NULL pointer access in 'fdt_blob' passed to
  'boot_fdt_add_mem_rsv_regions'

Changes in v5:
- added tests for lib/lmb.c
- fixed bug in lmb.c when ram is at the end of 32-bit address range
- fixed a bug in lmb_alloc_addr when resulting reserved ranges get
  combined

Changes in v4:
- fixed invalid 'if' statement without braces in
  boot_fdt_reserve_region
- removed patch 7 ("net: remove CONFIG_MCAST_TFTP"), adapted patch 8

Changes in v3:
- No patch changes, but needed to resend since patman added too many
  cc addresses that gmail seemed to detect as spam :-(

Changes in v2:
- added code to reserve devicetree reserved-memory in lmb
- added tftp fixes (patches 7 and 8)
- fixed a bug in new function lmb_alloc_addr

Simon Goldschmidt (10):
  test: add test for lib/lmb.c
  lmb: fix allocation at end of address range
  lib: lmb: reserving overlapping regions should fail
  fdt: parse "reserved-memory" for memory reservation
  lib: lmb: extend lmb for checks at load time
  fs: prevent overwriting reserved memory
  bootm: use new common function lmb_init_and_reserve
  lmb: remove unused extern declaration
  tftp: prevent overwriting reserved memory
  arm: bootm: fix sp detection at end of address range

 arch/arm/lib/bootm.c |  10 +-
 common/bootm.c       |   8 +-
 common/image-fdt.c   |  53 +++-
 fs/fs.c              |  56 +++-
 include/lmb.h        |   7 +-
 lib/Makefile         |   1 +
 lib/lmb.c            | 106 ++++++--
 net/tftp.c           |  73 +++++-
 test/lib/Makefile    |   1 +
 test/lib/lmb.c       | 601 +++++++++++++++++++++++++++++++++++++++++++
 10 files changed, 859 insertions(+), 57 deletions(-)
 create mode 100644 test/lib/lmb.c
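
The load-time check the cover letter describes, as an added example that is not part of the original message and is not U-Boot's code: a load is accepted only if the whole range lies in RAM and overlaps no reserved region, with the arithmetic arranged so it stays correct when RAM ends at the top of the 32-bit address range (the case the v5 and v8 changelog entries mention). The type, the function names and the memory map are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical types and names for illustration; this is not U-Boot's lmb API. */
struct region { uint32_t base, size; };   /* size must be > 0 */

/* Constructed memory map: one RAM bank ending at the top of the 32-bit range. */
static const struct region ram_banks[] = { { 0xC0000000u, 0x40000000u } };
static const struct region reserved[] = {
    { 0xD0000000u, 0x00100000u },   /* stands in for a devicetree reservation */
    { 0xFF000000u, 0x01000000u },   /* stands in for the relocated boot loader */
};

/* Last byte of r; base + size would wrap to 0 when r ends at 0xFFFFFFFF. */
static uint32_t region_last(const struct region *r)
{
    return r->base + (r->size - 1);
}

/* True when [addr, addr + len) lies entirely inside r. */
static bool region_contains(const struct region *r, uint32_t addr, uint32_t len)
{
    if (len == 0 || addr < r->base || addr > region_last(r))
        return false;
    return len - 1 <= region_last(r) - addr;   /* never computes addr + len */
}

/* True when [addr, addr + len) shares at least one byte with r. */
static bool region_overlaps(const struct region *r, uint32_t addr, uint32_t len)
{
    if (len == 0 || addr > region_last(r))
        return false;
    uint32_t last = (len - 1 > UINT32_MAX - addr) ? UINT32_MAX : addr + (len - 1);
    return last >= r->base;
}

/* Allow a load only if it fits in one RAM bank and touches no reservation. */
bool load_allowed(uint32_t addr, uint32_t len)
{
    bool in_ram = false;
    for (size_t i = 0; i < sizeof(ram_banks) / sizeof(ram_banks[0]); i++)
        in_ram = in_ram || region_contains(&ram_banks[i], addr, len);
    for (size_t i = 0; in_ram && i < sizeof(reserved) / sizeof(reserved[0]); i++)
        if (region_overlaps(&reserved[i], addr, len))
            return false;
    return in_ram;
}

int main(void) { return load_allowed(0xC1000000u, 0x00800000u) ? 0 : 1; }
```

A naive `addr + len <= base + size` comparison would accept the wrapping load at 0xFE000000 with length 0x03000000, because both sums overflow; comparing lengths against the remaining space rejects it.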