| Message ID | 20181112212532.13126-1-simon.k.r.goldschmidt@gmail.com |
|---|---|
| Headers | show
Return-Path: <u-boot-bounces@lists.denx.de> X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.denx.de (client-ip=81.169.180.215; helo=lists.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=<UNKNOWN>) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="Cs+tbUjj"; dkim-atps=neutral Received: from lists.denx.de (dione.denx.de [81.169.180.215]) by ozlabs.org (Postfix) with ESMTP id 42v3hh0hLnz9rxp for <incoming@patchwork.ozlabs.org>; Tue, 13 Nov 2018 08:25:51 +1100 (AEDT) Received: by lists.denx.de (Postfix, from userid 105) id 2C672C223FA; Mon, 12 Nov 2018 21:25:43 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on lists.denx.de X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=FREEMAIL_FROM, RCVD_IN_DNSWL_BLOCKED, RCVD_IN_MSPIKE_H2, T_DKIM_INVALID autolearn=unavailable autolearn_force=no version=3.4.0 Received: from lists.denx.de (localhost [IPv6:::1]) by lists.denx.de (Postfix) with ESMTP id 5243DC21FB1; Mon, 12 Nov 2018 21:25:41 +0000 (UTC) Received: by lists.denx.de (Postfix, from userid 105) id 2C047C21FB1; Mon, 12 Nov 2018 21:25:40 +0000 (UTC) Received: from mail-wm1-f66.google.com (mail-wm1-f66.google.com [209.85.128.66]) by lists.denx.de (Postfix) with ESMTPS id CD86AC21E9F for <u-boot@lists.denx.de>; Mon, 12 Nov 2018 21:25:39 +0000 (UTC) Received: by mail-wm1-f66.google.com with SMTP id f1-v6so9728036wmg.1 for <u-boot@lists.denx.de>; Mon, 12 Nov 2018 13:25:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=m3BnTC363XP/nc87USPlihBvW2aO0L4EReuNHhYkxus=; b=Cs+tbUjjguisuiu8x+Sr/UoDOZv2Ictlvyd7t35UVlVfExNmuKegLzaa3y3BHALR+S chrbFvN0ZNhjv0wKkBDhIhLwVmaD/lpVsJ5rAoDytvWKwYKfQ2S+D9i0YNPDIxassIUQ j8yAaJJPLJl5zwCslLoMpOkaO7vfhp52zFDwsAFG8JEEzoojYzTwl3STc8raZhWdt5LL 2fdPiL/N3PA2FIqI7Tba0PCQzRhIJVut49Iug2Uf9gDCPiuHafFUowkcIWhOTU9nJvt1 FGC4udXcCcvkXmNmuf+GQePRl1VfYj5S3/5DHT+LGTeHb9wzMOBOqkoJfac5tgOM0Q/S IwPA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=m3BnTC363XP/nc87USPlihBvW2aO0L4EReuNHhYkxus=; b=UcPg0UlXLb5vf8p3hiEP3XQkf/0BdCokfOC105NwYxNlqMuYcCGjfTfXbGjzq5Buw0 x81QuaIdN1NDy81n7nFApT5jkxaSgtZItw+rp/YhU2sgkEzwNA/czdkYTKDgfJC/7kkk N7/GKy5s00plhQhGdvhVne1GgLV6egrFb/winCL5L38hyV5UGw+/F6TV3FjGwOym6vN2 uVnTILH7a2cMvugjNHS1fHdOKSDLs8rMOov0P2ESYOWlkqQyfBZjFPhRTWBEBJ4jpnoL qZ5VV8LaclFiW4WlNz9P9UQDzGn7TCb8cqqBKKW1sWCOz+5aKXeMROR4pkGQgg2BcvlH 27Mg== X-Gm-Message-State: AGRZ1gLkUWXA15oAfyBZwXxWD8wFQnPauiIDJuKyiYGi5tMkjmM6ANcf 51LCfbOvJfHgngaLEeG33dE= X-Google-Smtp-Source: AJdET5eKRUn2tuTxIGrLwjtu+aLVGYbPo/xDsQzeE0kcIGdtDP0IhFJcAQt9TbGA5I+yQ6D2/gM3YQ== X-Received: by 2002:a1c:cf0d:: with SMTP id f13mr1062128wmg.70.1542057939274; Mon, 12 Nov 2018 13:25:39 -0800 (PST) Received: from ubuntu.home ([2a02:8071:6a3:700:456c:50ae:6b7:768d]) by smtp.gmail.com with ESMTPSA id x14sm742690wrm.65.2018.11.12.13.25.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 12 Nov 2018 13:25:38 -0800 (PST) From: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com> To: Tom Rini <trini@konsulko.com>, u-boot@lists.denx.de Date: Mon, 12 Nov 2018 22:25:28 +0100 Message-Id: <20181112212532.13126-1-simon.k.r.goldschmidt@gmail.com> X-Mailer: git-send-email 2.17.1 Cc: Joe Hershberger <joe.hershberger@ni.com>, Heinrich Schuchardt <xypron.glpk@gmx.de>, Michal Simek <michal.simek@xilinx.com>, Alexander Graf <agraf@suse.de>, Andrea Barisani <andrea.barisani@f-secure.com> Subject: [U-Boot] [PATCH 0/4] Fix CVE-2018-18440 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.18 Precedence: list List-Id: U-Boot discussion <u-boot.lists.denx.de> List-Unsubscribe: <https://lists.denx.de/options/u-boot>, <mailto:u-boot-request@lists.denx.de?subject=unsubscribe> List-Archive: <http://lists.denx.de/pipermail/u-boot/> List-Post: <mailto:u-boot@lists.denx.de> List-Help: <mailto:u-boot-request@lists.denx.de?subject=help> List-Subscribe: <https://lists.denx.de/listinfo/u-boot>, <mailto:u-boot-request@lists.denx.de?subject=subscribe> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de> |
| Series | Fix CVE-2018-18440 | expand |
This series fixes CVE-2018-18440 ("insufficient boundary checks in filesystem image load") by adding restrictions to the 'load' command. The functions from lmb.c are used to setup regions of allowed and reserved memory. Then, the file size to load is checked against these addresses and loading the file is aborted if it would overwrite reserved memory. The memory reservation code is reused from bootm/image. Note that this doesn't yet fix CVE-2018-18439 ("insufficient boundary checks in network image boot"), which is somewhat similar. Note that patman warnings are in old code only or due to adopting the file's coding style. Simon Goldschmidt (4): lib: lmb: reserving overlapping regions should fail lib: lmb: add function lmb_alloc_addr fs: prevent overwriting reserved memory bootm: use new common function lmb_init_and_reserve common/bootm.c | 8 ++------ fs/fs.c | 56 +++++++++++++++++++++++++++++++++++++++++++++++--- include/lmb.h | 3 +++ lib/lmb.c | 42 +++++++++++++++++++++++++++++++++++++ 4 files changed, 100 insertions(+), 9 deletions(-)