From: Andrea Barisani <andrea.barisani@f-secure.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] CVE-2018-18439, CVE-2018-18440 - U-Boot verified boot bypass vulnerabilities
Date: Fri, 9 Nov 2018 10:46:15 +0100 [thread overview]
Message-ID: <20181109094615.GC9586@lambda.inversepath.com> (raw)
In-Reply-To: <CAAh8qsz2Byvv=F4_Ate0e6q-mJH0G3ci6Yu1DEELMYeBeA6oRg@mail.gmail.com>
On Fri, Nov 09, 2018 at 07:11:36AM +0100, Simon Goldschmidt wrote:
> On Fri, Nov 9, 2018 at 1:37 AM Fabio Estevam <festevam@gmail.com> wrote:
> >
> > Hi Andrea,
> >
> > On Tue, Nov 6, 2018 at 12:57 PM Andrea Barisani
> > <andrea.barisani@f-secure.com> wrote:
> >
> > > # load large file
> > > => ext2load mmc 0 0x60000000 fitimage.itb
> >
> > Does this change work for you?
> > http://dark-code.bulix.org/u6gw3b-499924
>
> My understanding was U-Boot text or stack could get overwritten which
> leads to the loaded bytes being executed as code.
> So you would have to check that the loaded range is within ram but not
> within that reserved range of code or stack (or heap).
>
Exactly, merely checking RAM size is not sufficient. The specific memory
layout would need to be accounted for which means understanding where the
stack and heap are located, their direction of growth and to ensure that the
loaded payload can never overwrite them along with all other U-Boot data
segments.
This is not easy given that the stack and heap size I think can only be
guessed and not precisely limited, additionally board configurations have the
ability to set arbitrary stack, relocation and load addresses which
complicates things even further in understanding exactly how the memory
layout is set.
> Getting this reserved range is what 'boot_start_lmb' does (in
> bootm.c). Maybe this code can be refactored and reused in fs.c to get
> a valid range for loading?
>
> Additionally, your patch checks the loaded file's size without taking
> the load address into account. So unless I read that wrong, your check
> is only valid for 'addr == 0'.
> Plus, the 'bytes' parameter should probably be a restriction to the
> file's size when checking for a valid load range.
>
> Simon
--
Andrea Barisani Head of Hardware Security | F-Secure
Founder | Inverse Path
https://www.f-secure.com https://inversepath.com
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
next prev parent reply other threads:[~2018-11-09 9:46 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-06 14:51 [U-Boot] CVE-2018-18439, CVE-2018-18440 - U-Boot verified boot bypass vulnerabilities Andrea Barisani
2018-11-09 0:37 ` Fabio Estevam
2018-11-09 6:11 ` Simon Goldschmidt
2018-11-09 9:46 ` Andrea Barisani [this message]
2018-11-09 10:24 ` Simon Goldschmidt
2018-11-09 21:25 ` Simon Goldschmidt
2018-11-09 22:14 ` Fabio Estevam
2018-11-11 14:22 ` Wolfgang Denk
2018-11-11 23:21 ` Heinrich Schuchardt
2018-11-12 6:56 ` Simon Goldschmidt
2018-11-12 18:03 ` Heinrich Schuchardt
2018-11-12 18:58 ` Simon Goldschmidt
2018-11-12 8:00 ` Wolfgang Denk
2018-11-13 20:57 ` Simon Goldschmidt
2018-11-14 11:52 ` Andrea Barisani
2018-11-14 12:03 ` Simon Goldschmidt
2018-11-14 14:45 ` Andrea Barisani
2018-11-14 15:13 ` Simon Goldschmidt
2018-11-14 15:26 ` Andrea Barisani
2018-11-14 15:35 ` Daniele Bianco
2018-11-14 15:51 ` Simon Goldschmidt
2018-11-14 19:07 ` Simon Goldschmidt
2018-11-14 23:36 ` Joe Hershberger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181109094615.GC9586@lambda.inversepath.com \
--to=andrea.barisani@f-secure.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox