From: Wolfgang Denk <wd@denx.de>
To: u-boot@lists.denx.de
Subject: [U-Boot] CVE-2018-18439, CVE-2018-18440 - U-Boot verified boot bypass vulnerabilities
Date: Sun, 11 Nov 2018 15:22:25 +0100 [thread overview]
Message-ID: <20181111142225.B10F5242DCA@gemini.denx.de> (raw)
In-Reply-To: <20181109094615.GC9586@lambda.inversepath.com>
Dear Andrea,
In message <20181109094615.GC9586@lambda.inversepath.com> you wrote:
>
> Exactly, merely checking RAM size is not sufficient. The specific memory
> layout would need to be accounted for which means understanding where the
> stack and heap are located, their direction of growth and to ensure that the
> loaded payload can never overwrite them along with all other U-Boot data
> segments.
This is pretty easy. On all architectures I'm aware of the stack
has the lowest location in memory, and is growing downward.
> This is not easy given that the stack and heap size I think can only be
> guessed and not precisely limited, additionally board configurations have the
> ability to set arbitrary stack, relocation and load addresses which
> complicates things even further in understanding exactly how the memory
> layout is set.
I think this is not that complicated. At least in standard U-Boot
(not speaking for SPL) it should be sufficient to check the current
stack pointer (which is easy to read) and take this a upper limit of
available/allowed memory. If we add some reasonable safety margin
(say, 1 MB or so) we should be really safe.
> > Additionally, your patch checks the loaded file's size without taking
> > the load address into account. So unless I read that wrong, your check
> > is only valid for 'addr == 0'.
The approach is also not appliccable to networ boot; with TFTP we
don't know the image size in advance.
Eventyally the boundary checking should be done where the image
content actually gets copied to memory.
Best regards,
Wolfgang Denk
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
I think it's a new feature. Don't tell anyone it was an accident. :-)
-- Larry Wall on s/foo/bar/eieio in <10911@jpl-devvax.JPL.NASA.GOV>
next prev parent reply other threads:[~2018-11-11 14:22 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-06 14:51 [U-Boot] CVE-2018-18439, CVE-2018-18440 - U-Boot verified boot bypass vulnerabilities Andrea Barisani
2018-11-09 0:37 ` Fabio Estevam
2018-11-09 6:11 ` Simon Goldschmidt
2018-11-09 9:46 ` Andrea Barisani
2018-11-09 10:24 ` Simon Goldschmidt
2018-11-09 21:25 ` Simon Goldschmidt
2018-11-09 22:14 ` Fabio Estevam
2018-11-11 14:22 ` Wolfgang Denk [this message]
2018-11-11 23:21 ` Heinrich Schuchardt
2018-11-12 6:56 ` Simon Goldschmidt
2018-11-12 18:03 ` Heinrich Schuchardt
2018-11-12 18:58 ` Simon Goldschmidt
2018-11-12 8:00 ` Wolfgang Denk
2018-11-13 20:57 ` Simon Goldschmidt
2018-11-14 11:52 ` Andrea Barisani
2018-11-14 12:03 ` Simon Goldschmidt
2018-11-14 14:45 ` Andrea Barisani
2018-11-14 15:13 ` Simon Goldschmidt
2018-11-14 15:26 ` Andrea Barisani
2018-11-14 15:35 ` Daniele Bianco
2018-11-14 15:51 ` Simon Goldschmidt
2018-11-14 19:07 ` Simon Goldschmidt
2018-11-14 23:36 ` Joe Hershberger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181111142225.B10F5242DCA@gemini.denx.de \
--to=wd@denx.de \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox