From: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH v10 06/10] fs: prevent overwriting reserved memory
Date: Mon, 14 Jan 2019 22:38:19 +0100 [thread overview]
Message-ID: <20190114213823.32486-7-simon.k.r.goldschmidt@gmail.com> (raw)
In-Reply-To: <20190114213823.32486-1-simon.k.r.goldschmidt@gmail.com>
This fixes CVE-2018-18440 ("insufficient boundary checks in filesystem
image load") by using lmb to check the load size of a file against
reserved memory addresses.
Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
Changes in v10:
- return -ENOSPC from fs_read when read to reserved memory is rejected
- add reviewed-by
Changes in v9: None
Changes in v8: None
Changes in v7: None
Changes in v6:
- fixed NULL pointer access in 'fdt_blob' passed to
'boot_fdt_add_mem_rsv_regions'
Changes in v5: None
Changes in v4: None
Changes in v2: None
fs/fs.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++---
include/lmb.h | 2 ++
lib/lmb.c | 13 ++++++++++++
3 files changed, 68 insertions(+), 3 deletions(-)
diff --git a/fs/fs.c b/fs/fs.c
index cb265174e2..7fd22101ef 100644
--- a/fs/fs.c
+++ b/fs/fs.c
@@ -429,13 +429,57 @@ int fs_size(const char *filename, loff_t *size)
return ret;
}
-int fs_read(const char *filename, ulong addr, loff_t offset, loff_t len,
- loff_t *actread)
+#ifdef CONFIG_LMB
+/* Check if a file may be read to the given address */
+static int fs_read_lmb_check(const char *filename, ulong addr, loff_t offset,
+ loff_t len, struct fstype_info *info)
+{
+ struct lmb lmb;
+ int ret;
+ loff_t size;
+ loff_t read_len;
+
+ /* get the actual size of the file */
+ ret = info->size(filename, &size);
+ if (ret)
+ return ret;
+ if (offset >= size) {
+ /* offset >= EOF, no bytes will be written */
+ return 0;
+ }
+ read_len = size - offset;
+
+ /* limit to 'len' if it is smaller */
+ if (len && len < read_len)
+ read_len = len;
+
+ lmb_init_and_reserve(&lmb, gd->bd->bi_dram[0].start,
+ gd->bd->bi_dram[0].size, (void *)gd->fdt_blob);
+ lmb_dump_all(&lmb);
+
+ if (lmb_alloc_addr(&lmb, addr, read_len) == addr)
+ return 0;
+
+ printf("** Reading file would overwrite reserved memory **\n");
+ return -ENOSPC;
+}
+#endif
+
+static int _fs_read(const char *filename, ulong addr, loff_t offset, loff_t len,
+ int do_lmb_check, loff_t *actread)
{
struct fstype_info *info = fs_get_info(fs_type);
void *buf;
int ret;
+#ifdef CONFIG_LMB
+ if (do_lmb_check) {
+ ret = fs_read_lmb_check(filename, addr, offset, len, info);
+ if (ret)
+ return ret;
+ }
+#endif
+
/*
* We don't actually know how many bytes are being read, since len==0
* means read the whole file.
@@ -452,6 +496,12 @@ int fs_read(const char *filename, ulong addr, loff_t offset, loff_t len,
return ret;
}
+int fs_read(const char *filename, ulong addr, loff_t offset, loff_t len,
+ loff_t *actread)
+{
+ return _fs_read(filename, addr, offset, len, 0, actread);
+}
+
int fs_write(const char *filename, ulong addr, loff_t offset, loff_t len,
loff_t *actwrite)
{
@@ -622,7 +672,7 @@ int do_load(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[],
pos = 0;
time = get_timer(0);
- ret = fs_read(filename, addr, pos, bytes, &len_read);
+ ret = _fs_read(filename, addr, pos, bytes, 1, &len_read);
time = get_timer(time);
if (ret < 0)
return 1;
diff --git a/include/lmb.h b/include/lmb.h
index 7d7e2a78dc..62da85e716 100644
--- a/include/lmb.h
+++ b/include/lmb.h
@@ -31,6 +31,8 @@ struct lmb {
extern struct lmb lmb;
extern void lmb_init(struct lmb *lmb);
+extern void lmb_init_and_reserve(struct lmb *lmb, phys_addr_t base,
+ phys_size_t size, void *fdt_blob);
extern long lmb_add(struct lmb *lmb, phys_addr_t base, phys_size_t size);
extern long lmb_reserve(struct lmb *lmb, phys_addr_t base, phys_size_t size);
extern phys_addr_t lmb_alloc(struct lmb *lmb, phys_size_t size, ulong align);
diff --git a/lib/lmb.c b/lib/lmb.c
index e380a0a722..3407705fa7 100644
--- a/lib/lmb.c
+++ b/lib/lmb.c
@@ -98,6 +98,19 @@ void lmb_init(struct lmb *lmb)
lmb->reserved.size = 0;
}
+/* Initialize the struct, add memory and call arch/board reserve functions */
+void lmb_init_and_reserve(struct lmb *lmb, phys_addr_t base, phys_size_t size,
+ void *fdt_blob)
+{
+ lmb_init(lmb);
+ lmb_add(lmb, base, size);
+ arch_lmb_reserve(lmb);
+ board_lmb_reserve(lmb);
+
+ if (IMAGE_ENABLE_OF_LIBFDT && fdt_blob)
+ boot_fdt_add_mem_rsv_regions(lmb, fdt_blob);
+}
+
/* This routine called with relocation disabled. */
static long lmb_add_region(struct lmb_region *rgn, phys_addr_t base, phys_size_t size)
{
--
2.17.1
next prev parent reply other threads:[~2019-01-14 21:38 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-14 21:38 [U-Boot] [PATCH v10 00/10] Fix CVE-2018-18440 and CVE-2018-18439 Simon Goldschmidt
2019-01-14 21:38 ` [U-Boot] [PATCH v10 01/10] test: add test for lib/lmb.c Simon Goldschmidt
2019-01-17 22:44 ` [U-Boot] [U-Boot,v10,01/10] " Tom Rini
2019-01-14 21:38 ` [U-Boot] [PATCH v10 02/10] lmb: fix allocation at end of address range Simon Goldschmidt
2019-01-16 21:34 ` Simon Glass
2019-01-17 22:44 ` [U-Boot] [U-Boot, v10, " Tom Rini
2019-01-14 21:38 ` [U-Boot] [PATCH v10 03/10] lib: lmb: reserving overlapping regions should fail Simon Goldschmidt
2019-01-16 21:34 ` Simon Glass
2019-01-17 22:44 ` [U-Boot] [U-Boot, v10, " Tom Rini
2019-01-14 21:38 ` [U-Boot] [PATCH v10 04/10] fdt: parse "reserved-memory" for memory reservation Simon Goldschmidt
2019-01-17 22:44 ` [U-Boot] [U-Boot, v10, " Tom Rini
2019-03-05 23:26 ` Eugeniu Rosca
2019-03-05 23:36 ` Marek Vasut
2019-01-14 21:38 ` [U-Boot] [PATCH v10 05/10] lib: lmb: extend lmb for checks at load time Simon Goldschmidt
2019-01-16 21:34 ` Simon Glass
2019-01-16 21:44 ` Simon Goldschmidt
2019-01-16 21:49 ` Tom Rini
2019-01-16 21:51 ` Simon Glass
2019-01-17 22:44 ` [U-Boot] [U-Boot, v10, " Tom Rini
2019-01-14 21:38 ` Simon Goldschmidt [this message]
2019-01-17 22:44 ` [U-Boot] [U-Boot, v10, 06/10] fs: prevent overwriting reserved memory Tom Rini
2019-01-14 21:38 ` [U-Boot] [PATCH v10 07/10] bootm: use new common function lmb_init_and_reserve Simon Goldschmidt
2019-01-17 22:44 ` [U-Boot] [U-Boot, v10, " Tom Rini
2019-01-14 21:38 ` [U-Boot] [PATCH v10 08/10] lmb: remove unused extern declaration Simon Goldschmidt
2019-01-16 21:34 ` Simon Glass
2019-01-17 22:44 ` [U-Boot] [U-Boot, v10, " Tom Rini
2019-01-14 21:38 ` [U-Boot] [PATCH v10 09/10] tftp: prevent overwriting reserved memory Simon Goldschmidt
2019-01-17 22:44 ` [U-Boot] [U-Boot, v10, " Tom Rini
2019-01-26 3:20 ` Heinrich Schuchardt
2019-01-26 8:46 ` Simon Goldschmidt
2019-01-26 9:56 ` Heinrich Schuchardt
2019-01-26 13:25 ` Heinrich Schuchardt
2019-01-26 21:20 ` Simon Goldschmidt
2019-01-26 13:17 ` Tom Rini
2019-01-26 21:15 ` Simon Goldschmidt
2019-01-14 21:38 ` [U-Boot] [PATCH v10 10/10] arm: bootm: fix sp detection at end of address range Simon Goldschmidt
2019-01-17 22:44 ` [U-Boot] [U-Boot, v10, " Tom Rini
2019-01-14 22:54 ` [U-Boot] [PATCH v10 00/10] Fix CVE-2018-18440 and CVE-2018-18439 Tom Rini
2019-01-15 5:08 ` Simon Goldschmidt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190114213823.32486-7-simon.k.r.goldschmidt@gmail.com \
--to=simon.k.r.goldschmidt@gmail.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox