
fs: prevent overwriting reserved memory

This fixes CVE-2018-18440 ("insufficient boundary checks in filesystem
image load") by using lmb to check the load size of a file against
reserved memory addresses.

Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Simon Goldschmidt
2019-01-14 22:38:19 +01:00
committed by Tom Rini
parent 4cc8af8037
commit aa3c609e2b
3 changed files with 68 additions and 3 deletions

56
fs/fs.c

@@ -429,13 +429,57 @@ int fs_size(const char *filename, loff_t *size)
return ret;
}
int fs_read(const char *filename, ulong addr, loff_t offset, loff_t len,
loff_t *actread)
#ifdef CONFIG_LMB
/* Check if a file may be read to the given address */
static int fs_read_lmb_check(const char *filename, ulong addr, loff_t offset,
loff_t len, struct fstype_info *info)
{
struct lmb lmb;
int ret;
loff_t size;
loff_t read_len;
/* get the actual size of the file */
ret = info->size(filename, &size);
if (ret)
return ret;
if (offset >= size) {
/* offset >= EOF, no bytes will be written */
return 0;
}
read_len = size - offset;
/* limit to 'len' if it is smaller */
if (len && len < read_len)
read_len = len;
lmb_init_and_reserve(&lmb, gd->bd->bi_dram[0].start,
gd->bd->bi_dram[0].size, (void *)gd->fdt_blob);
lmb_dump_all(&lmb);
if (lmb_alloc_addr(&lmb, addr, read_len) == addr)
return 0;
printf("** Reading file would overwrite reserved memory **\n");
return -ENOSPC;
}
#endif
static int _fs_read(const char *filename, ulong addr, loff_t offset, loff_t len,
int do_lmb_check, loff_t *actread)
{
struct fstype_info *info = fs_get_info(fs_type);
void *buf;
int ret;
#ifdef CONFIG_LMB
if (do_lmb_check) {
ret = fs_read_lmb_check(filename, addr, offset, len, info);
if (ret)
return ret;
}
#endif
/*
* We don't actually know how many bytes are being read, since len==0
* means read the whole file.
@@ -452,6 +496,12 @@ int fs_read(const char *filename, ulong addr, loff_t offset, loff_t len,
return ret;
}
int fs_read(const char *filename, ulong addr, loff_t offset, loff_t len,
loff_t *actread)
{
return _fs_read(filename, addr, offset, len, 0, actread);
}
int fs_write(const char *filename, ulong addr, loff_t offset, loff_t len,
loff_t *actwrite)
{
@@ -622,7 +672,7 @@ int do_load(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[],
pos = 0;
time = get_timer(0);
ret = fs_read(filename, addr, pos, bytes, &len_read);
ret = _fs_read(filename, addr, pos, bytes, 1, &len_read);
time = get_timer(time);
if (ret < 0)
return 1;
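Review bot: The reserved-memory check is opt-in, because the public `fs_read()` wrapper passes `0` for `do_lmb_check`; only the `do_load` call site gets the CVE-2018-18440 protection, and any other caller of `fs_read()` (none are visible in this section) still writes to `addr` unchecked. In `_fs_read` the flag is also silently ignored when `CONFIG_LMB` is not defined, so on such builds `do_load` performs no bounds check either. I would state both limits on the wrapper, e.g. `/* No reserved-memory check here (and none at all without CONFIG_LMB); use _fs_read(..., 1, ...) when addr is user-supplied */`. Separately, `fs_read_lmb_check` seeds the lmb only from `gd->bd->bi_dram[0]`, so a load address in another DRAM bank would presumably be rejected with `-ENOSPC`; that is worth confirming on multi-bank boards. The body of `_fs_read` continues outside the first hunk, so the actual read path is not visible here.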