
On Sat, Jan 26, 2019 at 09:46:35AM +0100, Simon Goldschmidt wrote:
On 26.01.2019 at 04:20, Heinrich Schuchardt wrote:
On 1/14/19 10:38 PM, Simon Goldschmidt wrote:
This fixes CVE-2018-18439 ("insufficient boundary checks in network image boot") by using lmb to check for a valid range to store received blocks.
Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
Hello Simon,
due to this patch, merged as a156c47e39ad7d00, on vexpress_ca15_tc2_defconfig the command 'dhcp filename' always fails. It was working in v2019.01.
Same is true for other platforms, e.g. vexpress_ca9x4_defconfig.
OK, that's probably not expected ;-)
I'd appreciate it if you could continue to track this down to get it fixed.
I put in an extra printf() and got:
TFTP error: trying to overwrite reserved memory... storeaddr 0, tftp_load_addr 0, tftp_load_size 0
I don't know the first. The latter 2 are not initialized yet in this error path and so are expected to be zero here.
Could you run that test again if I sent you a patch enabling required output for me to debug this?
It is not even possible to disable the checks by undefining CONFIG_LMB because a compile error arises without CONFIG_LMB:
cmd/bootz.c:48:21: error: ‘bootm_headers_t’ {aka ‘struct bootm_headers’} has no member named ‘lmb’
I think the code should compile if CONFIG_LMB is undefined.
You're right, it should compile without CONFIG_LMB. It did initially, so I guess that got lost somewhere during all the versions until v10, sorry. I'll work on that.
That might be on me. There were a few cases in the networking code where the patch broke building the existing world.
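
The kind of range check the quoted commit message describes, as an added example that is not U-Boot's code and not part of this thread: a received block is stored only if it fits entirely inside the allowed load window. The names `struct load_window` and `store_block` are hypothetical, and the window is passed in directly here, whereas the fix discussed above derives the valid range from lmb.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the region a network download may write to. */
struct load_window {
    uint8_t *base;  /* start of the load area */
    size_t   size;  /* number of bytes that may be written from base */
};

/*
 * Store one received block at byte `offset` inside the window.
 * Returns 0 on success, -1 if any byte would land outside the window.
 */
static int store_block(const struct load_window *w, size_t offset,
                       const void *src, size_t len)
{
    /* Two comparisons instead of "offset + len > size", so the sum
     * can never wrap around and slip past the check. */
    if (offset > w->size || len > w->size - offset)
        return -1;
    memcpy(w->base + offset, src, len);
    return 0;
}

int main(void)
{
    /* Constructed sample: 1024-byte window followed by 16 guard bytes. */
    static uint8_t mem[1024 + 16];
    uint8_t blk[512];
    struct load_window w = { mem, 1024 };

    memset(mem, 0xAA, sizeof(mem));
    memset(blk, 0x55, sizeof(blk));

    printf("block at 0:        %d\n", store_block(&w, 0, blk, sizeof(blk)));
    printf("block at 512:      %d\n", store_block(&w, 512, blk, sizeof(blk)));
    printf("block at 1024:     %d\n", store_block(&w, 1024, blk, sizeof(blk)));
    printf("block at SIZE_MAX: %d\n", store_block(&w, SIZE_MAX, blk, sizeof(blk)));
    printf("guard byte intact: %d\n", mem[1024] == 0xAA);
    return 0;
}
```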