diff options
| author | Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com> | 2019-01-14 22:38:19 +0100 |
|---|---|---|
| committer | Tom Rini <trini@konsulko.com> | 2019-01-16 16:37:05 -0500 |
| commit | aa3c609e2be5a837e7b81e308d47f55b67666bd6 (patch) | |
| tree | 4e1e3090b5ec43ed88cc2790c080b2a790679d78 /lib/lmb.c | |
| parent | 4cc8af8037ebabd674d0a6bed202b0c711dc7699 (diff) | |
| download | u-boot-aa3c609e2be5a837e7b81e308d47f55b67666bd6.tar.gz u-boot-aa3c609e2be5a837e7b81e308d47f55b67666bd6.tar.bz2 u-boot-aa3c609e2be5a837e7b81e308d47f55b67666bd6.zip | |
fs: prevent overwriting reserved memory
This fixes CVE-2018-18440 ("insufficient boundary checks in filesystem
image load") by using lmb to check the load size of a file against
reserved memory addresses.
Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'lib/lmb.c')
| -rw-r--r-- | lib/lmb.c | 13 |
1 files changed, 13 insertions, 0 deletions
@@ -98,6 +98,19 @@ void lmb_init(struct lmb *lmb) lmb->reserved.size = 0; } +/* Initialize the struct, add memory and call arch/board reserve functions */ +void lmb_init_and_reserve(struct lmb *lmb, phys_addr_t base, phys_size_t size, + void *fdt_blob) +{ + lmb_init(lmb); + lmb_add(lmb, base, size); + arch_lmb_reserve(lmb); + board_lmb_reserve(lmb); + + if (IMAGE_ENABLE_OF_LIBFDT && fdt_blob) + boot_fdt_add_mem_rsv_regions(lmb, fdt_blob); +} + /* This routine called with relocation disabled. */ static long lmb_add_region(struct lmb_region *rgn, phys_addr_t base, phys_size_t size) { |