On Mon, Oct 17, 2022 at 09:52:51AM +0200, Rasmus Villemoes wrote:
> With a suitable sequence of malicious packets, it's currently possible
> to get a hole descriptor to contain arbitrary attacker-controlled
> contents, and then with one more packet to use that as an arbitrary
> write vector.
>
> While one could possibly change the algorithm so we instead loop over
> all holes, and in each hole put as much of the current fragment as
> belongs there (taking care to carefully update the hole list as
> appropriate), it's not worth the complexity: In real, non-malicious
> scenarios, one never gets overlapping fragments, and certainly not
> fragments that would be supersets of one another.
>
> So instead opt for this simple protection: Simply don't allow the
> eventual memcpy() to write beyond the last_byte of the current hole.
>
> Signed-off-by: Rasmus Villemoes <rasmus.villem...@prevas.dk>
Applied to u-boot/master, thanks!

-- 
Tom
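Added illustration, not U-Boot's code: a minimal fragment-reassembly model with a hole list, where the copy into the buffer is clamped to the current hole's last_byte as the commit message describes. Keeping the hole table in a separate array, the buffer size and the "drop a fragment that starts in no hole" policy are assumptions of this model.

```c
#include <stdint.h>
#include <string.h>

#define BUF_LEN   32   /* constructed: tiny reassembly buffer */
#define MAX_HOLES  8
struct hole { int first_byte, last_byte; };   /* inclusive byte range */
struct reasm {
    uint8_t     buf[BUF_LEN];
    struct hole holes[MAX_HOLES];              /* assumption: kept out-of-band */
    int         nholes;
};

void reasm_init(struct reasm *r, int total_len)
{
    memset(r, 0, sizeof(*r));
    r->holes[r->nholes++] = (struct hole){ 0, total_len - 1 };
}

/* Copy fragment [off, off+len) into the hole containing off. Returns bytes
 * written, or -1 if dropped (starts in no hole, bad length, table full). */
int reasm_add(struct reasm *r, int off, const uint8_t *data, int len)
{
    if (len <= 0)
        return -1;
    for (int i = 0; i < r->nholes; i++) {
        struct hole *h = &r->holes[i];
        if (off < h->first_byte || off > h->last_byte)
            continue;
        int end = off + len - 1;                 /* last byte the fragment claims */
        if (end > h->last_byte) {                /* the fix: clamp to the hole */
            end = h->last_byte;
            len = end - off + 1;
        }
        int splits = off > h->first_byte && end < h->last_byte;
        if (splits && r->nholes == MAX_HOLES)
            return -1;
        memcpy(r->buf + off, data, len);         /* cannot overrun the hole now */
        if (splits) {                            /* unfilled space on both sides */
            r->holes[r->nholes++] = (struct hole){ end + 1, h->last_byte };
            h->last_byte = off - 1;
        } else if (off == h->first_byte && end == h->last_byte) {
            r->holes[i] = r->holes[--r->nholes]; /* hole completely filled */
        } else if (off == h->first_byte) {
            h->first_byte = end + 1;
        } else {
            h->last_byte = off - 1;
        }
        return len;
    }
    return -1;
}
```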