summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSimon Goldschmidt <simon.k.r.goldschmidt@gmail.com>2019-01-26 22:13:04 +0100
committerTom Rini <trini@konsulko.com>2019-02-02 08:19:17 -0500
commit9cc2323feebdde500f50f7abb855045dbde765cb (patch)
tree7d4c0bf226c098a560620457a6e4a96321a47bee
parente3b4fc9598388f47632a8c802aaa68b1154526f2 (diff)
downloadu-boot-9cc2323feebdde500f50f7abb855045dbde765cb.tar.gz
lmb: handle more than one DRAM BANK
This fixes the automatic lmb initialization and reservation for boards with more than one DRAM bank. This fixes the CVE-2018-18439 and -18440 fixes that only allowed to load files into the firs DRAM bank from fs and via tftp. Found-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com> Tested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Reviewed-by: Simon Glass <sjg@chromium.org>
-rw-r--r--common/bootm.c4
-rw-r--r--fs/fs.c3
-rw-r--r--include/lmb.h7
-rw-r--r--lib/lmb.c37
-rw-r--r--net/tftp.c3
5 files changed, 41 insertions, 13 deletions
diff --git a/common/bootm.c b/common/bootm.c
index a4618b6d2e..7c7505f092 100644
--- a/common/bootm.c
+++ b/common/bootm.c
@@ -59,8 +59,8 @@ static void boot_start_lmb(bootm_headers_t *images)
mem_start = env_get_bootm_low();
mem_size = env_get_bootm_size();
- lmb_init_and_reserve(&images->lmb, (phys_addr_t)mem_start, mem_size,
- NULL);
+ lmb_init_and_reserve_range(&images->lmb, (phys_addr_t)mem_start,
+ mem_size, NULL);
}
#else
#define lmb_reserve(lmb, base, size)
diff --git a/fs/fs.c b/fs/fs.c
index c05e6c85ed..0e9c2f1062 100644
--- a/fs/fs.c
+++ b/fs/fs.c
@@ -454,8 +454,7 @@ static int fs_read_lmb_check(const char *filename, ulong addr, loff_t offset,
if (len && len < read_len)
read_len = len;
- lmb_init_and_reserve(&lmb, gd->bd->bi_dram[0].start,
- gd->bd->bi_dram[0].size, (void *)gd->fdt_blob);
+ lmb_init_and_reserve(&lmb, gd->bd, (void *)gd->fdt_blob);
lmb_dump_all(&lmb);
if (lmb_alloc_addr(&lmb, addr, read_len) == addr)
diff --git a/include/lmb.h b/include/lmb.h
index e87c0b0ada..3b338dfee0 100644
--- a/include/lmb.h
+++ b/include/lmb.h
@@ -4,6 +4,8 @@
#ifdef __KERNEL__
#include <asm/types.h>
+#include <asm/u-boot.h>
+
/*
* Logical memory blocks.
*
@@ -29,8 +31,9 @@ struct lmb {
};
extern void lmb_init(struct lmb *lmb);
-extern void lmb_init_and_reserve(struct lmb *lmb, phys_addr_t base,
- phys_size_t size, void *fdt_blob);
+extern void lmb_init_and_reserve(struct lmb *lmb, bd_t *bd, void *fdt_blob);
+extern void lmb_init_and_reserve_range(struct lmb *lmb, phys_addr_t base,
+ phys_size_t size, void *fdt_blob);
extern long lmb_add(struct lmb *lmb, phys_addr_t base, phys_size_t size);
extern long lmb_reserve(struct lmb *lmb, phys_addr_t base, phys_size_t size);
extern phys_addr_t lmb_alloc(struct lmb *lmb, phys_size_t size, ulong align);
diff --git a/lib/lmb.c b/lib/lmb.c
index 7aff2c248f..b3b84e4d37 100644
--- a/lib/lmb.c
+++ b/lib/lmb.c
@@ -98,12 +98,8 @@ void lmb_init(struct lmb *lmb)
lmb->reserved.size = 0;
}
-/* Initialize the struct, add memory and call arch/board reserve functions */
-void lmb_init_and_reserve(struct lmb *lmb, phys_addr_t base, phys_size_t size,
- void *fdt_blob)
+static void lmb_reserve_common(struct lmb *lmb, void *fdt_blob)
{
- lmb_init(lmb);
- lmb_add(lmb, base, size);
arch_lmb_reserve(lmb);
board_lmb_reserve(lmb);
@@ -111,6 +107,37 @@ void lmb_init_and_reserve(struct lmb *lmb, phys_addr_t base, phys_size_t size,
boot_fdt_add_mem_rsv_regions(lmb, fdt_blob);
}
+/* Initialize the struct, add memory and call arch/board reserve functions */
+void lmb_init_and_reserve(struct lmb *lmb, bd_t *bd, void *fdt_blob)
+{
+#ifdef CONFIG_NR_DRAM_BANKS
+ int i;
+#endif
+
+ lmb_init(lmb);
+#ifdef CONFIG_NR_DRAM_BANKS
+ for (i = 0; i < CONFIG_NR_DRAM_BANKS; i++) {
+ if (bd->bi_dram[i].size) {
+ lmb_add(lmb, bd->bi_dram[i].start,
+ bd->bi_dram[i].size);
+ }
+ }
+#else
+ if (bd->bi_memsize)
+ lmb_add(lmb, bd->bi_memstart, bd->bi_memsize);
+#endif
+ lmb_reserve_common(lmb, fdt_blob);
+}
+
+/* Initialize the struct, add memory and call arch/board reserve functions */
+void lmb_init_and_reserve_range(struct lmb *lmb, phys_addr_t base,
+ phys_size_t size, void *fdt_blob)
+{
+ lmb_init(lmb);
+ lmb_add(lmb, base, size);
+ lmb_reserve_common(lmb, fdt_blob);
+}
+
/* This routine called with relocation disabled. */
static long lmb_add_region(struct lmb_region *rgn, phys_addr_t base, phys_size_t size)
{
diff --git a/net/tftp.c b/net/tftp.c
index eca801aa19..34488b76c8 100644
--- a/net/tftp.c
+++ b/net/tftp.c
@@ -606,8 +606,7 @@ static int tftp_init_load_addr(void)
struct lmb lmb;
phys_size_t max_size;
- lmb_init_and_reserve(&lmb, gd->bd->bi_dram[0].start,
- gd->bd->bi_dram[0].size, (void *)gd->fdt_blob);
+ lmb_init_and_reserve(&lmb, gd->bd, (void *)gd->fdt_blob);
max_size = lmb_get_free_size(&lmb, load_addr);
if (!max_size)