From mboxrd@z Thu Jan  1 00:00:00 1970
From: Frank Wunderlich <frank-w@public-files.de>
Date: Fri, 21 Dec 2018 14:09:13 +0100
Subject: [U-Boot] [PATCH v9 10/10] arm: bootm: fix sp detection at end
 of address range
In-Reply-To: <CAAh8qsyzoK=BbHCtyUS7VrsWBDnBG7pSj1cWhJBqaYmjSV7txQ@mail.gmail.com>
References: <20181219190009.23265-1-simon.k.r.goldschmidt@gmail.com>
 <20181219190009.23265-11-simon.k.r.goldschmidt@gmail.com>
 <trinity-a3361f32-e9ba-4c44-85be-209569eaa1f5-1545395288949@3c-app-gmx-bs72>
 <CAAh8qsyzoK=BbHCtyUS7VrsWBDnBG7pSj1cWhJBqaYmjSV7txQ@mail.gmail.com>
Message-ID: <trinity-3b64c70a-ee03-4c26-a083-f341454c42d9-1545397753666@3c-app-gmx-bs72>
List-Id: <u-boot.lists.denx.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
To: u-boot@lists.denx.de

just a thought, that someone load a script from tftp (scr) which will be executed locally and imho can also contain mw-commands (like my one adding 0-characters). this can be modified from remote...

i will not say that this have to be done, just a thought :)

for loading from filesystem/fat with modified address there is also the need for local access right? or do you mean that this can be modified (local uenv.txt) from operation system and applied by next reboot?
 
regards Frank
 

Gesendet: Freitag, 21. Dezember 2018 um 13:56 Uhr
Von: "Simon Goldschmidt" <simon.k.r.goldschmidt@gmail.com>

Well, the idea of the CVE was that you can overwrite U-Boot in RAM without actually having access. You "only" need to control the file system or tftp server.
 
When doing 'mw', you actually need to have access to the U-Boot shell. That's a different level. I'm not sure we need to limit access there...