Allele Security Alert
Arbitrary memory write due to insufficient address validation
NVIDIA Jetson TX1
NVIDIA Jetson TX1 release branch R32 before R32.2 running on Linux for Tegra
NVIDIA Jetson TX1 version R32.2
Proof of concept
NVIDIA Tegra bootloader contains a vulnerability in nvtboot in which the nvtboot-cpu image is loaded without the load address first being validated, which may lead to code execution, denial of service, or escalation of privileges.
After checking the magic in the header, nvtboot reads the entire TBC partition (its size is stored in the GPT) to the address that LoadAddressInsecure points to. If that address points to nvtboot in memory, it is possible to overwrite it, leading to unsigned code execution on the BPMP. This can be used to load the rest of the boot chain without checking the signatures.
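The missing check described above, sketched as an added example (not NVIDIA's code and not taken from the bulletin): before copying a partition, a loader validates the header-supplied load address together with the GPT-supplied size. The memory map, `struct region` and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed memory map, constructed for illustration; not real Tegra values. */
struct region { uint64_t base, size; };
static const struct region LOADER  = { 0x40010000u, 0x00020000u }; /* running loader */
static const struct region ALLOWED = { 0x80000000u, 0x00400000u }; /* next-stage area */

/* True if [base, base+size) lies wholly inside outer. Written with
 * subtractions only, so a huge base or size cannot wrap around. */
static bool region_contains(struct region outer, uint64_t base, uint64_t size)
{
    if (size == 0 || size > outer.size)
        return false;
    if (base < outer.base)
        return false;
    return base - outer.base <= outer.size - size;
}

/* True if [base, base+size) shares at least one byte with r. */
static bool region_overlaps(struct region r, uint64_t base, uint64_t size)
{
    if (size == 0 || r.size == 0)
        return false;
    return base >= r.base ? base - r.base < r.size : r.base - base < size;
}

/* Gate to call before any byte of the partition is copied to memory.
 * load_addr comes from the image header and partition_size from the GPT;
 * both are untrusted at this point in the boot flow. */
bool load_address_ok(uint64_t load_addr, uint64_t partition_size)
{
    if (!region_contains(ALLOWED, load_addr, partition_size))
        return false;
    /* Defence in depth: refuse to overwrite the loader even if the
     * allowed window is ever misconfigured to include it. */
    return !region_overlaps(LOADER, load_addr, partition_size);
}

int main(void)
{
    /* Constructed inputs: one acceptable target, one aimed at the loader. */
    bool good = load_address_ok(0x80000000u, 0x1000u);
    bool bad  = load_address_ok(0x40010000u, 0x1000u);
    return (good && !bad) ? 0 : 1;
}
```

The address and the size have to be checked as one range: a destination that starts inside the permitted window can still run past its end when the size is taken from the GPT unchecked.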
Security Bulletin: NVIDIA Jetson TX1 L4T – July 2019
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: July 25, 2019