ASA-2019-00481 – Das U-Boot: Unbounded memcpy with a failed length check at nfs_read_reply()/store_block()

Allele Security Alert



ASA-2019-00481, CVE-2019-14194


Unbounded memcpy with a failed length check at nfs_read_reply()/store_block()


DENX Software Engineering


Das U-Boot

Affected version(s)


Fixed version(s)


Proof of concept



The problem exists in the NFSv2 case of the function nfs_read_reply(), when reading a file and storing it into another medium (flash or physical memory) for later processing. Both the data and its length are fully controlled by the attacker and are never validated.

Technical details

static int nfs_read_reply(uchar *pkt, unsigned len)
{
    [...]

    if (supported_nfs_versions & NFSV2_FLAG) {
        rlen = ntohl(rpc_pkt.u.reply.data[18]); // <-- rlen is attacker-controlled and could be 0xFFFFFFFF
        data_ptr = (uchar *)&(rpc_pkt.u.reply.data[19]);
    } else {  /* NFSV3_FLAG */
        int nfsv3_data_offset =
            nfs3_get_attributes_offset(rpc_pkt.u.reply.data);

        /* count value */
        rlen = ntohl(rpc_pkt.u.reply.data[1 + nfsv3_data_offset]); // <-- rlen is attacker-controlled
        /* Skip unused values :
            EOF:        32 bits value,
            data_size:  32 bits value,
        */
        data_ptr = (uchar *)
            &(rpc_pkt.u.reply.data[4 + nfsv3_data_offset]);
    }

    if (store_block(data_ptr, nfs_offset, rlen)) // <-- We pass to store_block a source pointer and a length controlled by the attacker
        return -9999;

    [...]
}


Focusing on the physical-memory part of the store_block() function: it attempts to map the destination using the arch-specific function map_physmem(), which ends up calling phys_to_virt(). As the x86 implementation shows, when mapping physical memory it ignores the length entirely and hands back a raw pointer, without checking whether the surrounding areas are reserved for other purposes.

static inline void *phys_to_virt(phys_addr_t paddr)
{
    return (void *)(unsigned long)paddr;
}

static inline int store_block(uchar *src, unsigned offset, unsigned len)
{
    [...]
    void *ptr = map_sysmem(load_addr + offset, len); // <-- essentially this is ptr = load_addr + offset
    memcpy(ptr, src, len); // <-- unrestricted overflow happens here
    [...]
}
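The length check that the store_block() path lacks, as an added C example that is neither U-Boot's code nor its actual patch: it models the NFSv2 word layout quoted above (count in word 18, file data from word 19) and rejects a count larger than the bytes actually received or the space left in the load area. nfs_read_reply_bounded(), scenario(), LOAD_AREA_SIZE and the 16-byte constructed reply are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* NFSv2 READ reply layout as quoted in the advisory: 32-bit big-endian
 * words, count in word 18, file data starting at word 19. */
#define NFSV2_COUNT_WORD 18
#define NFSV2_DATA_WORD  19
#define LOAD_AREA_SIZE   64 /* constructed stand-in for the load region */

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void write_be32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Bounded replacement for the rlen -> store_block() path: the count must fit
 * both the bytes received and the remaining destination space.
 * Returns the number of bytes stored, or -1 when the reply is rejected. */
int nfs_read_reply_bounded(const uint8_t *pkt, size_t pkt_len,
                           uint8_t *dst, size_t dst_cap, size_t offset)
{
    size_t data_off = NFSV2_DATA_WORD * 4;
    uint32_t rlen;
    if (pkt_len < data_off)
        return -1;                  /* reply too short to hold the header */
    rlen = read_be32(pkt + NFSV2_COUNT_WORD * 4);
    if (rlen > pkt_len - data_off)
        return -1;                  /* count claims more than arrived */
    if (offset > dst_cap || rlen > dst_cap - offset)
        return -1;                  /* would write past the load area */
    memcpy(dst + offset, pkt + data_off, rlen);
    return (int)rlen;
}

/* Builds a constructed reply carrying 16 bytes of data but advertising
 * `claimed` in the count word, then tries to store it at `offset`. */
int scenario(uint32_t claimed, size_t offset)
{
    uint8_t pkt[NFSV2_DATA_WORD * 4 + 16] = {0};
    uint8_t load_area[LOAD_AREA_SIZE] = {0};
    write_be32(pkt + NFSV2_COUNT_WORD * 4, claimed);
    memset(pkt + NFSV2_DATA_WORD * 4, 0xAB, 16);
    return nfs_read_reply_bounded(pkt, sizeof pkt, load_area, sizeof load_area, offset);
}
```

An honest reply whose count matches its payload is stored; a reply advertising 0xFFFFFFFF, or any count beyond the bytes on the wire or the load area, is refused before memcpy() runs.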




Fermín Serna, Pavel Avgustinov and Kevin Backhouse


U-Boot RCE Vulnerabilities Affecting IoT Devices

U-Boot NFS RCE Vulnerabilities (CVE-2019-14192)

[U-Boot] Remote code execution vulnerabilities in U-Boot’s NFS and other IP parsing code



If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: August 8, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.