Allele Security Alert
ASA-2019-00482
Identifier(s)
ASA-2019-00482, CVE-2019-14195
Title
Unbounded memcpy with an unvalidated length at nfs_readlink_reply()
Vendor(s)
DENX Software Engineering
Product(s)
Das U-Boot
Affected version(s)
Unknown
Fixed version(s)
Unknown
Proof of concept
Unknown
Description
There is an unbounded memcpy with an unvalidated length at nfs_readlink_reply(), in the else block after calculating the new path length.
Technical details
The problem is in the nfs_readlink_reply() function, which parses an NFS READLINK reply received from the network. It reads a 4-byte big-endian length (rlen) out of the reply and, without validating it against either the number of bytes actually received or the size of the destination buffer, uses it as the length of a memcpy into nfs_path. The same unchecked rlen is used in both branches of the if/else below; this advisory covers the else branch, taken when the returned path begins with '/', where rlen is also used as the index of the terminating NUL store.

    static int nfs_readlink_reply(uchar *pkt, unsigned len)
    {
        [...]
        /* new path length */
        rlen = ntohl(rpc_pkt.u.reply.data[1 + nfsv3_data_offset]);

        if (*((char *)&(rpc_pkt.u.reply.data[2 + nfsv3_data_offset])) != '/') {
            int pathlen;

            strcat(nfs_path, "/");
            pathlen = strlen(nfs_path);
            memcpy(nfs_path + pathlen,
                   (uchar *)&(rpc_pkt.u.reply.data[2 + nfsv3_data_offset]),
                   rlen);
            nfs_path[pathlen + rlen] = 0;
        } else {
            memcpy(nfs_path,
                   (uchar *)&(rpc_pkt.u.reply.data[2 + nfsv3_data_offset]),
                   rlen);
            nfs_path[rlen] = 0;
        }
        return 0;
    }

The destination buffer nfs_path is a global buffer of 2048 bytes. Because rlen is a 32-bit value taken straight from the reply, a malicious NFS server, or anyone able to inject replies on the boot network, can claim any length; a length that does not fit in the space remaining in nfs_path overflows the buffer, and the NUL store at nfs_path[rlen] lands out of bounds as well.
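The following is an added example, not code from U-Boot and not the upstream fix referenced below. It models the vulnerable shape of nfs_readlink_reply() next to a hardened version that validates rlen against both the bytes actually received and the room left in the 2048-byte nfs_path buffer before copying, and exercises it with constructed replies. Assumptions: an NFSv2 reply layout (nfsv3_data_offset == 0, so the length word is data[1] and the path starts at data[2]); load_be32()/store_be32() stand in for ntohl()/htonl(); the feed() harness and its sample paths are invented for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFS_PATH_SIZE 2048 /* size of U-Boot's global nfs_path buffer, per the advisory */
#define READLINK_HDR 8     /* data[0] status word + data[1] length; NFSv2 layout assumed */

static char nfs_path[NFS_PATH_SIZE]; /* modelled on U-Boot's global nfs_path */
static uint8_t pkt[4096];            /* constructed reply buffer used by the harness */

/* Local stand-ins for ntohl()/htonl() so the example needs no network headers. */
static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void store_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Shape of the vulnerable code, kept for contrast and only ever given a benign
 * reply here: rlen comes straight from the packet and bounds nothing. */
static int nfs_readlink_reply_vulnerable(const uint8_t *reply, size_t len)
{
    uint32_t rlen = load_be32(reply + 4);
    const char *p = (const char *)reply + READLINK_HDR;

    (void)len;                               /* never consulted: that is the bug */
    if (p[0] != '/') {
        strcat(nfs_path, "/");
        size_t pathlen = strlen(nfs_path);
        memcpy(nfs_path + pathlen, p, rlen); /* unbounded copy, if branch */
        nfs_path[pathlen + rlen] = 0;
    } else {
        memcpy(nfs_path, p, rlen);           /* unbounded copy, else branch */
        nfs_path[rlen] = 0;
    }
    return 0;
}

/* Hardened version (added example, not the upstream patch): rlen must fit both
 * the bytes actually received and the room left in nfs_path, and nfs_path is
 * left untouched until every check has passed. Returns 0, or -1 if rejected. */
static int nfs_readlink_reply_checked(const uint8_t *reply, size_t len)
{
    if (len < READLINK_HDR + 1)              /* header plus at least one path byte */
        return -1;
    uint32_t rlen = load_be32(reply + 4);
    const char *p = (const char *)reply + READLINK_HDR;
    if (rlen == 0 || rlen > len - READLINK_HDR) /* path must lie inside the packet */
        return -1;

    if (p[0] != '/') {
        size_t pathlen = strlen(nfs_path);
        if (pathlen + 1 + rlen + 1 > NFS_PATH_SIZE) /* "/" + path + NUL */
            return -1;
        nfs_path[pathlen++] = '/';
        memcpy(nfs_path + pathlen, p, rlen);
        nfs_path[pathlen + rlen] = 0;
    } else {
        if (rlen + 1 > NFS_PATH_SIZE)        /* path + NUL */
            return -1;
        memcpy(nfs_path, p, rlen);
        nfs_path[rlen] = 0;
    }
    return 0;
}

/* Harness: seed nfs_path with `initial`, build a reply whose header claims
 * `claimed_rlen` while carrying `path_len` bytes of `path` (a hostile server
 * can make the two disagree; path == NULL means `path_len` bytes of 'A'),
 * then run the checked parser on it. */
static int feed(const char *initial, uint32_t claimed_rlen,
                const char *path, size_t path_len)
{
    strncpy(nfs_path, initial, NFS_PATH_SIZE - 1);
    nfs_path[NFS_PATH_SIZE - 1] = 0;
    store_be32(pkt, 0);                      /* status word */
    store_be32(pkt + 4, claimed_rlen);
    if (path)
        memcpy(pkt + READLINK_HDR, path, path_len);
    else
        memset(pkt + READLINK_HDR, 'A', path_len); /* synthetic long path */
    return nfs_readlink_reply_checked(pkt, READLINK_HDR + path_len);
}

int main(void)
{
    int rc = feed("/srv/tftp", 6, "zImage", 6);
    printf("relative link: %d -> %s\n", rc, nfs_path);
    strcpy(nfs_path, "/srv/tftp");           /* vulnerable code, same benign reply */
    rc = nfs_readlink_reply_vulnerable(pkt, READLINK_HDR + 6);
    printf("vulnerable, benign: %d -> %s\n", rc, nfs_path);
    rc = feed("/srv/tftp", 7, "/zImage", 7);
    printf("absolute link: %d -> %s\n", rc, nfs_path);
    rc = feed("/srv/tftp", 0xffffff00u, "zImage", 6);
    printf("lying rlen: %d -> %s\n", rc, nfs_path);
    rc = feed("/srv/tftp", 3000, NULL, 3000);
    printf("3000-byte path: %d -> %s\n", rc, nfs_path);
    return 0;
}
```

Two details of the hardened version are worth keeping in mind when reviewing a real fix: the packet-length check has to come before any use of rlen (a claimed length larger than the received data is a read overflow even before the write), and the strcat() in the original mutates nfs_path before the length is known, so a correct fix must either check first or tolerate the extra '/' on rejection.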
Credits
Fermín Serna, Pavel Avgustinov and Kevin Backhouse
Reference(s)
U-Boot RCE Vulnerabilities Affecting IoT Devices
https://blog.semmle.com/uboot-remote-code-execution-vulnerability/
U-Boot NFS RCE Vulnerabilities (CVE-2019-14192)
https://blog.semmle.com/uboot-rce-nfs-vulnerability/
[U-Boot] Remote code execution vulnerabilities in U-Boot’s NFS and other IP parsing code
https://lists.denx.de/pipermail/u-boot/2019-July/378001.html
CVE-2019-14195
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14195
CVE-2019-14195
https://nvd.nist.gov/vuln/detail/CVE-2019-14195
If you find any error in this alert or would like a comprehensive analysis, let us know.
Last modified: August 8, 2019