Allele Security Alert
ASA-2019-00483
Identifier(s)
ASA-2019-00483, CVE-2019-14196
Title
Unbounded memcpy with a failed length check at nfs_lookup_reply()
Vendor(s)
DENX Software Engineering
Product(s)
Das U-Boot
Affected version(s)
Unknown
Fixed version(s)
Unknown
Proof of concept
Unknown
Description
This problem exists in the nfs_lookup_reply() function, which parses an NFS reply received from the network. It reads a 4-byte length field from the reply and uses it as the length for a memcpy in two different locations.
Technical details
A length check is performed to make sure the value is not bigger than the allocated buffer. Unfortunately, the length is held in a signed integer, so a negative value (any 4-byte value with the top bit set) passes the check and is then converted to a very large size_t when passed to memcpy, which leads to a large buffer overflow.
filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
if (filefh3_length > NFS3_FHSIZE)   /* signed compare: a negative length passes */
        filefh3_length = NFS3_FHSIZE;
memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
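The following is an added example, not code from U-Boot or from the advisory authors. It reproduces the signed-length check above as a stand-alone function that returns the byte count memcpy would receive (without performing the copy), places a hardened check beside it, and runs both over constructed NFSv3 reply fragments. The packet layout (a 4-byte big-endian length word followed by the file handle bytes), the fragment contents and the helper names are assumptions made for the example; the hardened version additionally bounds the length by the bytes actually present in the reply, which the page does not discuss but which the same parser would need.

```c
/* Added example (not U-Boot code): the signed-length check from
 * nfs_lookup_reply() reproduced beside a hardened version, exercised on
 * constructed NFSv3 LOOKUP reply fragments. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NFS3_FHSIZE 64

/* Big-endian 32-bit read, standing in for ntohl() on a packet buffer. */
static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable logic: the length is held in a signed int, so a reply word
 * with the top bit set is negative, passes the "> NFS3_FHSIZE" test and is
 * then converted to a huge size_t for memcpy.  `data` points at the length
 * word.  Returns the byte count memcpy would be given, without copying. */
size_t vulnerable_fh_len(const uint8_t *data)
{
    int filefh3_length = (int)load_be32(data); /* wraps to negative on real targets */
    if (filefh3_length > NFS3_FHSIZE)
        filefh3_length = NFS3_FHSIZE;
    return (size_t)filefh3_length;             /* -16 becomes SIZE_MAX - 15 */
}

/* Hardened logic (assumed fix, not the upstream patch): keep the length
 * unsigned, bound it by the destination buffer and by the bytes actually
 * present after the length word, and reject rather than clamp.
 * `avail` is the number of bytes from the length word to the end of the
 * received packet.  Returns the handle length copied, or -1 on rejection. */
int hardened_fh_copy(uint8_t fh[NFS3_FHSIZE], const uint8_t *data, size_t avail)
{
    if (avail < 4)
        return -1;
    uint32_t len = load_be32(data);
    if (len > NFS3_FHSIZE || len > avail - 4)
        return -1;
    memcpy(fh, data + 4, len);
    return (int)len;
}

/* Constructed reply fragments: length word followed by handle bytes. */
static const uint8_t benign_reply[4 + 32]  = { 0x00, 0x00, 0x00, 0x20 }; /* len 32 */
static const uint8_t evil_reply[4 + 8]     = { 0xff, 0xff, 0xff, 0xf0 }; /* -16 as int */
static const uint8_t oversize_reply[4 + 8] = { 0x00, 0x00, 0x00, 0x80 }; /* 128 > 64 */
static const uint8_t short_reply[4 + 8]    = { 0x00, 0x00, 0x00, 0x20 }; /* claims 32, has 8 */

/* Convenience wrapper around the hardened check with a scratch handle buffer. */
static uint8_t g_fh[NFS3_FHSIZE];
int check_reply(const uint8_t *reply, size_t len)
{
    return hardened_fh_copy(g_fh, reply, len);
}

int main(void)
{
    printf("benign:   vulnerable would copy %zu bytes, hardened returns %d\n",
           vulnerable_fh_len(benign_reply), check_reply(benign_reply, sizeof benign_reply));
    printf("negative: vulnerable would copy %zu bytes, hardened returns %d\n",
           vulnerable_fh_len(evil_reply), check_reply(evil_reply, sizeof evil_reply));
    printf("oversize: vulnerable would copy %zu bytes, hardened returns %d\n",
           vulnerable_fh_len(oversize_reply), check_reply(oversize_reply, sizeof oversize_reply));
    printf("short:    vulnerable would copy %zu bytes, hardened returns %d\n",
           vulnerable_fh_len(short_reply), check_reply(short_reply, sizeof short_reply));
    return 0;
}
```

The "short" fragment shows why clamping alone is not enough even once the sign issue is fixed: a length of 32 passes the NFS3_FHSIZE test but the reply only carries 8 bytes, so the copy would read past the received packet. Bounding the length by what was actually received closes both cases.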
Credits
Fermín Serna, Pavel Avgustinov and Kevin Backhouse
Reference(s)
U-Boot RCE Vulnerabilities Affecting IoT Devices
https://blog.semmle.com/uboot-remote-code-execution-vulnerability/
U-Boot NFS RCE Vulnerabilities (CVE-2019-14192)
https://blog.semmle.com/uboot-rce-nfs-vulnerability/
[U-Boot] Remote code execution vulnerabilities in U-Boot’s NFS and other IP parsing code
https://lists.denx.de/pipermail/u-boot/2019-July/378001.html
CVE-2019-14196
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14196
CVE-2019-14196
https://nvd.nist.gov/vuln/detail/CVE-2019-14196
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: August 8, 2019