Allele Security Alert
Unbounded memcpy with a failed length check at nfs_lookup_reply()
DENX Software Engineering
Proof of concept
This problem exists in the nfs_lookup_reply() function, which parses an NFS reply coming from the network. It reads 4 bytes from the reply and uses them as the length for a memcpy() in two different locations.
A length check is made to ensure the value is not bigger than the allocated buffer. Unfortunately, because the length is held in a signed integer, this check can be bypassed with a negative value, which later leads to a large buffer overflow.
    /* NFSv3 path of nfs_lookup_reply(): the length word is taken from the reply */
    filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
    /* only the upper bound is checked; a negative value passes straight through */
    if (filefh3_length > NFS3_FHSIZE)
        filefh3_length = NFS3_FHSIZE;
    /* a negative length is converted to a huge size_t here */
    memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
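As an added illustration (not code from this alert or from U-Boot), the following places the length check as described above beside a hardened variant and evaluates both on constructed reply bytes. The names load_be32, vulnerable_fh_len, safe_fh_copy and the sample replies are assumptions made here, and the hardened check is one reasonable fix, not U-Boot's actual patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NFS3_FHSIZE 64

/* Read a big-endian 32-bit field, as ntohl() does on the raw reply words. */
static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The check as the alert describes it: the length lands in a signed int and
 * only the upper bound is tested. Returns the size memcpy() would receive. */
size_t vulnerable_fh_len(const uint8_t *reply)
{
    int filefh3_length = (int)load_be32(reply + 4); /* data[1] */
    if (filefh3_length > NFS3_FHSIZE)
        filefh3_length = NFS3_FHSIZE;
    return (size_t)filefh3_length; /* a negative int becomes a huge size_t */
}

/* Hardened variant (an assumed fix, not U-Boot's own patch): keep the length
 * unsigned, require the bytes to exist in the reply, and refuse instead of
 * clamping when it is out of range. Returns bytes copied, 0 on rejection. */
size_t safe_fh_copy(const uint8_t *reply, size_t reply_len,
                    uint8_t filefh[NFS3_FHSIZE])
{
    if (reply_len < 8)
        return 0;
    uint32_t fh_len = load_be32(reply + 4);
    if (fh_len == 0 || fh_len > NFS3_FHSIZE || fh_len > reply_len - 8)
        return 0;
    memcpy(filefh, reply + 8, fh_len);
    return fh_len;
}

/* Constructed NFSv3 LOOKUP reply fragments: status word, length word, handle. */
static const uint8_t reply_good[8 + 16] = {
    0, 0, 0, 0, 0, 0, 0, 16,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static const uint8_t reply_negative[8] = { 0, 0, 0, 0, 0xff, 0xff, 0xff, 0xf0 };
static const uint8_t reply_oversized[8] = { 0, 0, 0, 0, 0, 0, 0, 100 };
static uint8_t scratch_fh[NFS3_FHSIZE];
```

The negative case shows why the clamp alone is insufficient: the value passes the `>` test untouched and memcpy() receives it as an enormous unsigned size.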
Fermín Serna, Pavel Avgustinov and Kevin Backhouse
U-Boot RCE Vulnerabilities Affecting IoT Devices
U-Boot NFS RCE Vulnerabilities (CVE-2019-14192)
[U-Boot] Remote code execution vulnerabilities in U-Boot’s NFS and other IP parsing code
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: August 8, 2019