ASA-2019-00484 – Das U-Boot: Read out-of-bound data at nfs_read_reply()


Allele Security Alert

ASA-2019-00484

Identifier(s)

ASA-2019-00484, CVE-2019-14197

Title

Read out-of-bound data at nfs_read_reply()

Vendor(s)

DENX Software Engineering

Product(s)

Das U-Boot

Affected version(s)

Unknown

Fixed version(s)

Unknown

Proof of concept

Unknown

Description

An out-of-bounds read can occur in nfs_read_reply().

Technical details

The function nfs_read_reply() does not check that the source buffer contains enough data before copying from it, leading to a potential out-of-bounds read.

static int nfs_read_reply(uchar *pkt, unsigned len)
{
    struct rpc_t rpc_pkt;

    [...]

    /* len is not compared against sizeof(rpc_pkt.u.reply) before this copy */
    memcpy(&rpc_pkt.u.data[0], pkt, sizeof(rpc_pkt.u.reply));

    [...]
}

An attacker could supply a small NFS packet in response to a read request, so that the memcpy() above reads beyond the data actually received.
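The missing length check, shown as an added example; this is not U-Boot's code and not the upstream fix. The names struct reply_hdr, parse_reply_checked() and demo() and the header layout are hypothetical, and the example goes one step beyond the advisory by also validating a sender-claimed payload length against the bytes received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size reply header; NOT U-Boot's real struct rpc_t. */
struct reply_hdr {
    uint32_t id;
    uint32_t status;
    uint32_t data_len;  /* payload length claimed by the sender */
};

enum { REPLY_OK = 0, REPLY_SHORT_HDR = -1, REPLY_BAD_LEN = -2 };

/* Copy the header only after proving len covers it, then prove that the
 * claimed payload fits in the bytes actually received. */
static int parse_reply_checked(const unsigned char *pkt, size_t len,
                               struct reply_hdr *hdr,
                               const unsigned char **payload)
{
    if (pkt == NULL || len < sizeof(*hdr))
        return REPLY_SHORT_HDR;   /* the check absent from the excerpt */

    memcpy(hdr, pkt, sizeof(*hdr));

    /* Compare with the remaining bytes so the arithmetic cannot wrap. */
    if (hdr->data_len > len - sizeof(*hdr))
        return REPLY_BAD_LEN;

    *payload = pkt + sizeof(*hdr);
    return REPLY_OK;
}

/* Constructed input: a 64-byte receive buffer of which recv_len bytes are
 * treated as received, with a header claiming `claimed` payload bytes. */
static int demo(size_t recv_len, uint32_t claimed)
{
    unsigned char buf[64] = {0};
    struct reply_hdr in = { 1, 0, claimed }, out;
    const unsigned char *payload;

    memcpy(buf, &in, sizeof(in));
    return parse_reply_checked(buf, recv_len, &out, &payload);
}

int main(void)
{
    printf("%d %d %d\n", demo(4, 0), demo(20, 8), demo(20, 9));
    return 0;
}
```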

Credits

Fermín Serna, Pavel Avgustinov and Kevin Backhouse

Reference(s)

U-Boot RCE Vulnerabilities Affecting IoT Devices
https://blog.semmle.com/uboot-remote-code-execution-vulnerability/

U-Boot NFS RCE Vulnerabilities (CVE-2019-14192)
https://blog.semmle.com/uboot-rce-nfs-vulnerability/

[U-Boot] Remote code execution vulnerabilities in U-Boot’s NFS and other IP parsing code
https://lists.denx.de/pipermail/u-boot/2019-July/378001.html

CVE-2019-14197
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14197

CVE-2019-14197
https://nvd.nist.gov/vuln/detail/CVE-2019-14197

Last modified: August 10, 2019