ASA-2019-00489 – Das U-Boot: Stack-based buffer overflow in the nfs_handler reply helper function: nfs_readlink_reply()


Allele Security Alert

ASA-2019-00489

Identifier(s)

ASA-2019-00489, CVE-2019-14202

Title

Stack-based buffer overflow in the nfs_handler reply helper function: nfs_readlink_reply()

Vendor(s)

DENX Software Engineering

Product(s)

Das U-Boot

Affected version(s)

Unknown

Fixed version(s)

Unknown

Proof of concept

Unknown

Description

There is a stack-based buffer overflow in the nfs_handler reply helper function: nfs_readlink_reply().

Technical details

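This function passes the len argument to memcpy() without validating it against the size of the local rpc_pkt structure, so a length larger than that structure causes a stack-based buffer overflow.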

static int nfs_readlink_reply(uchar *pkt, unsigned len)
{
    struct rpc_t rpc_pkt;

    [...]

        /* len is not checked against sizeof(rpc_pkt) before this copy */
        memcpy((unsigned char *)&rpc_pkt, pkt, len);
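
The same copy with the length bounded before memcpy(), as an added example that is not code from U-Boot or from this alert. struct rpc_model, its field layout and size, the return codes and readlink_reply_checked() are assumptions standing in for the real definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for U-Boot's struct rpc_t: the layout and sizes are assumptions
 * made for this example, not the project's definition. */
struct rpc_model {
    uint32_t id, type, rstatus, verifier, v2, astatus; /* reply header */
    uint32_t data[16];                                 /* reply body */
};

#define REPLY_HDR_LEN offsetof(struct rpc_model, data)

enum { REPLY_OK = 0, REPLY_DROP_SHORT = -1, REPLY_DROP_LONG = -2 };

/* Copy a received reply into the fixed-size local only after bounding len
 * on both sides: long enough to cover the header fields read afterwards,
 * and no longer than the destination object. */
static int readlink_reply_checked(const unsigned char *pkt, size_t len,
                                  uint32_t *rstatus_out)
{
    struct rpc_model rpc_pkt;

    if (len < REPLY_HDR_LEN)
        return REPLY_DROP_SHORT;  /* header fields would be uninitialised */
    if (len > sizeof(rpc_pkt))
        return REPLY_DROP_LONG;   /* the unchecked memcpy() overflows here */

    memcpy(&rpc_pkt, pkt, len);
    *rstatus_out = rpc_pkt.rstatus;
    return REPLY_OK;
}

int main(void)
{
    unsigned char pkt[256] = {0};  /* constructed reply bytes, all zero */
    uint32_t st = 0;
    int fits = readlink_reply_checked(pkt, sizeof(struct rpc_model), &st);
    int over = readlink_reply_checked(pkt, sizeof(pkt), &st);

    return (fits == REPLY_OK && over == REPLY_DROP_LONG) ? 0 : 1;
}
```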

Credits

Fermín Serna, Pavel Avgustinov and Kevin Backhouse

Reference(s)

U-Boot RCE Vulnerabilities Affecting IoT Devices
https://blog.semmle.com/uboot-remote-code-execution-vulnerability/

U-Boot NFS RCE Vulnerabilities (CVE-2019-14192)
https://blog.semmle.com/uboot-rce-nfs-vulnerability/

[U-Boot] Remote code execution vulnerabilities in U-Boot’s NFS and other IP parsing code
https://lists.denx.de/pipermail/u-boot/2019-July/378001.html

CVE-2019-14202
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14202

CVE-2019-14202
https://nvd.nist.gov/vuln/detail/CVE-2019-14202


Last modified: August 11, 2019
