ASA-2018-00022 – U-Boot: Insufficient boundary checks in network image boot

The U-Boot bootloader supports kernel loading from a variety of network sources, such as TFTP via the `tftpboot` command. This command does not protect system memory from being overwritten when loading a file whose length causes the write, which starts at the passed `loadAddr` variable, to cross into the relocated U-Boot memory region. Therefore an excessively large boot image, served over TFTP, can be crafted to overwrite all U-Boot static and runtime memory segments, and in general all device-addressable memory starting from the `loadAddr` load address argument. The memory overwrite can directly lead to arbitrary code execution, fully controlled by the contents of the loaded image. When verified boot is implemented, the issue allows its intended validation to be bypassed, as the memory overwrite happens before any validation can take place.
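As an added illustration (not U-Boot's code and not part of the advisory), the following C model contrasts an unchecked per-block store with a bounded one that refuses any block whose destination overlaps a reserved bootloader region or leaves addressable memory; the RAM size, region addresses, block size and all function names are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed 1 MiB memory model and a hypothetical reserved range standing in
 * for the relocated U-Boot region; none of these values are real. */
#define RAM_SIZE          (1u << 20)
#define UBOOT_RELOC_START 0xC0000u
#define UBOOT_RELOC_END   0xE0000u   /* exclusive */
static uint8_t ram[RAM_SIZE];
typedef bool (*store_fn)(uint32_t, uint32_t, const uint8_t *, size_t);
/* Models the advisory's behaviour: each block lands at load_addr + offset with
 * no test against bootloader memory (RAM_SIZE check only protects the host). */
static bool store_block_unchecked(uint32_t load_addr, uint32_t offset,
                                  const uint8_t *blk, size_t len) {
    uint64_t start = (uint64_t)load_addr + offset;
    if (start + len > RAM_SIZE)
        return false;
    memcpy(ram + start, blk, len);
    return true;
}
/* Hardened variant: reject a block whose destination range leaves RAM or
 * overlaps the reserved region; 64-bit arithmetic avoids wraparound. */
static bool store_block_checked(uint32_t load_addr, uint32_t offset,
                                const uint8_t *blk, size_t len) {
    uint64_t start = (uint64_t)load_addr + offset, end = start + len;
    if (end > RAM_SIZE || (start < UBOOT_RELOC_END && end > UBOOT_RELOC_START))
        return false;
    memcpy(ram + start, blk, len);
    return true;
}
/* Feed n blocks of constructed 512-byte 0x41 payload from load_addr through
 * store(); returns how many blocks were accepted before the first refusal. */
static unsigned simulate_transfer(store_fn store, uint32_t load_addr, unsigned n) {
    uint8_t blk[512];
    memset(blk, 0x41, sizeof blk);
    memset(ram, 0, sizeof ram);
    for (unsigned i = 0; i < n; i++)
        if (!store(load_addr, i * 512u, blk, sizeof blk))
            return i;
    return n;
}

/* True if the transfer wrote any byte of the reserved region. */
static bool reserved_region_clobbered(void) {
    for (uint32_t a = UBOOT_RELOC_START; a < UBOOT_RELOC_END; a++)
        if (ram[a] != 0)
            return true;
    return false;
}
```

With a 1024-block transfer loaded at 0x80000, the checked store stops at block 512 and leaves the reserved region untouched, while the unchecked store accepts every block and overwrites it.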