[U-Boot] Kernel bootparam injection

Christian Litjes cflitjes at gmail.com
Fri Aug 21 13:02:29 CEST 2015


Dear Denx,

I've been working on an embedded system which starts over TFTP with an NFS
rootfs.

During the development I noticed that it's possible to inject bootparams in
to the dhcp messages.

If a system boots from NFS and I provide the following path to the nfs
share the extra bootparams will be executed aswell.

option root-path "/media/share/nfs/,tcp ro"

The ro parameter is put in to the kernel parameter as well and executed.

I'm using this hack currently on our own system into our advantage to
override the rw with ro in the kernel command line without the need of
recompiling uboot.
I'm going to plug this hole because it's a security risk for our product.
I've looked in the current uboot version and this is still a possibility.

My suggestion is to verify the options passed trough, these are separated
by "," and ignore anything with a space inside the rootpath.

If you agree this is an issue and have a suggestion for a solution. I will
supply the patch we are currently using for our own product.

Kind regards,
Christian Litjes


More information about the U-Boot mailing list