CVE-2019-14194 patch bypass
sploit em
sploitem at gmail.com
Wed Aug 2 22:16:17 CEST 2023
Hello.
I was analyzing CVE-2019-14194 and I think the patch can be bypassed.
patch
<https://source.denx.de/u-boot/u-boot/-/commit/aa207cf3a6d68f39d64cd29057a4fb63943e9078>
In nfs_read_reply, rlen is signed int. So we can make it less than zero.
The value less than zero can bypass the check at line 756. This will lead
to overflow due that assign has an unsigned int len parameter.
For example -1 will become 0xffffffff.
[image: nfs_read_reply_cve_2019_14194.png]
I've constructed some code to prove this.
[image: nfs_read_reply_cve_2019_14194_bypass.png]
[image: nfs_read_reply_cve_2019_14194_3.png]
Thanks.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nfs_read_reply_cve_2019_14194.png
Type: image/png
Size: 41606 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20230802/ef8ef1b3/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nfs_read_reply_cve_2019_14194_bypass.png
Type: image/png
Size: 106581 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20230802/ef8ef1b3/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nfs_read_reply_cve_2019_14194_3.png
Type: image/png
Size: 178600 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20230802/ef8ef1b3/attachment-0005.png>
More information about the U-Boot
mailing list