CVE-2019-14194 patch bypass

Tom Rini trini at konsulko.com
Tue Dec 26 15:34:35 CET 2023


On Wed, Aug 02, 2023 at 11:16:17PM +0300, sploit em wrote:

> Hello.
> 
> I was analyzing CVE-2019-14194 and I think the patch can be bypassed.
> patch
> <https://source.denx.de/u-boot/u-boot/-/commit/aa207cf3a6d68f39d64cd29057a4fb63943e9078>
> 
> In nfs_read_reply, rlen is signed int. So we can make it less than zero.
> The value less than zero can bypass the check at line 756. This will lead
> to overflow due that assign has an unsigned int len parameter.
> 
> For example -1 will become 0xffffffff.
> 
> [image: nfs_read_reply_cve_2019_14194.png]
> 
> 
> I've constructed some code to prove this.
> 
> [image: nfs_read_reply_cve_2019_14194_bypass.png]
> 
> [image: nfs_read_reply_cve_2019_14194_3.png]
> 
> Thanks.

Good find.  A patch to resolve this issue, by someone with an eye
towards other ways the problem could be exploited again so that this
time we don't have other avenues of attack open, would be appreciated.
Thanks.

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20231226/814b7394/attachment.sig>


More information about the U-Boot mailing list