Was plain U-Boot affected by CVE-2023-39902?
Heinrich Schuchardt
xypron.glpk at gmx.de
Mon Jun 23 17:26:18 CEST 2025
On 23.06.25 17:13, Tom Rini wrote:
> On Thu, Jun 19, 2025 at 09:35:25AM +0200, Rolf Eike Beer wrote:
>> Hi all,
>>
>> for entirely unrelated reasons I came across CVE-2023-39902:
>>
>>> A software vulnerability has been identified in the U-Boot Secondary Program
>>> Loader (SPL) before 2023.07 on select NXP i.MX 8M family processors. Under
>>> certain conditions, a crafted Flattened Image Tree (FIT) format structure
>>> can be used to overwrite SPL memory, allowing unauthenticated software to
>>> execute on the target, leading to privilege escalation.
>>
>> This links to https://community.nxp.com/t5/i-MX-Security/U-Boot-Secondary-Program-Loader-Authentication-Vulnerability-CVE/ta-p/1736196, which links 4
>> patches. The relevant one seems to me
>> https://github.com/nxp-imx/uboot-imx/commit/0746cfd931de8f7591d263ff60dd806ffe23c093,
>> and for my limited understanding the actual fix is the first hunk.
>>
>> A similar change has been made in 6039e0edc8540bd2a ("imx: hab: Simplify the
>> mechanism"), so I wonder if this is just an unnoticed instance of the very
>> same bug?
>>
>> Opinions?
>
> Let's add the iMX folks..
>
MA-21597 check spl fit pointer before parsing it
https://github.com/nxp-imx/uboot-imx/commit/6cb283bb4e19da6667abaedd83efc23a15fdc48d
could be improved:
The check should better be in fit_config_verify() to cover all usages.
Best regards
Heinrich