2 vulnerabilities found in net/nfs.c (integer overflows leading to buffer overflow)
Daniel Cohen
danielcohen627 at gmail.com
Mon Oct 6 15:24:46 CEST 2025
Hi, I'm Daniel,
I found two vulnerabilities that could get triggered through the nfs
driver, in the functions:
1. nfs_readlink_reply
2. nfs_lookup_reply
https://github.com/u-boot/u-boot/commit/cf3a4f1e86ecdd24f87b615051b49d8e1968c230
https://github.com/u-boot/u-boot/commit/aa207cf3a6d68f39d64cd29057a4fb63943e9078
In the commits you can see that the two functions have an integer overflow in the
bound check before the memcpy: since rlen is a signed int and controlled by
an attacker, he can set rlen to a negative number and bypass the check:
if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len)
I also created a PoC triggering both of the vulnerabilities from a
malicious remote server, leading to a crash in u-boot.
Tested on latest commit on the master branch: 72f72fa
This is my first vulnerability report,
so if I missed any additional information please let me know.
Best regards,
Daniel S. Cohen
LinkedIn <https://www.linkedin.com/in/unknownd4/> | GitHub
<https://github.com/UnknownD4>
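As an added illustration of the arithmetic the report describes (this is not U-Boot's code and the packet layout below is a constructed stand-in, not struct rpc_t), the following C program places the reported check pattern beside a hardened form. The pointer difference is a signed ptrdiff_t and rlen is a signed int, so the sum stays signed and a negative rlen slips under len; the hardened version rejects negative lengths first, then compares in unsigned size_t using subtraction so nothing can wrap, and a copy helper additionally bounds the destination. The function names, HDR_LEN and PKT_MAX are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the reply layout: a fixed header followed by a
 * data area. Not U-Boot's struct rpc_t; it only reproduces the
 * "address of data[0] minus address of packet, plus rlen" arithmetic. */
#define HDR_LEN 24
#define PKT_MAX 1024

struct pkt {
    uint8_t hdr[HDR_LEN];
    uint8_t data[PKT_MAX - HDR_LEN];
};

/* Reported form of the check. rlen is a signed int taken from the packet
 * and the pointer difference is ptrdiff_t (also signed), so the sum is a
 * signed value: a negative rlen makes it small and the check is passed.
 * Returns true when the check would let the subsequent memcpy proceed. */
bool reply_fits_vulnerable(const struct pkt *p, int rlen, int len)
{
    const uint8_t *base = (const uint8_t *)p;
    const uint8_t *data = p->data;
    return !((data - base + rlen) > len);
}

/* Hardened form: reject negative lengths up front, then do the remaining
 * comparison in size_t with subtraction so it cannot overflow or wrap. */
bool reply_fits_hardened(const struct pkt *p, int rlen, int len)
{
    if (rlen < 0 || len < 0)
        return false;
    size_t offset = (size_t)(p->data - (const uint8_t *)p);
    size_t avail  = (size_t)len;
    if (offset > avail)
        return false;
    return (size_t)rlen <= avail - offset;
}

/* Copy helper: applies the hardened source check and also bounds the
 * destination, so a caller cannot overrun the buffer it copies into.
 * Returns the number of bytes copied, or -1 if the request is rejected. */
int copy_reply_data(const struct pkt *p, int rlen, int len,
                    uint8_t *out, size_t out_len)
{
    if (!reply_fits_hardened(p, rlen, len) || (size_t)rlen > out_len)
        return -1;
    memcpy(out, p->data, (size_t)rlen);
    return rlen;
}

int main(void)
{
    struct pkt p;
    memset(&p, 0, sizeof(p));
    memcpy(p.data, "hello", 5);

    /* len = 256 bytes received; rlen = -1 as a malformed length field. */
    printf("rlen=-1: vulnerable check passes=%d, hardened passes=%d\n",
           reply_fits_vulnerable(&p, -1, 256), reply_fits_hardened(&p, -1, 256));

    uint8_t out[16];
    printf("copy of 5 bytes -> %d\n", copy_reply_data(&p, 5, 64, out, sizeof(out)));
    printf("copy with rlen=-5 -> %d\n", copy_reply_data(&p, -5, 64, out, sizeof(out)));
    return 0;
}
```

With a 256-byte reply and rlen = -1, the reported check passes while the hardened one refuses; with a sane rlen both agree, so the fix does not reject legitimate replies.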