[SECURITY][2/4] Buffer overflow in CLI boot retry path (CONFIG_SYS_CBSIZE-dependent)
Tra Ngo
S4210155 at student.rmit.edu.au
Thu Mar 26 05:41:06 CET 2026
Dear U-Boot maintainers,
I would like to report a potential buffer overflow in the CLI boot retry path involving console_buffer in common/cli_readline.c and common/cli_hush.c.
The issue arises from an unbounded strcpy() into a buffer sized by CONFIG_SYS_CBSIZE, which may be smaller than the injected command string.
This is configuration-dependent and can lead to memory corruption under certain settings.
I have attached a detailed analysis, including root cause, reproduction, and suggested fix.
This is part of a set of related configuration-dependent issues; I will report others in separate emails.
Please let me know if you would like a patch or further details.
Best regards,
Ngo Tra
-------------- next part --------------
A non-text attachment was scrubbed...
Name: UCCG-UBOOT-02.md
Type: application/octet-stream
Size: 5323 bytes
Desc: UCCG-UBOOT-02.md
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260326/2701f8d1/attachment.obj>
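An added illustration of the bug class this report describes, not code from U-Boot or from the reporter's attachment: a length-checked replacement for an unbounded strcpy() into a buffer sized by a configuration macro, plus a build-time size check for a fixed command. DEMO_CBSIZE, demo_console_buffer, set_console_cmd and the sample command strings are hypothetical stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins, not U-Boot source: DEMO_CBSIZE plays the role of
 * CONFIG_SYS_CBSIZE and demo_console_buffer the role of console_buffer. */
#define DEMO_CBSIZE 16
static char demo_console_buffer[DEMO_CBSIZE];

/* Constructed sample commands: one fits in DEMO_CBSIZE, one does not. */
#define DEMO_SHORT_CMD "reset"
#define DEMO_LONG_CMD  "run bootcmd_fallback"

/* A command fixed at build time can be checked against the configured
 * size by the compiler, so a too-small configuration fails the build. */
_Static_assert(sizeof(DEMO_SHORT_CMD) <= DEMO_CBSIZE,
               "fixed command does not fit in the console buffer");

/* Copy cmd into dst only if it fits, terminator included.
 * Returns 0 on success; on failure returns -1 and leaves dst empty. */
static int set_console_cmd(char *dst, size_t dst_size, const char *cmd)
{
    const char *nul;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (cmd == NULL)
        return -1;
    /* Look for the terminator within the first dst_size bytes only. */
    nul = memchr(cmd, '\0', dst_size);
    if (nul == NULL)
        return -1;              /* strcpy() would have overflowed here */
    memcpy(dst, cmd, (size_t)(nul - cmd) + 1);
    return 0;
}

int main(void)
{
    int rc = set_console_cmd(demo_console_buffer, sizeof(demo_console_buffer),
                             DEMO_LONG_CMD);
    printf("long command: rc=%d buffer=\"%s\"\n", rc, demo_console_buffer);
    rc = set_console_cmd(demo_console_buffer, sizeof(demo_console_buffer),
                         DEMO_SHORT_CMD);
    printf("short command: rc=%d buffer=\"%s\"\n", rc, demo_console_buffer);
    return 0;
}
```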