[SECURITY][1/4] Stack buffer overflow in NanoPi2 board code (CONFIG_SYS_CBSIZE-dependent)

Tra Ngo S4210155 at student.rmit.edu.au
Thu Mar 26 05:41:04 CET 2026


Dear U-Boot maintainers,

I would like to report a potential stack buffer overflow in the NanoPi2 board code (board/friendlyarm/nanopi2/board.c, bd_update_env()).

The issue arises from unbounded sprintf()/strcpy() calls on a buffer sized by CONFIG_SYS_CBSIZE, where initial size checks do not account for subsequent appends.

This is configuration-dependent and can lead to overflow under certain settings.

I have attached a detailed analysis, including root cause, reproduction, and suggested fix.

This is part of a set of related configuration-dependent issues; I will report others in separate emails.

Please let me know if you would like a patch or further details.

Best regards,
Ngo Tra

-------------- next part --------------
A non-text attachment was scrubbed...
Name: UCCG-UBOOT-01.md
Type: application/octet-stream
Size: 4918 bytes
Desc: UCCG-UBOOT-01.md
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260326/1d17eba3/attachment.obj>
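
Added example, not part of the original message and not U-Boot code: the bug class the report describes, where a length check covers only the initial string while later appends go unchecked, next to a bounded-append form that fails instead of overflowing. CBSIZE, the function names and the appended field names are assumptions chosen for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define CBSIZE 64 /* constructed stand-in for CONFIG_SYS_CBSIZE */

/* Guard pattern from the report: only the initial string is measured. */
static int initial_check_only(const char *base)
{
	return strlen(base) < CBSIZE;
}

/* Append at buf + *used, never writing past cap; fail instead of truncating. */
static int append_fmt(char *buf, size_t cap, size_t *used, const char *fmt, ...)
{
	va_list ap;
	int n;
	va_start(ap, fmt);
	n = vsnprintf(buf + *used, cap - *used, fmt, ap);
	va_end(ap);
	if (n < 0 || (size_t)n >= cap - *used) {
		buf[*used] = '\0'; /* drop the partial write */
		return -1;
	}
	*used += (size_t)n;
	return 0;
}

/* Hypothetical routine: base string plus two appended fields (names assumed). */
static int build_args(char *out, size_t cap, const char *base,
		      const char *extra, unsigned int id)
{
	size_t used = 0;
	if (cap == 0)
		return -1;
	out[0] = '\0';
	if (append_fmt(out, cap, &used, "%s", base) ||
	    append_fmt(out, cap, &used, " extra=%s", extra) ||
	    append_fmt(out, cap, &used, " id=%u", id))
		return -1;
	return (int)used;
}

int main(void)
{
	char out[CBSIZE];
	printf("%d %d\n", initial_check_only("console=ttyS0"),
	       build_args(out, sizeof(out), "console=ttyS0", "abc", 7));
	return 0;
}
```

A base string just under CBSIZE passes initial_check_only() yet makes build_args() return -1, which is the gap between the initial check and the later appends.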

