[SECURITY][3/4] Potential overflow in Toradex config block prompts (CONFIG_SYS_CBSIZE-dependent)
Tra Ngo
S4210155 at student.rmit.edu.au
Thu Mar 26 05:41:08 CET 2026
Dear U-Boot maintainers,
I would like to report a potential stack buffer overflow in board/toradex/common/tdx-cfg-block.c related to prompt string construction.
The issue arises from unbounded sprintf() calls into a buffer sized by CONFIG_SYS_CBSIZE, which may be smaller than the literal prompt strings.
This is configuration-dependent and can lead to overflow under certain settings.
I have attached a detailed analysis, including root cause, reproduction, and suggested fix.
This is part of a set of related configuration-dependent issues; I will report others in separate emails.
Please let me know if you would like a patch or further details.
Best regards,
Ngo Tra <https://aka.ms/GetOutlookForMac>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: UCCG-UBOOT-03.md
Type: application/octet-stream
Size: 3243 bytes
Desc: UCCG-UBOOT-03.md
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260326/75b25f46/attachment.obj>
More information about the U-Boot
mailing list