[SECURITY][1/4] Stack buffer overflow in NanoPi2 board code (CONFIG_SYS_CBSIZE-dependent)
Tom Rini
trini at konsulko.com
Thu Mar 26 22:08:17 CET 2026
On Thu, Mar 26, 2026 at 04:41:04AM +0000, Tra Ngo wrote:
> Dear U-Boot maintainers,
>
> I would like to report a potential stack buffer overflow in the NanoPi2 board code (board/friendlyarm/nanopi2/board.c, bd_update_env()).
>
> The issue arises from unbounded sprintf()/strcpy() calls on a buffer sized by CONFIG_SYS_CBSIZE, where initial size checks do not account for subsequent appends.
>
> This is configuration-dependent and can lead to overflow under certain settings.
>
> I have attached a detailed analysis, including root cause, reproduction, and suggested fix.
>
> This is part of a set of related configuration-dependent issues; I will report others in separate emails.
>
> Please let me know if you would like a patch or further details.
Thanks for this, and the other report. Please take a look at
https://docs.u-boot.org/en/latest/develop/sending_patches.html for
submitting patches to address these problems, and perhaps we need to
look a bit more generically at solutions? A common part of your reports
was that if we configure SYS_CBSIZE in a specific manner, then we have
problems.
--
Tom
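
The bug class the report describes (an up-front size check that does not cover later appends into a buffer sized by a build-time constant), shown beside a bounded-append form. This is an added illustration, not code from the thread, the attachment or the U-Boot tree; CBSIZE, build_unchecked(), appendf(), build_checked() and the strings are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define CBSIZE 32 /* hypothetical stand-in for a small CONFIG_SYS_CBSIZE */

/* Flawed pattern: the check covers only `base`, yet `extra` is appended. */
int build_unchecked(char *buf, const char *base, const char *extra)
{
	if (strlen(base) >= CBSIZE)
		return -1;
	strcpy(buf, base);
	sprintf(buf + strlen(buf), " %s", extra); /* can run past CBSIZE */
	return 0;
}

/* Bounded append: tracks the offset and fails instead of overflowing. */
int appendf(char *buf, size_t size, size_t *off, const char *fmt, ...)
{
	va_list ap;
	va_start(ap, fmt);
	int n = vsnprintf(buf + *off, size - *off, fmt, ap);
	va_end(ap);
	if (n < 0 || (size_t)n >= size - *off) {
		buf[*off] = '\0'; /* discard the truncated append */
		return -1;
	}
	*off += (size_t)n;
	return 0;
}

/* Hardened form: every append is checked against the space remaining. */
int build_checked(char *buf, size_t size, const char *base,
		  const char *extra)
{
	size_t off = 0;
	if (size == 0 || appendf(buf, size, &off, "%s", base))
		return -1;
	return appendf(buf, size, &off, " %s", extra);
}

int main(void)
{
	char buf[CBSIZE]; /* constructed input: base fits, base + extra does not */
	int rc = build_checked(buf, sizeof(buf), "console=ttyS0,115200n8",
			       "root=/dev/mmcblk0p2");
	printf("checked rc=%d buf=\"%s\"\n", rc, buf);
	return 0;
}
```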