Advisory ID:               SYSS-2026-041
Product:                   Das U-Boot ("the universal boot loader")
Manufacturer:              DENX Software Engineering / U-Boot project
Affected Version(s):       versions containing commit a1596438a689
                           ("ext4fs ls load support"), including
                           v2012.10 and master at commit 987907ae4bcc
                           (v2026.07-rc3-00008), when ext4 filesystem
                           loading is enabled
Tested Version(s):         master at 987907ae4bcc
                           (v2026.07-rc3-00008)
Vulnerability Type:        Out-of-bounds Read (CWE-125)
Risk Level:                Low
Solution Status:           Open
Manufacturer Notification: 2026-06-10
Solution Date:             (pending)
Public Disclosure:         (pending)
CVE Reference:             Not yet assigned
Author of Advisory:        Robin Trost, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Das U-Boot is a widely deployed open-source bootloader for embedded
devices.

The manufacturer describes the product as follows (see [1]):

"Das U-Boot, often shortened to U-Boot, is a free, open-source and
extensible boot loader available for many architectures (ARM, MIPS,
PowerPC, RISC-V, x86, x86_64), whose purpose is to perform various
hardware initialization tasks and boot the device's operating system
kernel."

U-Boot's ext4 filesystem reader does not validate the number of extent
leaf entries supplied by an on-disk ext4 extent header. A crafted ext4
filesystem can therefore make U-Boot read beyond the extent container
while loading a file.

The out-of-bounds bytes are interpreted as additional ext4_extent
records. If such an interpreted record matches the requested file block,
U-Boot uses the attacker-influenced physical block number for the file
load. In boot configurations that load boot scripts, kernels, FIT images
or other boot artifacts from attacker-controlled ext4 media, this can
redirect the boot load to attacker-controlled disk blocks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The vulnerable code is in read_allocated_block() in
fs/ext4/ext4_common.c. When an inode uses extents, U-Boot obtains an
extent leaf and iterates over ext_block->eh_entries:

  extent = (struct ext4_extent *)(ext_block + 1);

  for (i = 0; i < le16_to_cpu(ext_block->eh_entries); i++) {
          startblock = le32_to_cpu(extent[i].ee_block);
          endblock = startblock + le16_to_cpu(extent[i].ee_len);

          if (startblock > fileblock) {
                  return 0;
          } else if (fileblock < endblock) {
                  start = le16_to_cpu(extent[i].ee_start_hi);
                  start = (start << 32) +
                          le32_to_cpu(extent[i].ee_start_lo);
                  return (fileblock - startblock) + start;
          }
  }

The value eh_entries is fully controlled by the ext4 image. U-Boot only
checks the extent magic in ext4fs_get_extent_block(). It does not check
that:

  - eh_entries is less than or equal to eh_max, or
  - eh_max fits the physical container holding the extent header.

For an inode-resident leaf, the physical container is the 60-byte
i_block area of struct ext2_inode. It can hold one 12-byte extent
header and four 12-byte extent records. For a block-resident leaf, the
container is the filesystem block loaded into the extent cache.

By setting eh_entries above the real capacity, an attacker can make the
loop read adjacent inode fields, adjacent heap memory or allocator
metadata as if they were struct ext4_extent records:

  ee_block     first logical block covered by the extent
  ee_len       number of logical blocks covered by the extent
  ee_start_hi  high 16 bits of the physical block number
  ee_start_lo  low 32 bits of the physical block number

When the interpreted ee_block/ee_len range covers the requested
fileblock, the interpreted ee_start value is returned to
ext4fs_read_file(). ext4fs_read_file() then reads that physical disk
block into the caller-supplied destination address.
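As an added illustration that is not taken from the advisory or from U-Boot's source: a stand-alone C model of the two missing checks and of a bounded leaf walk, using hypothetical struct definitions that mirror the on-disk ext4 extent layout on a little-endian host. The two 60-byte i_block leaves it constructs are sample data for the example, not the contents of syss_oob.img.

```c
#include <stdint.h>
#include <string.h>

/* Stand-alone models of the ext4 extent structures (not U-Boot's headers); little-endian host assumed. */
struct ext4_extent_header { uint16_t eh_magic, eh_entries, eh_max, eh_depth; uint32_t eh_generation; };
struct ext4_extent { uint32_t ee_block; uint16_t ee_len, ee_start_hi; uint32_t ee_start_lo; };
#define EXT4_EXT_MAGIC 0xF30A
#define EXT4_IBLOCK_SIZE 60  /* i_block area holding an inode-resident leaf */

/* The checks the advisory describes as missing: eh_entries <= eh_max, and header + eh_max records
 * must fit the container actually read. Returns the walkable entry count, or -1 for a malformed leaf. */
int ext4_leaf_entries(const void *c, size_t len)
{
	const struct ext4_extent_header *eh = c;
	if (len < sizeof(*eh) || eh->eh_magic != EXT4_EXT_MAGIC)
		return -1;
	if (eh->eh_entries > eh->eh_max ||
	    (size_t)eh->eh_max * sizeof(struct ext4_extent) > len - sizeof(*eh))
		return -1;
	return eh->eh_entries;
}

/* Bounded form of the leaf walk in read_allocated_block(): physical block for
 * fileblock, 0 for a hole, -1 when the leaf is rejected before any walk. */
long long ext4_leaf_lookup(const void *c, size_t len, uint32_t fileblock)
{
	int n = ext4_leaf_entries(c, len);
	const struct ext4_extent *e = (const void *)((const char *)c + sizeof(struct ext4_extent_header));
	for (int i = 0; i < n; i++) {
		uint32_t start = e[i].ee_block, end = start + e[i].ee_len;
		if (start > fileblock)
			return 0;
		if (fileblock < end)
			return (long long)(((uint64_t)e[i].ee_start_hi << 32) + e[i].ee_start_lo + (fileblock - start));
	}
	return n < 0 ? -1 : 0;
}

/* Constructed 60-byte i_block leaves: poc != 0 gives a header shaped like the PoC's
 * (eh_entries = 0xFFFF, eh_max = 4); poc == 0 gives a well-formed leaf with one extent
 * mapping logical blocks 0..3 to physical blocks 1000..1003. */
long long leaf_lookup_sample(int poc, uint32_t fileblock)
{
	unsigned char ib[EXT4_IBLOCK_SIZE] = {0};
	struct ext4_extent_header eh = { EXT4_EXT_MAGIC, poc ? 0xFFFF : 1, 4, 0, 0 };
	struct ext4_extent ext = { 0, 4, 0, 1000 };
	memcpy(ib, &eh, sizeof(eh));
	memcpy(ib + sizeof(eh), &ext, sizeof(ext));
	return ext4_leaf_lookup(ib, sizeof(ib), fileblock);
}
```

With the container size passed in, the over-declared leaf is rejected before the loop runs, so no record beyond the four-entry i_block area is ever interpreted as an extent.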

An attacker might abuse this vulnerability to load bytes from an
attacker-selected hidden physical block.

This bug is reachable through stock ext4 filesystem load paths, for
example:

  ext4load host 0 0x1000000 /boot.scr
  ext4load mmc 0:1 ${kernel_addr_r} /boot/Image
  boot flows that load extlinux.conf, boot.scr, FIT images or kernels
  from an ext4 boot partition

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The malicious image (syss_oob.img) demonstrates the raw out-of-bounds
read. The file /pwn uses an inode-resident extent leaf that declares:

  eh_magic   = 0xF30A
  eh_depth   = 0
  eh_max     = 4
  eh_entries = 0xFFFF

Only one zero-length extent is present.

The mw.b command fills the destination buffer with 0x42 bytes before
ext4load. After ext4load, the buffer is zero-filled instead of containing
the original /pwn bytes, showing that the unbounded leaf walk interpreted
data outside the four-entry i_block extent container as an extent and
selected the sparse-block path.

#~ setarch -R ./u-boot
[...]
=> host bind 0 artifacts/syss_oob.img
=> mw.b 0x1000000 0x42 0x40
=> ext4load host 0 0x1000000 /pwn
15 bytes read in 0 ms
=> md.b 0x1000000 0x40;
01000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 42  ...............B
01000010: 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
01000020: 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
01000030: 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

-

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2026-06-10: Vulnerability reported to manufacturer
2026-XX-XX: Patch released by manufacturer
2026-XX-XX: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for "Das U-Boot"
    https://u-boot.org/
[2] SySS Security Advisory SYSS-2026-041
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2026-041.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Robin Trost of SySS
GmbH.

E-Mail: robin.trost@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Robin_Trost.asc
Key ID: 0x698E6EB3
Key Fingerprint: 85FE 80E2 04F3 6177 C61A 4618 61DE F14F 698E 6EB3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
