On Fri, Feb 27, 2026 at 06:25:14PM +0000, Lee, Sin Liang wrote:
> Dear U-Boot Maintainers,
>
> I'm Sin Liang Lee, a member of Team Atlanta<https://team-atlanta.github.io/>
> from Georgia Institute of Technology, winners of DARPA's AI Cyber Challenge
> (AIxCC)<https://aicyberchallenge.com/>. We're reaching out to submit a
> vulnerability report that we identified using our system, ATLANTIS, in your
> project. This effort is part of DARPA's initiative to apply competition
> technologies to real-world open source projects.
>
> We have built an AI-enhanced CRS (Cyber Reasoning System) for automatic
> vulnerability detection and repair. Using a combination of targeted fuzzing
> (via OSS-Fuzz infrastructure) and AI-assisted static analysis, we identified
> four buffer overflow vulnerabilities in the U-Boot NFS client reply parsers
> (net/nfs-common.c). These affect the current upstream codebase and include a
> signedness bypass of the mitigation introduced for CVE-2019-14193.
Ah, so that explains the squashfs report last week. I am glad to see that
part of the challenge now is fixing and not just reporting the issues.

Please see https://docs.u-boot.org/en/latest/develop/sending_patches.html
for how to correctly submit patches to the project. And while we do not
currently have formal guidelines around AI-assisted contributions, please
see:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/coding-assistants.rst
for how the Linux Kernel expects things to be attributed, and note that we
also are requesting that the commit message be human and not
AI-written/assisted.

Thanks!

-- 
Tom