On 27/02/2026 23:07, Tom Rini wrote:
> On Fri, Feb 27, 2026 at 09:28:44PM +0000, Lee, Sin Liang wrote:
>
>> Thank you for the quick response. We will follow the submission guidelines
>> for our fixes and attribution.
>> In the meantime, would you be able to confirm the reported vulnerabilities 
>> on your side? That would help us make sure we are aligned on impact and 
>> scope as we finalize the fixes.
>
> I'm adding our networking custodian to the thread, for when he has time
> to take a look.

Thanks Tom. Where can I find the report?

Thanks,
--
Jerome

>
>> Regards,
>> Sin Liang
>>
>>
>> ________________________________
>> From: Tom Rini
>> Sent: Friday, February 27, 2026 1:42 PM
>> To: Lee, Sin Liang
>> Cc: [email protected]; Kim, Taesoo; Zhang, Cen; [email protected]; 
>> [email protected]
>> Subject: Re: Security Disclosure: Multiple buffer overflow vulnerabilities 
>> in NFS client
>>
>> On Fri, Feb 27, 2026 at 06:25:14PM +0000, Lee, Sin Liang wrote:
>>
>>> Dear U-Boot Maintainers,
>>>
>>> I'm Sin Liang Lee, a member of Team Atlanta from Georgia Institute of 
>>> Technology, winners of DARPA's AI Cyber Challenge 
>>> (AIxCC)<https://aicyberchallenge.com/>. We're reaching out to 
>>> submit a vulnerability report that we identified using our system, 
>>> ATLANTIS, in your project. This effort is part of DARPA's initiative to 
>>> apply competition technologies to real-world open source projects.
>>>
>>> We have built an AI-enhanced CRS (Cyber Reasoning System) for automatic 
>>> vulnerability detection and repair. Using a combination of targeted fuzzing 
>>> (via OSS-Fuzz infrastructure) and AI-assisted static analysis, we 
>>> identified four buffer overflow vulnerabilities in the U-Boot NFS client 
>>> reply parsers (net/nfs-common.c). These affect the current upstream 
>>> codebase and include a signedness bypass of the mitigation introduced for 
>>> CVE-2019-14193.
>>
>> Ah, so that explains the squashfs report last week. I am glad to see
>> that part of the challenge now is fixing and not just reporting the
>> issues. Please see
>> https://docs.u-boot.org/en/latest/develop/sending_patches.html for how
>> to correctly submit patches to the project. And while we do not
>> currently have formal guidelines around AI-assisted contributions,
>> please see:
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/coding-assistants.rst
>> for how the Linux Kernel expects things to be attributed and note that
>> we also are requesting that the commit message be human and not
>> AI-written/assisted. Thanks!
>>
>> --
>> Tom
>

IMPORTANT NOTICE: The contents of this email and any attachments are 
confidential and may also be privileged. If you are not the intended recipient, 
please notify the sender immediately and do not disclose the contents to any 
other person, use it for any purpose, or store or copy the information in any 
medium. Thank you.
