On Tue, May 12, 2026 at 11:39:32AM +0100, Paul Barker wrote: > Hi folks, > > We recently had a patch sent to Yocto Project to backport a fix for > CVE-2025-24857 to our Scarthgap branch which uses U-Boot 2024.01. > Looking at the CVE info, this has confused me a lot. It says [1]: > > Improper access control for volatile memory containing boot code in > Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips > IPQ4019, IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574 > could allow an attacker to execute arbitrary code. > > The NVD page says it affects U-Boot "Up to (excluding) 2017.11". > > But, the patch that says it addresses CVE-2025-24867 was committed to > U-Boot in December 2025 [2]. The first release containing this patch was > v2026.01. > > Is this commit actually needed to resolve that CVE? Or is it some other > change back in 2017 that fixed the issue? (A yes/no is fine, I don't > need a link to the exact commit) > > [1]: https://nvd.nist.gov/vuln/detail/CVE-2025-24857 > [2]: > https://source.denx.de/u-boot/u-boot/-/commit/87d85139a96a39429120cca838e739408ef971a2
This is a "funny" one. The reference to v2017.11 is due to when we had a
large rework of the FAT code and so the most obvious way to trigger the
problem was removed. The changes in commit 87d85139a96a ("fs: fat:
Perform sanity checks on getsize in get_fatent()") may, or may not, be
only a sanity check against performing similar attacks. So yes, it would
make sense for Scarthgap to have this change.
--
Tom
signature.asc
Description: PGP signature
