On Wed, May 20, 2026 at 12:27:00PM +0100, Anton Ivanov wrote: > Hello U-Boot maintainers, > > Binarly Research has identified several vulnerabilities affecting the > U-Boot FIT image signature verification logic: > [BRLY-2026-037] Null pointer dereference and potential stack buffer > overflow in U-Boot during FIT image signature verification in > `fdt_find_regions` > [BRLY-2026-038] Stack buffer underflow in U-Boot during FIT image signature > verification in `fdt_find_regions` > [BRLY-2026-039] Denial of service in U-Boot during FIT image signature > verification because of unchecked `size` value of `hashed-strings` property > [BRLY-2026-040] Denial of service in U-Boot during FIT image signature > verification because of null pointer dereference in `fdt_find_regions` > [BRLY-2026-041] Denial of service in U-Boot during FIT image signature > verification because of unchecked properties of image external data > [BRLY-2026-042] Unbounded recursion in `fdt_check_no_at` during FIT format > validation > > The detailed reports are attached. Feel free to reach out if you have any > further questions.
This sounds like what came in yesterday with: https://lore.kernel.org/u-boot/0100019e40e72ac1-c3d57c2e-cac3-4f65-a98f-f1c6173c047d-000...@email.amazonses.com/ And so I'll repeat myself here. First, the current stance of this project with respect to AI is, "please don't" and is well explained over on https://docs.postmarketos.org/policies-and-processes/development/ai-policy.html Second, if you're going to use an AI tool anyhow, please read https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=36d49bba19f2c19c933d13b25dcf4eb607a030b3 and specifically the section titled "Responsible use of AI to find bugs". Finally, our normal patch submission process is documented at https://docs.u-boot.org/en/latest/develop/sending_patches.html Thanks. -- Tom
signature.asc
Description: PGP signature
