On May 27, 2026 7:55:58 PM GMT+01:00, "Lee, Brian J" <[email protected]> wrote: >Thank you for the acknowledgements! I apologize reproducing the PoC had >difficulties due to poor quality. I will make sure to improve that. Thank >you! > >Best regards, >Brian
Don't worry, it's not your fault. Asan just doesn't work for some reason :) >________________________________ >보낸 사람: Josh Law <[email protected]> >보낸 날짜: 2026년 5월 27일 수요일 오후 1:16 >받는 사람: [email protected] <[email protected]>; Lee, Brian J ><[email protected]>; [email protected] <[email protected]> >참조: Kim, Youngjoon <[email protected]> >제목: Re: U-Boot TFTP OACK option parser reads past unterminated values > >[[email protected] 전자 메일을 받지 않는 경우가 많습니다. >https://aka.ms/LearnAboutSenderIdentification ]에서 중요한 이유 알아보기 > >On May 27, 2026 5:17:43 PM GMT+01:00, "Lee, Brian J" ><[email protected]> wrote: >>Hello U-Boot Security Team, >> >>My name is Brian Lee, and I am a PhD Security Researcher in SSLab at >>Georgia Tech. I'd like to privately report a potential denial-of-service >>issue due to insufficient scan termination in OACK option parser in TFTP. >>A remote unauthenticated TFTP server selected by the U-Boot client, or an >>attacker able to spoof the expected server's first OACK to the client's >>TFTP source port, can send a single malformed OACK during an ordinary >TFTP >>get, boot, or update flow. >> >>Target: >> >> * >>Project: u-boot >> * >>Repo: >https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fu-boot%2Fu-boot&data=05%7C02%7Chibrian827%40gatech.edu%7C8045df0c917e421446b708debc13a9b9%7C482198bbae7b4b258b7a6d7f32faa083%7C1%7C0%7C639154989808357367%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=tYqLck9YuSDv199v05buMvw11w99PFocY2rIs69wDy8%3D&reserved=0<https://github.com/u-boot/u-boot> >> * >>Pinned ref: 215496fec59b3fa09256b4fb62f92af46e2ec7f9 >> >>Threat model: >> >>U-Boot documents TFTP boot/download commands and optional automatic TFTP >>update; a selected or spoofed TFTP server can send the first OACK without >>authentication. The required packet is a single malformed OACK during an >>ordinary TFTP RRQ flow, with no credentials or multi-step race beyond >>being the selected/spoofed server response. >> >>Attached: >> >> * >>README.md : full writeup. >> * >>poc/run.sh : allocates an exact-length TFTP packet containing opcode >>0x0006 (OACK), option name blksize, a NUL after the option name, and one >>value byte (5) without the required value-terminating NUL. It then calls >>the modeled tftp_handler() as the first server response to a client RRQ, >>with destination port 1069 and source port 69, matching the guard state >>that accepts an initial OACK before the remote port is pinned. >> * >>poc/inputs: the relevant files for running poc >> >>I would like to get help from your expertise to clarify whether this is a >>valid security threat or not. Thank you. >> >>Best Regards, >>Brian Lee >> >> > >Hey Brian, > >These bugs look plausible to me. > >If maintainers want fixes tags, > >For OACK: >Fixes: 53a5c424bf86 ("multicast tftp: RFC2090") > > >For short ack: >Fixes: 1fb7cd498e6a ("net: tftpput: implement tftp logic") > >I don't think the error case needs a fixes tag, it came up on the very >first commit. > > >I tried testing on my arm box using your script: > >AddressSanitizer: CHECK failed: sanitizer_allocator_primary64.h:131 > "((kSpaceBeg)) == ((address_range.Init(TotalSpaceSize, > PrimaryAllocatorName, kSpaceBeg)))" > (0x500000000000, 0xfffffffffffffff4) (tid=3186) > <empty stack> > > > >it seems to be a "my host" issue > > > >Note: I reproed under valgrind: > > >josh@armbox:~$ valgrind --quiet --error-exitcode=99 >/tmp/brian-u-boot-pocs/ > oack_vg; echo "exit=$?" > ==3366== Invalid read of size 1 > ==3366== at 0x108A08: dectoul (harness.c:33) > ==3366== by 0x108B93: tftp_handler (harness.c:119) > ==3366== by 0x108E8F: main (harness.c:182) > ==3366== Address 0x4a8f04b is 0 bytes after a block of size 11 alloc'd > ==3366== at 0x488545C: malloc (vg_replace_malloc.c:446) > ==3366== by 0x108E4B: main (harness.c:176) > > ==3366== Invalid read of size 1 > ==3366== at 0x488E7A4: __GI_strlen (vg_replace_strmem.c:506) > ==3366== by 0x491CC87: printf (printf.c:33) > ==3366== by 0x108BCF: tftp_handler (harness.c:120) > > Blocksize oack: 5, 5 > exit=99 > > josh@armbox:~$ valgrind --quiet --error-exitcode=99 /tmp/brian-u-boot-pocs/ > ack_vg; echo "exit=$?" > ==3367== Invalid read of size 2 > ==3367== at 0x108A1C: tftp_handler (uboot_tftp_ack_harness.c:67) > ==3367== by 0x108BEB: main (uboot_tftp_ack_harness.c:111) > ==3367== Address 0x4a8f042 is 0 bytes after a block of size 2 alloc'd > ==3367== at 0x488545C: malloc (vg_replace_malloc.c:446) > ==3367== by 0x108BA3: main (uboot_tftp_ack_harness.c:104) > > exit=99 > > josh@armbox:~$ valgrind --quiet --error-exitcode=99 /tmp/brian-u-boot-pocs/ > error_vg; echo "exit=$?" > ==3368== Invalid read of size 2 > ==3368== at 0x108A78: tftp_handler (uboot_tftp_error_harness.c:58) > > ==3368== Invalid read of size 1 > ==3368== at 0x488E788: __GI_strlen (vg_replace_strmem.c:506) > ==3368== by 0x491CC87: printf (printf.c:33) > ==3368== by 0x108A97: tftp_handler (uboot_tftp_error_harness.c:57) > > ==3368== Invalid read of size 2 > ==3368== at 0x108A9C: tftp_handler (uboot_tftp_error_harness.c:60) > > TFTP error: '' (0) > Starting again > > exit=99 > >Thanks! > Thanks!
