Hooloovoo deephooloovoo
deephooloovoo / cvedesc.txt
Last active October 24, 2019 15:15
Description of CVE-2019-13103 through CVE-2019-13106
Found by Paul Emge and Zion Basque at ForAllSecure
CVE-2019-13103:
There is a stack overflow when reading a DOS partition table that refers to itself. This causes part_get_info_extended to call itself repeatedly with the same arguments, so the stack grows without bound. In the sandbox configuration this results in a segfault. On QEMU's vexpress-a15 board, the CPU returns to address 0 but continues executing NOPs until it reaches data and executes it. From code analysis, this appears to affect all versions of U-Boot in the archives.
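As an added illustration (not U-Boot's code, and not the part_get_info_extended function itself), the C walker below shows the defensive checks that stop a self-referencing table from recursing without bound: a depth limit, a cap on the number of tables visited, a visited-sector list, and an image-range check. The sector layout follows the standard DOS table (16-byte entries at offset 446, 0x55AA signature); the limits MAX_DEPTH and MAX_TABLES and the absolute-LBA treatment of extended entries are simplifications chosen for this example, and the test images are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative MBR/extended-partition walker with recursion guards; not
 * U-Boot code. The limits below are hypothetical values for the example. */
#define SECTOR      512
#define TABLE_OFF   446   /* partition table offset within a sector */
#define MAX_DEPTH   8     /* deepest allowed nesting of extended tables */
#define MAX_TABLES  64    /* most tables visited in one walk */

enum walk_rc { WALK_OK = 0, WALK_BAD_SIG = -1, WALK_OUT_OF_RANGE = -2,
               WALK_LOOP = -3, WALK_TOO_DEEP = -4, WALK_TOO_MANY = -5 };

struct disk { const uint8_t *data; size_t nsectors; };
struct walk_state { uint32_t visited[MAX_TABLES]; int nvisited; int partitions; };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static int is_extended(uint8_t type) { return type == 0x05 || type == 0x0F || type == 0x85; }

/* Recursive walk. Every start LBA is treated as absolute (real EBR chains use
 * relative addressing); the point here is the guards, not the addressing. */
static int walk_table(const struct disk *d, uint32_t lba, int depth, struct walk_state *st)
{
    if (depth > MAX_DEPTH) return WALK_TOO_DEEP;          /* bounds the stack */
    if (lba >= d->nsectors) return WALK_OUT_OF_RANGE;
    for (int i = 0; i < st->nvisited; i++)
        if (st->visited[i] == lba) return WALK_LOOP;      /* self-reference or cycle */
    if (st->nvisited >= MAX_TABLES) return WALK_TOO_MANY;
    st->visited[st->nvisited++] = lba;

    const uint8_t *sec = d->data + (size_t)lba * SECTOR;
    if (sec[510] != 0x55 || sec[511] != 0xAA) return WALK_BAD_SIG;

    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sec + TABLE_OFF + 16 * i;
        uint8_t type = e[4];
        if (type == 0) continue;                           /* empty slot */
        if (is_extended(type)) {
            int rc = walk_table(d, rd32(e + 8), depth + 1, st);
            if (rc != WALK_OK) return rc;
        } else {
            st->partitions++;
        }
    }
    return WALK_OK;
}

/* Count primary and logical partitions of an in-memory image. Recursion depth
 * is bounded by MAX_DEPTH whatever the image contains. */
int count_partitions(const uint8_t *image, size_t len, int *count)
{
    struct disk d = { image, len / SECTOR };
    struct walk_state st = { {0}, 0, 0 };
    int rc = walk_table(&d, 0, 0, &st);
    *count = st.partitions;
    return rc;
}

/* Helpers to build the constructed test images. */
static void put_entry(uint8_t *sec, int idx, uint8_t type, uint32_t lba)
{
    uint8_t *e = sec + TABLE_OFF + 16 * idx;
    e[4] = type;
    for (int i = 0; i < 4; i++) e[8 + i] = (uint8_t)(lba >> (8 * i));
}
static void put_sig(uint8_t *sec) { sec[510] = 0x55; sec[511] = 0xAA; }

/* Constructed image: the MBR's first entry is an extended partition whose
 * start LBA is sector 0, so the table refers to itself. */
int demo_self_reference(void)
{
    uint8_t img[SECTOR] = {0};
    put_entry(img, 0, 0x05, 0);
    put_sig(img);
    int n;
    return count_partitions(img, sizeof img, &n);   /* WALK_LOOP */
}

/* Constructed image: one primary partition plus an extended table at sector 1
 * that holds one logical partition. */
int demo_valid_chain(void)
{
    uint8_t img[2 * SECTOR] = {0};
    put_entry(img, 0, 0x83, 2048);
    put_entry(img, 1, 0x05, 1);
    put_sig(img);
    put_entry(img + SECTOR, 0, 0x83, 4096);
    put_sig(img + SECTOR);
    int n = 0;
    return count_partitions(img, sizeof img, &n) == WALK_OK ? n : -1;   /* 2 */
}
```

The visited list catches the exact case described above (a table whose extended entry points back at its own sector) on the first recursive call, while the depth limit is the backstop that keeps stack usage bounded even for long non-repeating chains.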
CVE-2019-13104:
At ext4fs.c:74 it is possible for len to underflow while listing files in a crafted filesystem. If this happens, a memcpy is eventually performed with a negative (so effectively infinite) length. This overwrites memory until, on the sandbox, it segfaults. On a real platform, I'm not sure what would happen, but there's definitely memory corruption. This affects versions 2016.11-rc1 through 2019.07-rc4.
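As an added example (not U-Boot's ext4fs.c, whose exact arithmetic is not reproduced here), the C code below isolates the defect class: an unsigned length clamp that wraps when the start offset lies past the end of the file, next to the guarded form that rejects such a request before subtracting anything. The file contents and offsets are constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustration of a length underflow in a file read path; not U-Boot's
 * ext4fs.c. A read routine clamps the request to what is left of the file
 * with unsigned (size_t) arithmetic. When pos lies beyond filesize, the
 * subtraction filesize - pos wraps to a value near SIZE_MAX: the "negative"
 * length that then reaches memcpy. */

/* Unguarded clamp: returns the length that would be handed to memcpy. */
size_t clamp_len_unguarded(size_t filesize, size_t pos, size_t len)
{
    if (pos + len > filesize)
        len = filesize - pos;      /* wraps when pos > filesize */
    return len;
}

/* Guarded clamp: reject a start past the end before subtracting anything. */
int clamp_len_guarded(size_t filesize, size_t pos, size_t len, size_t *out)
{
    if (pos > filesize)
        return -EINVAL;
    size_t remaining = filesize - pos;   /* pos <= filesize, cannot wrap */
    *out = len < remaining ? len : remaining;
    return 0;
}

/* Copy up to len bytes from file[pos..] into dst (capacity dstcap).
 * Returns the byte count copied, or a negative errno value. */
long read_range(const uint8_t *file, size_t filesize, size_t pos, size_t len,
                uint8_t *dst, size_t dstcap)
{
    size_t n;
    int rc = clamp_len_guarded(filesize, pos, len, &n);
    if (rc) return rc;
    if (n > dstcap) return -ENOBUFS;
    memcpy(dst, file + pos, n);
    return (long)n;
}

/* Constructed request: a 16-byte file, read of 8 bytes starting at offset 32.
 * Returns 1 when the unguarded clamp yields a length larger than the whole
 * file while the guarded clamp rejects the request. */
int demo_underflow_detected(void)
{
    size_t bad = clamp_len_unguarded(16, 32, 8);
    size_t good = 0;
    int rc = clamp_len_guarded(16, 32, 8, &good);
    return bad > 16 && rc == -EINVAL;
}

/* Constructed file; a read that starts 4 bytes before the end yields 4 bytes. */
long demo_read_tail(void)
{
    static const uint8_t file[] = "0123456789abcdef";
    uint8_t dst[8] = {0};
    long n = read_range(file, sizeof file - 1, 12, 8, dst, sizeof dst);
    if (n != 4 || memcmp(dst, "cdef", 4) != 0) return -1;
    return n;   /* 4 */
}
```

The ordering is the whole point: validate the offset against the file size first, then derive the remaining length from a subtraction that can no longer wrap, and only then call memcpy.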
CVE-2019-13105:
If there is an invalid/out-of bo