Zion Leonahenahe Basque mahaloz

View GitHub Profile
@mahaloz
mahaloz / cvedesc.txt
Last active October 22, 2019 18:31 — forked from deephooloovoo/cvedesc.txt
Description of CVE-2019-13103 through CVE-2019-13106
Found by Paul Emge and Zion Basque at ForAllSecure
CVE-2019-13103:
There is a stack overflow when reading a DOS partition table which refers to itself. This causes part_get_info_extended to call itself repeatedly with the same arguments, causing unbounded stack growth. In the sandbox configuration, this results in a segfault. On QEMU's vexpress-a15 board, the CPU returns to 0 but continues executing NOPs until it hits data and executes it. From analyzing the code, it appears to affect all versions of u-boot in the archives.
CVE-2019-13104:
At ext4fs.c:74 it is possible for len to underflow while listing files in a crafted filesystem. If this happens, eventually there is a memcpy with a negative (so effectively infinite) length. This causes all of memory to be overwritten until, on the sandbox, it segfaults. On a real platform, I'm not sure what would happen, but there's definitely memory corruption. This affects versions 2016.11-rc1 through 2019.07-rc4.
CVE-2019-13105:
If there is an invalid/out-of bo

Keybase proof

I hereby claim:

  • I am mahaloz on github.
  • I am mahaloz (https://keybase.io/mahaloz) on keybase.
  • I have a public key ASBpTQNGyDNgEiPMrg8EioC8SfToIKQg9PXrGmtZYt_fcgo

To claim this, I am signing this object: