2 Aug
2023
2 Aug
'23
10:16 p.m.
Hello.
I was analyzing CVE-2019-14194 and I think the patch can be bypassed. patch https://source.denx.de/u-boot/u-boot/-/commit/aa207cf3a6d68f39d64cd29057a4fb63943e9078
In nfs_read_reply, rlen is signed int. So we can make it less than zero. The value less than zero can bypass the check at line 756. This will lead to overflow due that assign has an unsigned int len parameter.
For example -1 will become 0xffffffff.
[image: nfs_read_reply_cve_2019_14194.png]
I've constructed some code to prove this.
[image: nfs_read_reply_cve_2019_14194_bypass.png]
[image: nfs_read_reply_cve_2019_14194_3.png]
Thanks.
