* Was plain U-Boot affected by CVE-2023-39902?
@ 2025-06-19  7:35 Rolf Eike Beer
  2025-06-23 15:13 ` Tom Rini
  0 siblings, 1 reply; 4+ messages in thread
From: Rolf Eike Beer @ 2025-06-19  7:35 UTC (permalink / raw)
  To: u-boot

Hi all,

for entirely unrelated reasons I came across CVE-2023-39902:

> A software vulnerability has been identified in the U-Boot Secondary Program
> Loader (SPL) before 2023.07 on select NXP i.MX 8M family processors. Under
> certain conditions, a crafted Flattened Image Tree (FIT) format structure
> can be used to overwrite SPL memory, allowing unauthenticated software to
> execute on the target, leading to privilege escalation.

This links to https://community.nxp.com/t5/i-MX-Security/U-Boot-Secondary-Program-Loader-Authentication-Vulnerability-CVE/ta-p/1736196, which links 4
patches. The relevant one seems to me
https://github.com/nxp-imx/uboot-imx/commit/0746cfd931de8f7591d263ff60dd806ffe23c093,
and for my limited understanding the actual fix is the first hunk.

A similar change has been made in 6039e0edc8540bd2a ("imx: hab: Simplify the 
mechanism"), so I wonder if this is just an unnoticed instance of the very 
same bug?

Opinions?

Regards,

Eike
-- 
Rolf Eike Beer

emlix GmbH
Headquarters: Berliner Str. 12, 37073 Göttingen, Germany
Phone +49 (0)551 30664-0, e-mail info@emlix.com
District Court of Göttingen, Registry Number HR B 3160
Managing Directors: Heike Jordan, Dr. Uwe Kracke
VAT ID No. DE 205 198 055
Office Berlin: Panoramastr. 1, 10178 Berlin, Germany
Office Bonn: Bachstr. 6, 53115 Bonn, Germany
http://www.emlix.com

emlix - your embedded Linux partner


* Re: Was plain U-Boot affected by CVE-2023-39902?
  2025-06-19  7:35 Was plain U-Boot affected by CVE-2023-39902? Rolf Eike Beer
@ 2025-06-23 15:13 ` Tom Rini
  2025-06-23 15:26   ` Heinrich Schuchardt
  2025-06-24  1:31   ` [EXT] " Ye Li
  0 siblings, 2 replies; 4+ messages in thread
From: Tom Rini @ 2025-06-23 15:13 UTC (permalink / raw)
  To: Rolf Eike Beer, Stefano Babic, Fabio Estevam,
	NXP i.MX U-Boot Team, Peng Fan
  Cc: u-boot

On Thu, Jun 19, 2025 at 09:35:25AM +0200, Rolf Eike Beer wrote:
> Hi all,
> 
> for entirely unrelated reasons I came across CVE-2023-39902:
> 
> > A software vulnerability has been identified in the U-Boot Secondary Program
> > Loader (SPL) before 2023.07 on select NXP i.MX 8M family processors. Under
> > certain conditions, a crafted Flattened Image Tree (FIT) format structure
> > can be used to overwrite SPL memory, allowing unauthenticated software to
> > execute on the target, leading to privilege escalation.
> 
> This links to https://community.nxp.com/t5/i-MX-Security/U-Boot-Secondary-Program-Loader-Authentication-Vulnerability-CVE/ta-p/1736196, which links 4
> patches. The relevant one seems to me
> https://github.com/nxp-imx/uboot-imx/commit/0746cfd931de8f7591d263ff60dd806ffe23c093,
> and for my limited understanding the actual fix is the first hunk.
> 
> A similar change has been made in 6039e0edc8540bd2a ("imx: hab: Simplify the 
> mechanism"), so I wonder if this is just an unnoticed instance of the very 
> same bug?
> 
> Opinions?

Let's add the iMX folks..

-- 
Tom


* Re: Was plain U-Boot affected by CVE-2023-39902?
  2025-06-23 15:13 ` Tom Rini
@ 2025-06-23 15:26   ` Heinrich Schuchardt
  2025-06-24  1:31   ` [EXT] " Ye Li
  1 sibling, 0 replies; 4+ messages in thread
From: Heinrich Schuchardt @ 2025-06-23 15:26 UTC (permalink / raw)
  To: Tom Rini
  Cc: u-boot, Rolf Eike Beer, Stefano Babic, Fabio Estevam,
	NXP i.MX U-Boot Team, Peng Fan

On 23.06.25 17:13, Tom Rini wrote:
> On Thu, Jun 19, 2025 at 09:35:25AM +0200, Rolf Eike Beer wrote:
>> Hi all,
>>
>> for entirely unrelated reasons I came across CVE-2023-39902:
>>
>>> A software vulnerability has been identified in the U-Boot Secondary Program
>>> Loader (SPL) before 2023.07 on select NXP i.MX 8M family processors. Under
>>> certain conditions, a crafted Flattened Image Tree (FIT) format structure
>>> can be used to overwrite SPL memory, allowing unauthenticated software to
>>> execute on the target, leading to privilege escalation.
>>
>> This links to https://community.nxp.com/t5/i-MX-Security/U-Boot-Secondary-Program-Loader-Authentication-Vulnerability-CVE/ta-p/1736196, which links 4
>> patches. The relevant one seems to me
>> https://github.com/nxp-imx/uboot-imx/commit/0746cfd931de8f7591d263ff60dd806ffe23c093,
>> and for my limited understanding the actual fix is the first hunk.
>>
>> A similar change has been made in 6039e0edc8540bd2a ("imx: hab: Simplify the
>> mechanism"), so I wonder if this is just an unnoticed instance of the very
>> same bug?
>>
>> Opinions?
> 
> Let's add the iMX folks..
> 

MA-21597 check spl fit pointer before parsing it
https://github.com/nxp-imx/uboot-imx/commit/6cb283bb4e19da6667abaedd83efc23a15fdc48d

could be improved:

The check should better be in fit_config_verify() to cover all usages.

Best regards

Heinrich
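
Added example, not part of this thread and not U-Boot or NXP code: a sketch of a pre-parse header sanity check of the general kind the commit title names, run from one verification entry point so every caller is covered, as suggested above. The field offsets follow the devicetree (FDT) header; `fit_blob_sane`, `verify_config_checked`, `stub_sig_ok` and the sample bytes are hypothetical, and what the NXP commit actually checks is not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>
#define FDT_MAGIC    0xd00dfeedu
#define FDT_HDR_SIZE 40u /* v17 header: ten big-endian 32-bit fields */

/* Big-endian 32-bit load that does not assume alignment. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Hypothetical helper: 0 if the blob may be parsed, -1 otherwise.
 * avail is the number of bytes actually loaded at fit. */
int fit_blob_sane(const void *fit, size_t avail)
{
    const uint8_t *h = fit;
    if (!fit || avail < FDT_HDR_SIZE || be32(h) != FDT_MAGIC)
        return -1;
    uint32_t total = be32(h + 4);
    uint32_t off_struct = be32(h + 8), size_struct = be32(h + 36);
    uint32_t off_strings = be32(h + 12), size_strings = be32(h + 32);
    if (total < FDT_HDR_SIZE || total > avail)
        return -1;
    /* Subtract rather than add so attacker-chosen values cannot wrap. */
    if (off_struct > total || size_struct > total - off_struct)
        return -1;
    if (off_strings > total || size_strings > total - off_strings)
        return -1;
    return 0;
}

/* Hypothetical single entry point: the sanity check runs for every
 * caller before the signature check (passed in here) sees the blob. */
typedef int (*sig_check_fn)(const void *fit, int conf_noffset);
int verify_config_checked(const void *fit, size_t avail, int conf_noffset,
                          sig_check_fn check)
{
    return fit_blob_sane(fit, avail) ? -1 : check(fit, conf_noffset);
}

/* Stand-in for the real signature check, so the example links. */
int stub_sig_ok(const void *fit, int n) { (void)fit; (void)n; return 0; }

/* Constructed 64-byte sample blob header, not from a real image. */
const uint8_t sample_ok[64] = {
    0xd0, 0x0d, 0xfe, 0xed, 0, 0, 0, 64, 0, 0, 0, 40, 0, 0, 0, 40,
    0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 16, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 24 };

int main(void) { return verify_config_checked(sample_ok, 64, 0, stub_sig_ok); }
```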


* RE: [EXT] Re: Was plain U-Boot affected by CVE-2023-39902?
  2025-06-23 15:13 ` Tom Rini
  2025-06-23 15:26   ` Heinrich Schuchardt
@ 2025-06-24  1:31   ` Ye Li
  1 sibling, 0 replies; 4+ messages in thread
From: Ye Li @ 2025-06-24  1:31 UTC (permalink / raw)
  To: Tom Rini, Rolf Eike Beer, Stefano Babic, Fabio Estevam,
	dl-uboot-imx, Peng Fan
  Cc: u-boot@lists.denx.de

It is the same bug, also resolved by 6039e0edc8540bd2a ("imx: hab: Simplify the mechanism").
NXP downstream uses a different implementation from upstream.

Best regards,
Ye Li
> -----Original Message-----
> From: Tom Rini <trini@konsulko.com>
> Sent: Monday, June 23, 2025 11:14 PM
> To: Rolf Eike Beer <eb@emlix.com>; Stefano Babic <sbabic@nabladev.com>;
> Fabio Estevam <festevam@gmail.com>; dl-uboot-imx <uboot-imx@nxp.com>;
> Peng Fan <peng.fan@nxp.com>
> Cc: u-boot@lists.denx.de
> Subject: [EXT] Re: Was plain U-Boot affected by CVE-2023-39902?
> 
> On Thu, Jun 19, 2025 at 09:35:25AM +0200, Rolf Eike Beer wrote:
> > Hi all,
> >
> > for entirely unrelated reasons I came across CVE-2023-39902:
> >
> > > A software vulnerability has been identified in the U-Boot Secondary
> > > Program Loader (SPL) before 2023.07 on select NXP i.MX 8M family
> > > processors. Under certain conditions, a crafted Flattened Image Tree
> > > (FIT) format structure can be used to overwrite SPL memory, allowing
> > > unauthenticated software to execute on the target, leading to privilege
> > > escalation.
> >
> > This links to
> > https://community.nxp.com/t5/i-MX-Security/U-Boot-Secondary-Program-Loader-Authentication-Vulnerability-CVE/ta-p/1736196,
> > which links 4 patches. The relevant one seems to me
> > https://github.com/nxp-imx/uboot-imx/commit/0746cfd931de8f7591d263ff60dd806ffe23c093,
> > and for my limited understanding the actual fix is the first hunk.
> >
> > A similar change has been made in 6039e0edc8540bd2a ("imx: hab:
> > Simplify the mechanism"), so I wonder if this is just an unnoticed
> > instance of the very same bug?
> >
> > Opinions?
> 
> Let's add the iMX folks..
> 
> --
> Tom
