{"id":2220938,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2220938/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/patch/20260407213231.19133-1-murtaza@saramena.us/","project":{"id":18,"url":"http://patchwork.ozlabs.org/api/1.1/projects/18/?format=json","name":"U-Boot","link_name":"uboot","list_id":"u-boot.lists.denx.de","list_email":"u-boot@lists.denx.de","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260407213231.19133-1-murtaza@saramena.us>","date":"2026-04-07T21:32:31","name":"net: nfs: fix buffer overflow in nfs_readlink_reply()","commit_ref":null,"pull_url":null,"state":"superseded","archived":false,"hash":"f445f966494c591d648c79d8ac53d67953a80d9a","submitter":{"id":93085,"url":"http://patchwork.ozlabs.org/api/1.1/people/93085/?format=json","name":"Murtaza","email":"murtaza@saramena.us"},"delegate":{"id":157425,"url":"http://patchwork.ozlabs.org/api/1.1/users/157425/?format=json","username":"jforissier","first_name":"Jerome","last_name":"Forissier","email":"jerome.forissier@linaro.org"},"mbox":"http://patchwork.ozlabs.org/project/uboot/patch/20260407213231.19133-1-murtaza@saramena.us/mbox/","series":[{"id":499136,"url":"http://patchwork.ozlabs.org/api/1.1/series/499136/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/list/?series=499136","date":"2026-04-07T21:32:31","name":"net: nfs: fix buffer overflow in nfs_readlink_reply()","version":1,"mbox":"http://patchwork.ozlabs.org/series/499136/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2220938/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2220938/checks/","tags":{},"headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n 
envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=fail (p=none dis=none) header.from=saramena.us","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n dmarc=fail (p=none dis=none) header.from=saramena.us","phobos.denx.de;\n spf=pass smtp.mailfrom=murtaza@saramena.us"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frNMn3Ckfz1yD3\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 08 Apr 2026 22:55:33 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id AF0908404A;\n\tWed,  8 Apr 2026 14:55:30 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 1BBE7840AB; Tue,  7 Apr 2026 23:32:44 +0200 (CEST)","from saramena.us (saramena.us [71.19.144.74])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 11E6B8404A\n for <u-boot@lists.denx.de>; Tue,  7 Apr 2026 23:32:42 +0200 (CEST)","from localhost.localdomain (c-98-248-123-35.hsd1.ca.comcast.net\n [98.248.123.35])\n (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA512)\n (No client certificate requested)\n by saramena.us (Postfix) with ESMTPSA id DA54615AB37;\n Tue,  7 Apr 2026 21:32:39 +0000 (UTC)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-1.9 required=5.0 tests=BAYES_00,\n RCVD_IN_DNSWL_BLOCKED,RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,\n RCVD_IN_VALIDITY_RPBL_BLOCKED,SPF_HELO_PASS,SPF_PASS autolearn=ham\n autolearn_force=no version=3.4.2","From":"Murtaza Munaim 
<murtaza@saramena.us>","To":"u-boot@lists.denx.de","Cc":"trini@konsulko.com, jerome.forissier@arm.com, andrew.goodbody@linaro.org,\n Murtaza Munaim <murtaza@saramena.us>","Subject":"[PATCH] net: nfs: fix buffer overflow in nfs_readlink_reply()","Date":"Tue,  7 Apr 2026 14:32:31 -0700","Message-ID":"<20260407213231.19133-1-murtaza@saramena.us>","X-Mailer":"git-send-email 2.50.1","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Mailman-Approved-At":"Wed, 08 Apr 2026 14:55:29 +0200","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"},"content":"nfs_readlink_reply() copies the symlink target from an NFS READLINK\nresponse into the global nfs_path_buff[2048] using a length (rlen)\nobtained from the RPC reply. The existing bounds check validates that\nrlen fits within the RPC packet, but does not check that the result\nfits in the destination buffer.\n\nWhen processing relative symlinks, the target is appended to the\nexisting path. By chaining two symlink resolutions, a malicious NFS\nserver can cause the combined path to exceed 2048 bytes, overflowing\nnfs_path_buff and corrupting adjacent global variables (nfs_path,\nnfs_filename, nfs_download_state, file handles). 
This can be\nexploited to achieve remote code execution during NFS boot.\n\nAdd bounds checks against sizeof(nfs_path_buff) before both the\nrelative (append) and absolute (replace) memcpy operations.\n\nSigned-off-by: Murtaza Munaim <murtaza@saramena.us>\n---\n net/nfs-common.c | 12 +++++++++++-\n 1 file changed, 11 insertions(+), 1 deletion(-)","diff":"diff --git a/net/nfs-common.c b/net/nfs-common.c\nindex 4fbde67a760..30f549f9e1b 100644\n--- a/net/nfs-common.c\n+++ b/net/nfs-common.c\n@@ -671,14 +671,24 @@ static int nfs_readlink_reply(uchar *pkt, unsigned int len)\n \n \tif (*((char *)&rpc_pkt.u.reply.data[2 + nfsv3_data_offset]) != '/') {\n \t\tint pathlen;\n+\t\tint new_len;\n \n \t\tstrcat(nfs_path, \"/\");\n \t\tpathlen = strlen(nfs_path);\n+\t\tnew_len = pathlen + rlen;\n+\t\tif (new_len >= sizeof(nfs_path_buff)) {\n+\t\t\tprintf(\"NFS: symlink too long (%d bytes)\\n\", new_len);\n+\t\t\treturn -NFS_RPC_ERR;\n+\t\t}\n \t\tmemcpy(nfs_path + pathlen,\n \t\t       (uchar *)&rpc_pkt.u.reply.data[2 + nfsv3_data_offset],\n \t\t       rlen);\n-\t\tnfs_path[pathlen + rlen] = 0;\n+\t\tnfs_path[new_len] = 0;\n \t} else {\n+\t\tif (rlen >= sizeof(nfs_path_buff)) {\n+\t\t\tprintf(\"NFS: symlink too long (%d bytes)\\n\", rlen);\n+\t\t\treturn -NFS_RPC_ERR;\n+\t\t}\n \t\tmemcpy(nfs_path,\n \t\t       (uchar *)&rpc_pkt.u.reply.data[2 + nfsv3_data_offset],\n \t\t       rlen);\n","prefixes":[]}
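Review bot: In the relative-symlink branch the new length test sits after strcat(nfs_path, "/"), so the separator and its terminating NUL are already written before any bound is checked; the test should move ahead of the strcat and count that extra byte, otherwise a path that already fills the buffer still writes past its end. Both new checks also compare against sizeof(nfs_path_buff) while the memcpy destinations are nfs_path and nfs_path + pathlen, which is only a correct bound if nfs_path points at the first byte of nfs_path_buff at this point; either state that invariant in a comment or compute the limit from the space remaining after nfs_path. A smaller point: new_len is an int compared with a size_t, which works here because a negative value converts to a large unsigned number and is rejected, but an explicit cast or an unsigned type would make the intent clear and avoid a sign-compare warning.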