VYPR
Unrated severity · NVD Advisory · Published May 10, 2019 · Updated Aug 4, 2024

CVE-2019-11059

Description

Das U-Boot 2016.11-rc1 through 2019.04 mishandles the ext4 64-bit extension, resulting in a buffer overflow.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A buffer overflow in Das U-Boot's ext4 64-bit extension handling affects versions 2016.11-rc1 through 2019.04.

Vulnerability

Das U-Boot versions 2016.11-rc1 through 2019.04 mishandle the ext4 64-bit extension, leading to a buffer overflow [1]. The vulnerability resides in the ext4 filesystem driver code within the bootloader, specifically when processing ext4 file system images that utilize the 64-bit feature. The affected code path is reachable when U-Boot attempts to read or parse such ext4 partitions.

Exploitation

An attacker would need to provide a maliciously crafted ext4 filesystem image (e.g., on a storage device or via network boot) to a target system running a vulnerable version of U-Boot. No authentication is required if the attacker can supply the boot image. The overflow occurs while U-Boot parses the ext4 filesystem metadata, which may happen before any access controls are enforced.

Impact

Successful exploitation triggers the buffer overflow, potentially corrupting memory. This could allow the attacker to disrupt the boot process, cause denial of service, or potentially achieve arbitrary code execution within the bootloader context. Because U-Boot runs before the operating system loads, this may compromise the entire boot chain.

Mitigation

A fix is available in the U-Boot source repository as commit febbc583319b567fe3d83e521cc2ace9be8d1501 [1]. Users should update to a version containing this patch. No workaround is documented. The vulnerability is not listed in the CISA KEV catalog as of the publication date.
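For fleet triage against the affected range stated above, a version-banner check can flag candidate devices. This is an added example, not code from the advisory or the U-Boot project. It assumes banners of the form `U-Boot [SPL|TPL] YYYY.MM[-rcN]`, uses constructed sample banners, and judges by upstream version number only, so a vendor build that backported the fix commit will still be flagged.

```python
import re

# Affected range from the CVE description: 2016.11-rc1 through 2019.04.
# Sort key is (year, month, rc); a final release sorts after all of its RCs.
FINAL = 10**6
FIRST_AFFECTED = (2016, 11, 1)
LAST_AFFECTED = (2019, 4, FINAL)

# Assumed banner shape; an optional patch level (YYYY.MM.PP) is skipped, and
# vendor or git-describe suffixes after the version are ignored.
BANNER = re.compile(
    r"U-Boot(?: SPL| TPL)? (\d{4})\.(\d{2})(?:\.\d+)?(?:-rc(\d+))?"
)


def parse_version(banner):
    """Return (year, month, rc) for a U-Boot banner, or None if not parseable."""
    m = BANNER.search(banner)
    if not m:
        return None
    year, month, rc = m.groups()
    return (int(year), int(month), int(rc) if rc else FINAL)


def in_affected_range(banner):
    """True/False by upstream version; None when the banner has no version."""
    key = parse_version(banner)
    if key is None:
        return None
    return FIRST_AFFECTED <= key <= LAST_AFFECTED


def triage(banners):
    """Map each banner to 'affected', 'not-in-range' or 'unknown'."""
    labels = {True: "affected", False: "not-in-range", None: "unknown"}
    return {b: labels[in_affected_range(b)] for b in banners}


if __name__ == "__main__":
    # Constructed sample banners, e.g. as recovered from a serial console log.
    samples = [
        "U-Boot 2016.09.01 (Oct 01 2016 - 10:00:00 +0000)",
        "U-Boot SPL 2018.03-rc2 (Feb 20 2018 - 09:30:00 +0000)",
        "U-Boot 2019.04-00012-g0123abc (May 02 2019 - 08:00:00 +0000)",
        "U-Boot 2019.07-rc1",
        "vendor bootloader v3",
    ]
    for banner, verdict in triage(samples).items():
        print(f"{verdict:13} {banner}")
```

Treat an "affected" result as a prompt to confirm whether the build includes the fix commit, and an "unknown" result as a device that needs manual inspection.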

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

22

References

2
