
AR# 72768

Design Advisory for Zynq UltraScale+ MPSoC/RFSoC - 2019.1 FSBL: Image Header Table (IHT) Buffer Overflow

Description

The AcOffset variable is read in from the Image Header Table (IHT) before the IHT has been authenticated and is used to calculate the total size of the image header to read in.

If the AcOffset is modified by an adversary, the adversary would have an opportunity to perform a classic buffer overflow attack by reading in more data than should be allowed. 

Note that the buffer ImageHdr, which is used to store the image header read from external memory, is stored in the upper portion of OCM memory and lies within address 0xFFFF_0000.

The FSBL cannot be overwritten as the FSBL code resides in the lower portion of OCM memory, but an adversary only needs to overwrite a minimum of 65,535 bytes of data before malicious code can be loaded.


For more information on how to sign up to receive notifications of new Design Advisories, see (Xilinx Answer 18683).

Solution

This vulnerability impacts the 2019.1 (and older) FSBL. A patch for the 2019.1 FSBL is linked to this Answer Record.

This issue has been fixed in the 2019.2 version, where the FSBL checks the size before copying and returns an error in case of size overflow.
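
The following is an added example, not Xilinx FSBL code, showing the kind of size check described above: a length derived from the unauthenticated AcOffset is validated against the destination buffer before anything is copied. The buffer capacity, the IHT size, the position and byte units of AcOffset, the error codes and the function names are all assumptions made for illustration; only the names ImageHdr and AcOffset come from this advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All sizes, field positions and error codes here are assumed for illustration. */
#define IMAGE_HDR_BUF_SIZE 0x1000u /* capacity of the ImageHdr buffer */
#define IHT_SIZE           0x40u   /* size of the Image Header Table */
#define AC_OFFSET_FIELD    0x10u   /* byte position of AcOffset inside the IHT */
enum { HDR_ERR_SHORT = -1, HDR_ERR_RANGE = -2, HDR_ERR_OVERFLOW = -3 };

static uint8_t ImageHdr[IMAGE_HDR_BUF_SIZE];

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Copies bytes [iht_off, AcOffset) of an unauthenticated boot image into
 * ImageHdr. Returns the number of bytes copied or a negative error code. */
static long load_image_header(const uint8_t *img, size_t img_len, uint32_t iht_off) {
    if (img_len < IHT_SIZE || iht_off > img_len - IHT_SIZE)
        return HDR_ERR_SHORT;            /* the IHT itself is not fully present */
    uint32_t ac_off = read_le32(img + iht_off + AC_OFFSET_FIELD);
    if ((uint64_t)ac_off < (uint64_t)iht_off + IHT_SIZE)
        return HDR_ERR_RANGE;            /* subtraction below would wrap around */
    uint32_t total = ac_off - iht_off;   /* length derived from untrusted data */
    if (total > sizeof ImageHdr)
        return HDR_ERR_OVERFLOW;         /* size check before the copy */
    if (total > img_len - iht_off)
        return HDR_ERR_SHORT;            /* image ends before the claimed length */
    memcpy(ImageHdr, img + iht_off, total);
    return (long)total;
}

/* Constructed sample: a zeroed image whose IHT carries only the given AcOffset. */
static long try_ac_offset(uint32_t ac_off) {
    static uint8_t img[0x4000];
    const uint32_t iht_off = 0x100;
    memset(img, 0, sizeof img);
    for (int i = 0; i < 4; i++)
        img[iht_off + AC_OFFSET_FIELD + i] = (uint8_t)(ac_off >> (8 * i));
    return load_image_header(img, sizeof img, iht_off);
}

int main(void) {
    const uint32_t cases[] = { 0x900, 0x1100, 0x1101, 0xFFFFFFFFu, 0x120 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("AcOffset=0x%08lx -> %ld\n", (unsigned long)cases[i], try_ac_offset(cases[i]));
    return 0;
}
```

The range check ahead of the subtraction matters as much as the size check: without it, an AcOffset smaller than the table offset wraps to a very large unsigned length.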

Attachments

File Name  File Size  File Type
AR72768_sdk_2019_1_preliminary_rev1.zip  210 KB  ZIP

Date  11/08/2019
Status  Active
Type  Design Advisory