CVE-2024-57258 – Integer overflows in memory allocation in Das U-Boot  (19-02-2025)

Preface: U-Boot is both a first-stage and second-stage bootloader. It is loaded by the system’s ROM (e.g. on-chip ROM of an ARM CPU) from a supported boot device, such as an SD card, SATA drive, NOR flash (e.g. using SPI or I²C), or NAND flash.

Background: Das U-Boot is an open source, primary boot loader used in embedded devices to package the instructions to boot the device’s operating system kernel. U-Boot uses commands similar to the Bash shell to manipulate environment variables. U-Boot supports TFTP (Trivial FTP), a stripped-down FTP, so that user authentication is not required for downloading images into the board’s RAM.

LK is the abbreviation of Little Kernel. It is an open source project that is commonly used as the bootloader in Android systems on Qualcomm platforms. LK is the boot part of the whole system, so it is not independent. LK currently supports only the ARM and x86 architectures. Its notable feature is that it implements a simple thread mechanism, and it is deeply customized for use with Qualcomm’s processors.

Vulnerability details: Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1 occur for a crafted squashfs filesystem via sbrk, via request2size, or because ptrdiff_t is mishandled on x86_64.

Remark: An integer overflow is a type of software vulnerability that occurs when a value stored in a variable, such as an integer, exceeds the range its assigned memory space can hold. This can result in unexpected behavior or security issues, such as allowing an attacker to execute arbitrary code.
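To make the remark concrete for an allocator, the added example below (not code from U-Boot or from the advisory) pads a request size the way a malloc-style allocator does, first without and then with an overflow check, and adds an sbrk-style grow that rejects increments a ptrdiff_t cannot represent. The constants, the arena and all function names are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout constants for illustration; not copied from U-Boot. */
#define HDR_SZ     (sizeof(size_t))                 /* per-chunk bookkeeping */
#define ALIGN_MASK ((size_t)(2 * sizeof(size_t) - 1))

/* Unchecked padding: the addition wraps for requests near SIZE_MAX,
 * so a huge request turns into a tiny chunk size. */
static size_t pad_unchecked(size_t req)
{
    return (req + HDR_SZ + ALIGN_MASK) & ~ALIGN_MASK;
}

/* Checked padding: returns 0 when the request cannot be padded safely. */
static size_t pad_checked(size_t req)
{
    if (req > SIZE_MAX - (HDR_SZ + ALIGN_MASK))
        return 0;
    return (req + HDR_SZ + ALIGN_MASK) & ~ALIGN_MASK;
}

static unsigned char arena[4096];  /* constructed stand-in for the heap region */
static size_t arena_used;

/* sbrk-style grow: refuse increments that do not fit a ptrdiff_t or the arena. */
static void *arena_grow(size_t increment)
{
    if (increment > (size_t)PTRDIFF_MAX)
        return NULL;
    if (increment > sizeof(arena) - arena_used)
        return NULL;
    void *p = &arena[arena_used];
    arena_used += increment;
    return p;
}

int main(void)
{
    size_t huge = SIZE_MAX - 4;  /* constructed length, as if read from an image */
    printf("unchecked: %zu\n", pad_unchecked(huge));
    printf("checked:   %zu\n", pad_checked(huge));
    printf("grow huge: %p\n", arena_grow(huge));
    printf("grow 64:   %p\n", arena_grow(64));
    return 0;
}
```

The unchecked path reports a chunk of only two machine words for a request of nearly SIZE_MAX bytes, which is the mismatch between requested and allocated size that the checked variants refuse.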

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-57258
