On Fri, Feb 27, 2026 at 09:28:44PM +0000, Lee, Sin Liang wrote:
> Thank you for the quick response. We will follow the submission guidelines
> for our fixes and attribution.
> In the meantime, would you be able to confirm the reported vulnerabilities on
> your side? That would help us make sure we are aligned on impact and scope as
> we finalize the fixes.

I'm adding our networking custodian to the thread, for when he has time to
take a look.

> Regards,
> Sin Liang
>
>
> ________________________________
> From: Tom Rini
> Sent: Friday, February 27, 2026 1:42 PM
> To: Lee, Sin Liang
> Cc: [email protected]; Kim, Taesoo; Zhang, Cen; [email protected]; [email protected]
> Subject: Re: Security Disclosure: Multiple buffer overflow vulnerabilities in
> NFS client
>
> On Fri, Feb 27, 2026 at 06:25:14PM +0000, Lee, Sin Liang wrote:
> > Dear U-Boot Maintainers,
> >
> > I'm Sin Liang Lee, a member of Team
> > Atlanta<https://team-atlanta.github.io/> from Georgia Institute of
> > Technology, winners of DARPA's AI Cyber Challenge
> > (AIxCC)<https://aicyberchallenge.com/>. We're reaching out to submit a
> > vulnerability report that we identified using our system, ATLANTIS, in your
> > project. This effort is part of DARPA's initiative to apply competition
> > technologies to real-world open source projects.
> >
> > We have built an AI-enhanced CRS (Cyber Reasoning System) for automatic
> > vulnerability detection and repair. Using a combination of targeted fuzzing
> > (via OSS-Fuzz infrastructure) and AI-assisted static analysis, we
> > identified four buffer overflow vulnerabilities in the U-Boot NFS client
> > reply parsers (net/nfs-common.c). These affect the current upstream
> > codebase and include a signedness bypass of the mitigation introduced for
> > CVE-2019-14193.
>
> Ah, so that explains the squashfs report last week. I am glad to see
> that part of the challenge now is fixing and not just reporting the
> issues. Please see
> https://docs.u-boot.org/en/latest/develop/sending_patches.html for how
> to correctly submit patches to the project. And while we do not
> currently have formal guidelines around AI-assisted contributions,
> please see:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/coding-assistants.rst
> for how the Linux Kernel expects things to be attributed and note that
> we also are requesting that the commit message be human and not
> AI-written/assisted. Thanks!
>
> --
> Tom

--
Tom