Full Report
Intro
This post will try to do a small introduction to the QL language using real-world vulnerabilities that I found in the past, and it will end with a small challenge using QL. A few months ago, I heard of Semmle QL for the first time. What they do is perform multiple code analysis techniques against source code and dump the results into a database. Then, using the QL language, you can query this data to perform variant analysis.
Analysis Summary
# Vulnerability: Memory Corruption in Barebox Bootloader via Network Reads (CVE-2019-15937 & CVE-2019-15938)
## CVE Details
- CVE ID: CVE-2019-15937, CVE-2019-15938
- CVSS Score: Not specified in the provided text.
- CWE: Inferred to be related to Integer Overflow or Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-190 / CWE-122), based on reading `uint32` values from the network and using them as sizes in memory operations.
## Affected Systems
- Products: barebox bootloader
- Versions: Not explicitly listed, but vulnerabilities were found and subsequently fixed.
- Configurations: Vulnerable when loading elements (like file system components) from a network resource where attacker-controlled data dictates buffer sizes.
## Vulnerability Description
The vulnerabilities stem from reading **`uint32`** values directly from a network resource and subsequently using these untrusted values as the size parameter for in-memory operations (like network reads or memory copies/allocations) without proper validation. This pattern is dangerous because an attacker controlling the network data can supply an excessively large value, leading to a memory corruption issue when the system attempts to process that size.
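As an added illustration of the pattern described above (example code, not from barebox or the SensePost write-up): a hypothetical length-prefixed frame parser in C, with the untrusted-size pattern placed next to a checked version. The frame layout, the `read_block` names and the sample frames are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout for the example: 4-byte big-endian length, then
 * payload. This is NOT barebox's NFS wire format. */
static const uint8_t hostile_frame[8] = { 0xFF, 0xFF, 0xFF, 0xFF, 'A', 'B', 'C', 'D' };
static const uint8_t valid_frame[9]   = { 0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the 32-bit length read from the wire is used as the
 * copy size with no validation, so a hostile peer drives memcpy past both
 * the received data and the destination buffer. Never call this on untrusted
 * input; it is here only to show the shape of the bug. */
long read_block_unchecked(const uint8_t *pkt, uint8_t *out)
{
    uint32_t len = be32(pkt);
    memcpy(out, pkt + 4, len);
    return (long)len;
}

/* Hardened reader: returns the payload length copied, or -1 if the frame is
 * rejected. Both bounds (bytes actually received, destination capacity) are
 * checked before the size is used. */
long read_block(const uint8_t *pkt, size_t pkt_len, uint8_t *out, size_t out_cap)
{
    if (pkt_len < 4)
        return -1;                 /* no room for the length field */
    uint32_t len = be32(pkt);
    /* Compare len against the remaining bytes rather than testing len + 4:
     * len + 4 wraps to a small value on a 32-bit target when len is large. */
    if (len > pkt_len - 4)
        return -1;                 /* claims more payload than was received */
    if (len > out_cap)
        return -1;                 /* would overflow the destination buffer */
    memcpy(out, pkt + 4, len);
    return (long)len;
}

int main(void)
{
    uint8_t buf[16];
    printf("hostile frame -> %ld\n", read_block(hostile_frame, sizeof hostile_frame, buf, sizeof buf));
    printf("valid frame   -> %ld\n", read_block(valid_frame, sizeof valid_frame, buf, sizeof buf));
    return 0;
}
```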
## Exploitation
- Status: CVEs were assigned following researcher discovery and reporting. In-the-wild exploitation is not specified, but the nature of the flaw suggests potential for remote compromise.
- Complexity: Likely **Medium** to **Low**, as it relies on finding the data read path from the network.
- Attack Vector: **Network** (since the data originates from network reads).
## Impact
- Confidentiality: Potential (High, depending on the memory corruption primitive)
- Integrity: Potential (High, leading to arbitrary code execution)
- Availability: Potential (High, leading to denial of service via crash)
## Remediation
### Patches
Two commit references are provided for the fixes:
- Patch 1 (net/nfs.c): `https://git.pengutronix.de/cgit/barebox/commit/net/nfs.c?h=next&id=84986ca024462058574432b5483f4bf9136c538d`
- Patch 2 (fs/nfs.c): `https://git.pengutronix.de/cgit/barebox/commit/fs/nfs.c?h=next&id=574ce994016107ad8ab0f845a785f28d7eaa5208`
### Workarounds
No specific workarounds are detailed in the summary, but the general mitigation is to avoid using network-derived sizes in memory operations until they have been validated against safe maximum limits.
## Detection
- Indicators of Compromise: Not specified.
- Detection methods and tools: The researcher successfully used **Semmle QL** to perform variant analysis, starting from similar issues found in u-boot, to discover analogous flaws in barebox by searching for the usage of specific network reading functions (like those defined in `/include/net.h`) that handle size variables.
## References
- Vendor Advisory/Assignment: Mitre assigned CVE-2019-15937 and CVE-2019-15938.
- Relevant links:
  - SensePost Article: `https://sensepost.com/the-power-of-variant-analysis-semmle-ql-cve-2019-15937-and-cve-2019-15938/`
  - NVD Entry (CVE-2019-15937): `https://nvd.nist.gov/vuln/detail/CVE-2019-15937`
  - NVD Entry (CVE-2019-15938): `https://nvd.nist.gov/vuln/detail/CVE-2019-15938`