AR# 72768

Design Advisory for Zynq UltraScale+ MPSoC/RFSoC - 2019.1 FSBL: Image Header Table (IHT) Buffer Overflow


The AcOffset variable is read in from the Image Header Table (IHT) before the IHT has been authenticated and is used to calculate the total size of the image header to read in

If the AcOffset is modified by an adversary, the adversary would have an opportunity to perform a classic buffer overflow attack by reading in more data than should be allowed. 

Note that the buffer ImageHdr which is used to store the image header read from external memory is stored in the upper portion of OCM memory and lies within address 0xFFFF_0000. 

The FSBL cannot be overwritten as the FSBL code resides in the lower portion of OCM memory, but an adversary only needs to overwrite a minimum of 65,535 bytes of data before malicious code can be loaded.

For more information on how to sign up to receive notifications of new Design Advisories, see (Xilinx Answer 18683).


This vulnerability impacts the 2019.1 (and older) FSBL. A patch for the 2019.1 FSBL is linked to this Answer Record.

This issue has been fixed in the 2019.2 version, where the FSBL checks the size before copying and returns an error in case of size overflow.


Associated Attachments

Name File Size File Type 210 KB ZIP
AR# 72768
Date 11/08/2019
Status Active
Type Design Advisory