When booting a Zynq-7000 SoC device from NAND flash memory, the NAND driver in the BootROM and FSBL (2020.3 and prior) does not validate the inputs when reading in the NAND’s Parameter Page.
If the spare bytes field read from the Parameter Page contains a malicious, illegal value, a buffer overflow occurs that could lead to arbitrary code execution.
For this attack to succeed, an attacker needs physical access to, and modification of, the board assembly on which the Zynq-7000 SoC device is mounted, in order to replace the original NAND flash memory with a NAND flash emulation device.
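The defensive counterpart to the missing check described above, as an added illustration that is not code from the Xilinx BootROM or FSBL: the Parameter Page fields are bounds-checked against fixed buffer capacities before any of them is used to size a buffer. The capacities, the function names and the negative result codes are assumptions; the field offsets (bytes 80-83 for data bytes per page, 84-85 for spare bytes per page) follow the ONFI parameter page layout.

```c
#include <stdint.h>
#include <string.h>

/* Assumed capacities (not taken from the Xilinx BootROM/FSBL): the largest
 * page and spare area the boot code is assumed to have buffer space for. */
#define MAX_DATA_BYTES_PER_PAGE  8192u
#define MAX_SPARE_BYTES_PER_PAGE 448u
#define PARAM_PAGE_LEN           256u
/* ONFI parameter page field offsets. */
#define ONFI_DATA_BYTES_OFFSET   80  /* uint32 LE: number of data bytes per page */
#define ONFI_SPARE_BYTES_OFFSET  84  /* uint16 LE: number of spare bytes per page */

struct nand_geometry { uint32_t data_bytes_per_page; uint16_t spare_bytes_per_page; };

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success or a negative code for a rejected parameter page.
 * The unchecked pattern the advisory describes sizes its buffers from the
 * spare-bytes field as read; here both fields are bounds-checked first. */
int parse_onfi_parameter_page(const uint8_t *page, size_t len, struct nand_geometry *out) {
    if (page == NULL || out == NULL || len < PARAM_PAGE_LEN) return -1;
    if (memcmp(page, "ONFI", 4) != 0) return -2;  /* signature at bytes 0-3 */
    uint32_t data  = le32(page + ONFI_DATA_BYTES_OFFSET);
    uint16_t spare = (uint16_t)(page[ONFI_SPARE_BYTES_OFFSET] |
                                (page[ONFI_SPARE_BYTES_OFFSET + 1] << 8));
    /* Data page size must be a non-zero power of two that fits the buffer. */
    if (data == 0 || (data & (data - 1)) != 0 || data > MAX_DATA_BYTES_PER_PAGE) return -3;
    /* Spare area must be non-zero and fit the fixed spare buffer. */
    if (spare == 0 || spare > MAX_SPARE_BYTES_PER_PAGE) return -4;
    out->data_bytes_per_page  = data;
    out->spare_bytes_per_page = spare;
    return 0;
}

/* Builds a constructed parameter page (not a dump from real flash) with the
 * given field values and returns the parser's result code for it. */
int check_geometry(uint32_t data, uint16_t spare) {
    uint8_t page[PARAM_PAGE_LEN];
    struct nand_geometry g;
    memset(page, 0, sizeof page);
    memcpy(page, "ONFI", 4);
    for (int i = 0; i < 4; i++) page[ONFI_DATA_BYTES_OFFSET + i] = (uint8_t)(data >> (8 * i));
    page[ONFI_SPARE_BYTES_OFFSET]     = (uint8_t)spare;
    page[ONFI_SPARE_BYTES_OFFSET + 1] = (uint8_t)(spare >> 8);
    return parse_onfi_parameter_page(page, sizeof page, &g);
}
```

An emulated flash presenting an out-of-range spare-bytes value is rejected at parse time instead of reaching the buffer-sizing code.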
Figure 1 is a high-level summary that can be used to determine whether an existing system is impacted.
For more information on how to sign up to receive notifications of new Design Advisories, see (Xilinx Answer 18683).
If physical access to the Zynq-7000 is possible, ensure that the tamper boundary extends to not only the Zynq-7000 SoC but also to the NAND interface.
Additional protections include: