Headline
CVE-2023-4262: Buffer overflow vulnerabilities in the Zephyr Mgmt subsystem
Possible buffer overflow in Zephyr mgmt subsystem when asserts are disabled
Summary
I spotted a few buffer overflow vulnerabilities at the following locations in the Zephyr Mgmt subsystem source code:
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/mgmt/mcumgr/transport/src/smp.c
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/mgmt/osdp/src/osdp_cp.c
Details
Buffer overflow in smp_alloc_rsp() in /subsys/mgmt/mcumgr/transport/src/smp.c (the request's user data is copied into the response buffer's user-data area without checking that it fits):
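/**
 * Allocate a response packet for @p req and carry the request's net_buf
 * user data over to it.
 *
 * @param req  The request packet (a struct net_buf) whose user data is copied.
 * @param arg  The struct smp_transport the request arrived on; when its
 *             functions.ud_copy hook is set, that hook performs the copy.
 *
 * @return The newly allocated response net_buf, or NULL when no packet could
 *         be allocated or the request's user data would not fit in the
 *         response buffer's user-data area.
 */
void *smp_alloc_rsp(const void *req, void *arg)
{
	const struct net_buf *req_nb = req;
	struct smp_transport *smpt = arg;
	struct net_buf *rsp_nb = smp_packet_alloc();

	if (rsp_nb == NULL) {
		return NULL;
	}

	if (smpt->functions.ud_copy) {
		smpt->functions.ud_copy(rsp_nb, req_nb);
		return rsp_nb;
	}

	/*
	 * The copy length is taken from the request buffer, but the destination
	 * only holds rsp_nb->user_data_size bytes. Copying without this check is
	 * the overflow described by CVE-2023-4262. Refuse rather than truncate:
	 * a partially copied user-data block would be silently inconsistent.
	 */
	if (req_nb->user_data_size > rsp_nb->user_data_size) {
		smp_packet_free(rsp_nb);
		return NULL;
	}

	memcpy(net_buf_user_data(rsp_nb),
	       net_buf_user_data((void *)req_nb),
	       req_nb->user_data_size);

	return rsp_nb;
}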
Buffer overflow in cp_build_command() in /subsys/mgmt/osdp/src/osdp_cp.c, where the only length check before the memcpy is assert_buf_len(), which does nothing when asserts are disabled:
static int cp_build_command(struct osdp_pd *pd, uint8_t *buf, int max_len) { struct osdp_cmd *cmd = NULL; int len = 0; int data_off = osdp_phy_packet_get_data_offset(pd, buf); #ifdef CONFIG_OSDP_SC_ENABLED uint8_t *smb = osdp_phy_packet_get_smb(pd, buf); #endif
buf += data\_off;
max\_len \-= data\_off;
if (max\_len <= 0) {
return OSDP\_CP\_ERR\_GENERIC;
}
switch (pd\->cmd\_id) {
… case CMD_TEXT: cmd = (struct osdp_cmd *)pd->ephemeral_data; assert_buf_len(CMD_TEXT_LEN + cmd->text.length, max_len); /* VULN: assert */ buf[len++] = pd->cmd_id; buf[len++] = cmd->text.reader; buf[len++] = cmd->text.control_code; buf[len++] = cmd->text.temp_time; buf[len++] = cmd->text.offset_row; buf[len++] = cmd->text.offset_col; buf[len++] = cmd->text.length; memcpy(buf + len, cmd->text.data, cmd->text.length); /* VULN: buffer overflow */ len += cmd->text.length; break;
Buffer overflows in pd_build_reply() in /subsys/mgmt/osdp/src/osdp_pd.c, for the same reason: assert_buf_len() is the only length check before each memcpy, and it does nothing when asserts are disabled:
static int pd_build_reply(struct osdp_pd *pd, uint8_t *buf, int max_len) { int ret = OSDP_PD_ERR_GENERIC; int i, len = 0; struct osdp_cmd *cmd; struct osdp_event *event; int data_off = osdp_phy_packet_get_data_offset(pd, buf); #ifdef CONFIG_OSDP_SC_ENABLED uint8_t *smb = osdp_phy_packet_get_smb(pd, buf); #endif buf += data_off; max_len -= data_off;
switch (pd\->reply\_id) {
… case REPLY_KEYPPAD: event = (struct osdp_event *)pd->ephemeral_data; assert_buf_len(REPLY_KEYPAD_LEN + event->keypress.length, max_len); /* VULN: assert */ buf[len++] = pd->reply_id; buf[len++] = (uint8_t)event->keypress.reader_no; buf[len++] = (uint8_t)event->keypress.length; memcpy(buf + len, event->keypress.data, event->keypress.length); /* VULN: buffer overflow */ len += event->keypress.length; ret = OSDP_PD_ERR_NONE; break; case REPLY_RAW: { int len_bytes;
event \= (struct osdp\_event \*)pd\->ephemeral\_data;
len\_bytes \= (event\->cardread.length + 7) / 8;
assert\_buf\_len(REPLY\_RAW\_LEN + len\_bytes, max\_len); /\* VULN: assert \*/
buf\[len++\] \= pd\->reply\_id;
buf\[len++\] \= (uint8\_t)event\->cardread.reader\_no;
buf\[len++\] \= (uint8\_t)event\->cardread.format;
buf\[len++\] \= BYTE\_0(event\->cardread.length);
buf\[len++\] \= BYTE\_1(event\->cardread.length);
memcpy(buf + len, event\->cardread.data, len\_bytes); /\* VULN: buffer overflow \*/
len += len\_bytes;
ret \= OSDP\_PD\_ERR\_NONE;
break;
}
case REPLY\_FMT:
event \= (struct osdp\_event \*)pd\->ephemeral\_data;
assert\_buf\_len(REPLY\_FMT\_LEN + event\->cardread.length, max\_len); /\* VULN: assert \*/
buf\[len++\] \= pd\->reply\_id;
buf\[len++\] \= (uint8\_t)event\->cardread.reader\_no;
buf\[len++\] \= (uint8\_t)event\->cardread.direction;
buf\[len++\] \= (uint8\_t)event\->cardread.length;
memcpy(buf + len, event\->cardread.data, event\->cardread.length); /\* VULN: buffer overflow \*/
len += event\->cardread.length;
ret \= OSDP\_PD\_ERR\_NONE;
break;
…
PoC
I haven’t tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.
Impact
If the unchecked inputs above are attacker-controlled and cross a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.
Related news
Zephyr RTOS versions 3.5.0 and below suffer from a multitude of buffer overflow vulnerabilities.