Headline
CVE-2023-4260: Off-by-one buffer overflow vulnerability in the Zephyr FS subsystem
Potential off-by-one buffer overflow vulnerability in the Zephyr FUSE file system access layer (subsys/fs/fuse_fs_access.c).
Summary
I spotted an off-by-one buffer overflow vulnerability at the following location in the Zephyr FS subsystem source code:
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/fs/fuse_fs_access.c
Details
If the string passed to the following function via the path parameter is PATH_MAX - 1 characters long (PATH_MAX bytes including the NUL terminator), the unbounded sprintf() call marked below needs PATH_MAX + 1 bytes for the path, the appended slash and the terminator, so it writes the terminating NUL one byte past the end of the stack buffer mount_path:
```c
static int fuse_fs_access_readdir(const char *path, void *buf,
				  fuse_fill_dir_t filler, off_t off,
				  struct fuse_file_info *fi)
{
	struct fs_dir_t dir;
	struct fs_dirent entry;
	int err;
	struct stat stat;

	ARG_UNUSED(off);
	ARG_UNUSED(fi);

	if (strcmp(path, "/") == 0) {
		return fuse_fs_access_readmount(buf, filler);
	}

	fs_dir_t_init(&dir);

	if (is_mount_point(path)) {
		/* File system API expects trailing slash for a mount point
		 * directory but FUSE strips the trailing slashes from
		 * directory names so add it back.
		 */
		char mount_path[PATH_MAX];

		sprintf(mount_path, "%s/", path); /* VULN */
		err = fs_opendir(&dir, mount_path);
	} else {
		err = fs_opendir(&dir, path);
	}
	…
```
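The boundary case described above, as an added stand-alone example that is not part of the Zephyr source (the demo_ names and the size DEMO_PATH_MAX are this example's own assumptions, chosen small so the edge case can be written out). The first function reproduces the unbounded sprintf(mount_path, "%s/", path) against a backing array that carries one canary byte past the PATH_MAX boundary, so the stray NUL can be observed without undefined behaviour; the second is the bounded replacement with the length check a fix at this call site needs, returning -ENAMETOOLONG instead of truncating, since a silently truncated mount path would name a different directory.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Zephyr code. DEMO_PATH_MAX stands in for PATH_MAX so the
 * boundary case is short enough to write out; the arithmetic is the same for
 * any size. */
#define DEMO_PATH_MAX 8
#define DEMO_CANARY   0xAA

/* Mirrors sprintf(mount_path, "%s/", path) from fuse_fs_access_readdir().
 * The backing array is one byte larger than DEMO_PATH_MAX and that extra byte
 * holds a canary standing in for whatever the compiler placed after
 * mount_path on the real stack, so a one-byte overrun stays inside the array
 * (no undefined behaviour here) but is still visible.
 * Returns 1 if the canary was overwritten, 0 if the write stayed within
 * DEMO_PATH_MAX bytes, -1 if the path is longer than DEMO_PATH_MAX - 1
 * (a length the FUSE layer would not hand over). */
int demo_unsafe_append_slash(const char *path)
{
	char storage[DEMO_PATH_MAX + 1];

	if (strlen(path) >= DEMO_PATH_MAX) {
		return -1;
	}
	storage[DEMO_PATH_MAX] = (char)DEMO_CANARY;

	/* strlen(path) + 1 ('/') + 1 (NUL) bytes are written; with
	 * strlen(path) == DEMO_PATH_MAX - 1 that is DEMO_PATH_MAX + 1. */
	sprintf(storage, "%s/", path);

	return (unsigned char)storage[DEMO_PATH_MAX] != DEMO_CANARY;
}

/* Hardened form. snprintf() never writes past out_size bytes and reports the
 * length the full string needed; anything that would not fit, terminator
 * included, is rejected with -ENAMETOOLONG (the negative-errno convention the
 * Zephyr fs API uses) rather than truncated, because a truncated mount path
 * would name a different directory. Returns 0 on success. */
int demo_safe_append_slash(const char *path, char *out, size_t out_size)
{
	int n = snprintf(out, out_size, "%s/", path);

	if (n < 0 || (size_t)n >= out_size) {
		return -ENAMETOOLONG;
	}
	return 0;
}

/* Convenience wrapper with a DEMO_PATH_MAX-sized stack buffer, the shape the
 * real call site has. */
int demo_safe_fits(const char *path)
{
	char mount_path[DEMO_PATH_MAX];

	return demo_safe_append_slash(path, mount_path, sizeof(mount_path));
}

int main(void)
{
	/* Constructed inputs: one byte under the limit and exactly at it. */
	const char *fits = "/abcde";   /* 6 chars: "/abcde/" + NUL = 8 bytes */
	const char *edge = "/abcdef";  /* 7 chars: "/abcdef/" + NUL = 9 bytes */
	char out[DEMO_PATH_MAX];

	printf("%-9s unsafe overrun=%d safe=%d\n", fits,
	       demo_unsafe_append_slash(fits), demo_safe_fits(fits));
	printf("%-9s unsafe overrun=%d safe=%d\n", edge,
	       demo_unsafe_append_slash(edge), demo_safe_fits(edge));

	if (demo_safe_append_slash(fits, out, sizeof(out)) == 0) {
		printf("mount path: %s\n", out);
	}
	return 0;
}
```

With DEMO_PATH_MAX set to 8, "/abcde" fits in both versions while "/abcdef" is exactly the PATH_MAX - 1 case: the unbounded write clobbers the canary with the terminating NUL, and the bounded version reports -ENAMETOOLONG instead.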
PoC
I haven’t tried to reproduce this potential vulnerability against a live install of the Zephyr OS.
Impact
If the unchecked path above is attacker-controlled and crosses a security boundary, the single NUL byte written past mount_path lands on whatever the compiler placed directly after the buffer on the stack; depending on that layout, the off-by-one could corrupt an adjacent local variable or saved value and be exploited to cause a denial of service or, in principle, achieve arbitrary code execution.
Related news
Zephyr RTOS versions 3.5.0 and below suffer from a multitude of buffer overflow vulnerabilities.