Headline
CVE-2023-3725: Potential buffer overflow vulnerability in the Zephyr CANbus subsystem
Summary
I spotted a potential buffer overflow vulnerability at the following location in the Zephyr CANbus subsystem source code:
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/canbus/isotp/isotp.c#L886
Details
Ineffective size check due to assert and potential stack-based buffer overflow in /subsys/canbus/isotp/isotp.c:
```c
static inline int send_sf(struct isotp_send_ctx *ctx)
{
	struct can_frame frame = {
		.flags = ctx->tx_addr.ide != 0 ? CAN_FRAME_IDE : 0,
		.id = ctx->tx_addr.ext_id
	};
	size_t len = get_ctx_data_length(ctx);
	int index = 0;
	int ret;
	const uint8_t *data;

	data = get_data_ctx(ctx);
	pull_data_ctx(ctx, len);

	if (ctx->tx_addr.use_ext_addr) {
		frame.data[index++] = ctx->tx_addr.ext_addr;
	}

	frame.data[index++] = ISOTP_PCI_TYPE_SF | len;

	__ASSERT_NO_MSG(len <= ISOTP_CAN_DL - index);
	memcpy(&frame.data[index], data, len); /* VULN */

#ifdef CONFIG_ISOTP_ENABLE_TX_PADDING
	/* AUTOSAR requirement SWS_CanTp_00348 */
	memset(&frame.data[index + len], 0xCC, ISOTP_CAN_DL - len - index);
	frame.dlc = ISOTP_CAN_DL;
#else
	frame.dlc = len + index;
#endif

	ctx->state = ISOTP_TX_SEND_SF;
	ret = can_send(ctx->can_dev, &frame, K_MSEC(ISOTP_A),
		       send_can_tx_cb, ctx);

	return ret;
}
```
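The weak point above is that `__ASSERT_NO_MSG` is the only thing standing between `len` and the fixed-size `frame.data` array, and asserts can be compiled out. The following is an added example, not Zephyr's code or the fix Zephyr shipped: it rebuilds the single-frame logic with an explicit runtime bounds check that returns an error instead of asserting. The struct layouts, `ERR_TOO_LONG` and the 8-byte `ISOTP_CAN_DL` are simplified stand-ins assumed for the example.

```c
/* Added example, not Zephyr's code: single-frame build with a runtime bounds
 * check that survives assertions being compiled out. Types, constants and the
 * error value are simplified stand-ins, not Zephyr's definitions. */
#include <stdint.h>
#include <string.h>
#define ISOTP_CAN_DL      8      /* classic CAN payload size (assumed) */
#define ISOTP_PCI_TYPE_SF 0x00   /* single-frame PCI type nibble */
#define ERR_TOO_LONG      (-1)   /* hypothetical error code */

struct can_frame {               /* stand-in for Zephyr's struct can_frame */
	uint8_t dlc;
	uint8_t data[ISOTP_CAN_DL];
};

struct send_ctx {                /* stand-in for struct isotp_send_ctx */
	int use_ext_addr;
	uint8_t ext_addr;
	const uint8_t *data;
	size_t len;
};

/* Returns the frame dlc, or ERR_TOO_LONG when the payload cannot follow the
 * addressing and PCI bytes inside frame->data. Nothing is copied on error. */
int build_sf(const struct send_ctx *ctx, struct can_frame *frame)
{
	int index = 0;
	size_t len = ctx->len;

	memset(frame, 0, sizeof(*frame));
	if (ctx->use_ext_addr) {
		frame->data[index++] = ctx->ext_addr;
	}
	/* One PCI byte still follows: an error return replaces the assert */
	if (len > (size_t)(ISOTP_CAN_DL - index - 1)) {
		return ERR_TOO_LONG;
	}
	frame->data[index++] = ISOTP_PCI_TYPE_SF | (uint8_t)len;
	memcpy(&frame->data[index], ctx->data, len);
	frame->dlc = (uint8_t)(len + index);
	return frame->dlc;
}
/* Demonstration helper: constructed 8-byte payload, returns build_sf result */
int demo_build(int use_ext, size_t len)
{
	static const uint8_t payload[ISOTP_CAN_DL] = {1, 2, 3, 4, 5, 6, 7, 8};
	struct send_ctx ctx = { use_ext, 0xAA, payload, len };
	struct can_frame frame;
	return build_sf(&ctx, &frame);
}
```

With extended addressing only 6 payload bytes fit (address byte plus PCI byte), without it 7; anything larger is rejected before `memcpy` runs, whatever the build's assert configuration.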
PoC
I haven’t tried to reproduce this potential vulnerability against a live install of the Zephyr OS.
Impact
If the unchecked input above is attacker-controlled and crosses a security boundary, the impact of the buffer overflow vulnerability could range from denial of service to arbitrary code execution.
Related news
Zephyr RTOS versions 3.5.0 and below suffer from a multitude of buffer overflow vulnerabilities.