CVE-2022-1041

In the Zephyr Bluetooth mesh core stack, an out-of-bounds write can be triggered during provisioning.

Impact

In the Zephyr Bluetooth mesh core stack, an out-of-bounds write can be triggered during provisioning because the PB-ADV transaction layer does not check that the SegN field of a Transaction Start PDU is consistent with its TotalLength field.

In gen_prov_start there is no check that SegN matches TotalLength. For example, a Transaction Start PDU with TotalLength 65 and SegN 62 is accepted as valid, although for TotalLength 65 the only correct SegN is 2: the Start PDU carries the first 20 bytes and each Transaction Continuation PDU carries up to 23, so 65 bytes span three segments, numbered 0 to 2. The unverified SegN 62 is stored in link.rx.last_seg.

By sending a malformed Transaction Start PDU with a legal TotalLength and an oversized SegN, an attacker therefore bypasses the check of SegO against SegN (link.rx.last_seg) in the Transaction Continuation PDU handler.

Consequently, a Transaction Continuation PDU with an oversized SegO (larger than 2, the highest segment index that fits the 65-byte rx_buf) triggers an out-of-bounds write: the segment is copied to offset 20 + (SegO - 1)×23 in rx_buf, so for SegO > 2 the copy ends at 20 + (SegO - 1)×23 + 23 > 65, past the end of the buffer.
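The following is an added example, not Zephyr's code or the fix referenced in the patches below. It models the advisory's arithmetic (20-byte Start payload, 23-byte Continuation payload, 65-byte rx_buf) with a hypothetical struct prov_rx standing in for link.rx, shows the Start handling with and without the SegN-versus-TotalLength check, and bounds the Continuation copy so that a poisoned last_seg can no longer push the write past the buffer. Function names and the struct are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes taken from the advisory's arithmetic: a Transaction Start PDU carries
 * 20 bytes of payload, each Transaction Continuation PDU carries up to 23,
 * and the reassembly buffer (rx_buf) is 65 bytes. */
#define START_PAYLOAD_LEN 20U
#define CONT_PAYLOAD_LEN  23U
#define RX_BUF_SIZE       65U

/* Hypothetical reassembly state standing in for link.rx (assumption). */
struct prov_rx {
    uint8_t  buf[RX_BUF_SIZE];
    uint16_t total_len; /* TotalLength from the Start PDU */
    uint8_t  last_seg;  /* SegN from the Start PDU */
};

/* SegN that a well-formed Start PDU must carry for TotalLength bytes:
 * segment 0 holds 20 bytes, every later segment up to 23. */
uint8_t expected_seg_n(uint16_t total_len)
{
    if (total_len <= START_PAYLOAD_LEN) {
        return 0;
    }
    return (uint8_t)((total_len - START_PAYLOAD_LEN + CONT_PAYLOAD_LEN - 1) /
                     CONT_PAYLOAD_LEN);
}

/* Offset in rx_buf where continuation segment SegO (>= 1) is written. */
size_t seg_offset(uint8_t seg_o)
{
    return START_PAYLOAD_LEN + (size_t)(seg_o - 1) * CONT_PAYLOAD_LEN;
}

/* Vulnerable Start handling as the advisory describes it: TotalLength is
 * range-checked ("legal TotalLength") but SegN is stored unverified. */
bool start_pdu_vulnerable(struct prov_rx *rx, uint16_t total_len, uint8_t seg_n)
{
    if (total_len > RX_BUF_SIZE) {
        return false;
    }
    rx->total_len = total_len;
    rx->last_seg = seg_n; /* SegN 62 with TotalLength 65 is accepted here */
    return true;
}

/* Hardened Start handling: SegN must match TotalLength (the missing check). */
bool start_pdu_fixed(struct prov_rx *rx, uint16_t total_len, uint8_t seg_n)
{
    if (total_len > RX_BUF_SIZE || seg_n != expected_seg_n(total_len)) {
        return false;
    }
    rx->total_len = total_len;
    rx->last_seg = seg_n;
    return true;
}

/* Where a full 23-byte continuation would end if only the SegO <= last_seg
 * guard were applied; 0 means that guard rejects it. With last_seg poisoned
 * to 62, SegO 3..62 pass although the end lies beyond the 65-byte rx_buf. */
size_t unchecked_write_end(uint8_t last_seg, uint8_t seg_o)
{
    if (seg_o == 0 || seg_o > last_seg) {
        return 0;
    }
    return seg_offset(seg_o) + CONT_PAYLOAD_LEN;
}

/* Continuation handling with the SegO guard plus an explicit bounds check on
 * the copy, so the write cannot leave rx_buf even when last_seg is wrong. */
bool cont_pdu(struct prov_rx *rx, uint8_t seg_o, const uint8_t *data, size_t len)
{
    if (seg_o == 0 || seg_o > rx->last_seg) {
        return false; /* not a continuation segment of this transaction */
    }
    size_t off = seg_offset(seg_o);
    if (len > CONT_PAYLOAD_LEN || off + len > sizeof(rx->buf)) {
        return false; /* would write past rx_buf: the out-of-bounds write */
    }
    if (off + len > rx->total_len) {
        return false; /* would write past TotalLength of this transaction */
    }
    memcpy(&rx->buf[off], data, len);
    return true;
}

/* Replays a Start PDU (TotalLength, SegN) followed by a Continuation PDU
 * carrying SegO and a full 23-byte constructed segment. Returns true when the
 * continuation is copied into rx_buf, false when either PDU is rejected. */
bool run_transaction(uint16_t total_len, uint8_t seg_n, uint8_t seg_o, bool use_fixed_start)
{
    struct prov_rx rx;
    uint8_t seg[CONT_PAYLOAD_LEN];
    memset(&rx, 0, sizeof(rx));
    memset(seg, 0x41, sizeof(seg)); /* constructed payload */

    bool started = use_fixed_start ? start_pdu_fixed(&rx, total_len, seg_n)
                                   : start_pdu_vulnerable(&rx, total_len, seg_n);
    if (!started) {
        return false;
    }
    return cont_pdu(&rx, seg_o, seg, sizeof(seg));
}

int main(void)
{
    printf("expected SegN for TotalLength 65: %u\n", expected_seg_n(65));
    printf("SegO 3 write end with last_seg 62: %zu\n", unchecked_write_end(62, 3));
    printf("vulnerable start, SegO 3 accepted: %d\n", run_transaction(65, 62, 3, false));
    printf("fixed start accepts SegN 62: %d\n", run_transaction(65, 62, 1, true));
    return 0;
}
```

The two checks are independent: start_pdu_fixed closes the hole the advisory describes, and the bounds check in cont_pdu is defense in depth that keeps the copy inside rx_buf regardless of what last_seg holds.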

Patches

This has been fixed in:

main: #45136
v3.0: #45188
v2.7: #45187

Credits

Han Yan (闫晗), Lewei Qu (曲乐炜), Dongxiang Ke (柯懂湘) of Baidu AIoT Security Team

For more information

If you have any questions or comments about this advisory:

  • Open an issue in zephyr
  • Email us at Zephyr-vulnerabilities

embargo: 2022-06-19
