Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-5184: Signed to unsigned conversion errors and buffer overflow vulnerabilities in the Zephyr IPM driver

Two potential signed to unsigned conversion errors and buffer overflow vulnerabilities at the following locations in the Zephyr IPM drivers.

CVE
Open in Source
#vulnerability#dos#git#buffer_overflow

Summary

I spotted two signed to unsigned conversion errors and buffer overflow vulnerabilities at the following locations in the Zephyr IPM driver source code:
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/ipm/ipm_imx.c
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/ipm/ipm_mcux.c

Details

Buffer overflow if size is negative, due to signed/unsigned conversion in /drivers/ipm/ipm_imx.c:

static int imx_mu_ipm_send(const struct device *dev, int wait, uint32_t id, const void *data, int size) { const struct imx_mu_config *config = dev->config; MU_Type *base = MU(config); uint32_t data32[IMX_IPM_DATA_REGS]; #if !IS_ENABLED(CONFIG_IPM_IMX_REV2) mu_status_t status; #endif int i;

if (id \> CONFIG\_IPM\_IMX\_MAX\_ID\_VAL) {
    return \-EINVAL;
}

if (size \> CONFIG\_IPM\_IMX\_MAX\_DATA\_SIZE) { /\* VULN: ineffective check if size is negative \*/
    return \-EMSGSIZE;
}

/\* Actual message is passing using 32 bits registers \*/
memcpy(data32, data, size); /\* VULN: buffer overflow if size is negative \*/

Buffer overflow if size is negative, due to signed/unsigned conversion in /drivers/ipm/ipm_mcux.c:

static int mcux_mailbox_ipm_send(const struct device *d, int wait, uint32_t id, const void *data, int size) { const struct mcux_mailbox_config *config = d->config; MAILBOX_Type *base = config->base; uint32_t data32[MCUX_IPM_DATA_REGS]; /* Until we change API * to uint32_t array */ unsigned int flags; int i;

ARG\_UNUSED(wait);

if (id \> MCUX\_IPM\_MAX\_ID\_VAL) {
    return \-EINVAL;
}

if (size \> MCUX\_IPM\_DATA\_REGS \* sizeof(uint32\_t)) { /\* VULN: ineffective check if size is negative \*/
    return \-EMSGSIZE;
}

flags \= irq\_lock();

/\* Actual message is passing using 32 bits registers \*/
memcpy(data32, data, size); /\* VULN: buffer overflow if size is negative \*/

PoC

I haven’t tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

Impact

If the inputs above are attacker-controlled and cross a security boundary, the impact of the unsigned conversion errors and buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.

Related news

Zephyr RTOS 3.x.0 Buffer Overflows

Zephyr RTOS versions 3.5.0 and below suffer from a multitude of buffer overflow vulnerabilities.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE