Headline
CVE-2023-5184: Signed to unsigned conversion errors and buffer overflow vulnerabilities in the Zephyr IPM driver
Two potential signed to unsigned conversion errors and buffer overflow vulnerabilities at the following locations in the Zephyr IPM drivers.
Summary
I spotted two signed to unsigned conversion errors and buffer overflow vulnerabilities at the following locations in the Zephyr IPM driver source code:
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/ipm/ipm_imx.c
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/ipm/ipm_mcux.c
Details
Buffer overflow if size is negative, due to signed/unsigned conversion in /drivers/ipm/ipm_imx.c:
static int imx_mu_ipm_send(const struct device *dev, int wait, uint32_t id, const void *data, int size) { const struct imx_mu_config *config = dev->config; MU_Type *base = MU(config); uint32_t data32[IMX_IPM_DATA_REGS]; #if !IS_ENABLED(CONFIG_IPM_IMX_REV2) mu_status_t status; #endif int i;
if (id \> CONFIG\_IPM\_IMX\_MAX\_ID\_VAL) {
return \-EINVAL;
}
if (size \> CONFIG\_IPM\_IMX\_MAX\_DATA\_SIZE) { /\* VULN: ineffective check if size is negative \*/
return \-EMSGSIZE;
}
/\* Actual message is passing using 32 bits registers \*/
memcpy(data32, data, size); /\* VULN: buffer overflow if size is negative \*/
…
Buffer overflow if size is negative, due to signed/unsigned conversion in /drivers/ipm/ipm_mcux.c:
static int mcux_mailbox_ipm_send(const struct device *d, int wait, uint32_t id, const void *data, int size) { const struct mcux_mailbox_config *config = d->config; MAILBOX_Type *base = config->base; uint32_t data32[MCUX_IPM_DATA_REGS]; /* Until we change API * to uint32_t array */ unsigned int flags; int i;
ARG\_UNUSED(wait);
if (id \> MCUX\_IPM\_MAX\_ID\_VAL) {
return \-EINVAL;
}
if (size \> MCUX\_IPM\_DATA\_REGS \* sizeof(uint32\_t)) { /\* VULN: ineffective check if size is negative \*/
return \-EMSGSIZE;
}
flags \= irq\_lock();
/\* Actual message is passing using 32 bits registers \*/
memcpy(data32, data, size); /\* VULN: buffer overflow if size is negative \*/
…
PoC
I haven’t tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.
Impact
If the inputs above are attacker-controlled and cross a security boundary, the impact of the unsigned conversion errors and buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.
Related news
Zephyr RTOS versions 3.5.0 and below suffer from a multitude of buffer overflow vulnerabilities.