RIOT 2024.01 Buffer Overflows / Lack Of Size Checks / Out-Of-Bound Access

2024.05.09
Credit: Marco Ivaldi
Risk: High
Local: No
Remote: Yes
CWE: CWE-119

--[ HNS-2024-07 - HN Security Advisory - https://security.humanativaspa.it/ * Title: Multiple vulnerabilities in RIOT OS * OS: RIOT <= 2024.01 * Author: Marco Ivaldi <marco.ivaldi@hnsecurity.it> * Date: 2024-05-07 * CVE ID and severity: * CVE-2024-31225 - High * CVE-2024-32017 - Critical * CVE-2024-32018 - High (low-severity vulnerabilities were not assigned a CVE ID) * Vendor URL: https://www.riot-os.org/ * Advisory URLs: * https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-2572-7q7c-3965 * https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-v97j-w9m6-c4h3 * https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-899m-q6pp-hmp3 * https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-x3j5-hfrr-5x6q * https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-pw2r-pp35-xfmj * https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-c4p4-vv7v-3hx8 * https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-r87w-9vw9-f7cx * https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-2hx7-c324-3rxv * https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-frp5-4gfp-84j3 * https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-x27v-gqp4-7jq3 --[ 0 - Table of contents 1 - Summary 2 - Background 3 - Vulnerabilities 3.1 - CVE-2024-31225 - Lack of size check and buffer overflow in RIOT /sys/net/application_layer/cord/lc/cord_lc.c 3.2 - CVE-2024-32017 - Buffer overflows in RIOT /sys/net/application_layer/gcoap/ 3.3 - CVE-2024-32018 - Ineffective size check due to assert() and buffer overflow in RIOT /pkg/nimble/scanlist/nimble_scanlist.c 3.4 - Unsafe use of the return value of vsnprintf() and out-of-bounds memory access in RIOT /cpu/esp_common/lib_printf.c 3.5 - Ineffective size check due to assert() and buffer overflow in RIOT /sys/net/ble/skald/skald_eddystone.c 3.6 - Ineffective size check due to assert() and buffer overflow in RIOT /sys/suit/handlers_command_seq.c 3.7 - Integer wraparound and buffer overflow in RIOT /drivers/mtd_emulated/mtd_emulated.c 3.8 - Off-by-one buffer overflow and unterminated string in RIOT /pkg/lwext4/fs/lwext4_fs.c 3.9 - Unsafe use of the return value of snprintf() and out-of-bounds memory access in RIOT /sys/shell/cmds/vfs.c 3.10 - Lack of size checks and buffer overflows in RIOT /sys/net/application_layer/emcute/emcute.c 4 - Affected products 5 - Remediation 6 - Disclosure timeline 7 - Acknowledgments 8 - References --[ 1 - Summary "Where there is parsing, there are bugs." -- Dr. Silvio Cesare RIOT [1] is a free, open-source, real-time operating system developed by a grassroots community gathering companies, academia, and hobbyists, distributed all around the world. It supports most low-power IoT devices, microcontroller architectures (32-bit, 16-bit, 8-bit), and external devices. RIOT aims to implement all relevant open standards supporting an Internet of Things that is connected, secure, durable, and privacy friendly. We reviewed RIOT's source code hosted on GitHub [2] and identified multiple security vulnerabilities that may cause memory corruption. Their impacts range from denial of service to potential arbitrary code execution. --[ 2 - Background Continuing our recent vulnerability research work in the IoT space [3] [4], we keep assisting open-source projects in finding and fixing vulnerabilities by reviewing their source code, with the final goal to make IoT more secure. In January 2024, RIOT was selected as a target of interest. During the source code review, we put our Semgrep C/C++ ruleset [5] and weggli pattern collection [6] to good use to identify hotspots in code on which to focus our attention. --[ 3 - Vulnerabilities The vulnerabilities resulting from our source code review are briefly described in the following sections. --[ 3.1 - CVE-2024-31225 - Lack of size check and buffer overflow in RIOT /sys/net/application_layer/cord/lc/cord_lc.c We spotted the lack of a size check that may lead to a buffer overflow in RIOT source code at: * /sys/net/application_layer/cord/lc/cord_lc.c The `_on_rd_init()` function does not implement a size check before copying data to the `_result_buf` static buffer. If an attacker can craft a long enough payload, they could cause a buffer overflow. See the marked line below: ```c static void _on_rd_init(const gcoap_request_memo_t *memo, coap_pkt_t *pdu, const sock_udp_ep_t *remote) { (void)remote; thread_flags_t flag = FLAG_NORSC; if (memo->state == GCOAP_MEMO_RESP) { unsigned ct = coap_get_content_type(pdu); if (ct != COAP_FORMAT_LINK) { DEBUG("cord_lc: error payload not in link format: %u\n", ct); goto end; } if (pdu->payload_len == 0) { DEBUG("cord_lc: error empty payload\n"); goto end; } memcpy(_result_buf, pdu->payload, pdu->payload_len); // VULN: lack of size check and potential buffer overflow _result_buf_len = pdu->payload_len; _result_buf[_result_buf_len] = '\0'; flag = FLAG_SUCCESS; } else if (memo->state == GCOAP_MEMO_TIMEOUT) { flag = FLAG_TIMEOUT; } end: if (flag != FLAG_SUCCESS) { _result_buf = NULL; _result_buf_len = 0; } thread_flags_set(_waiter, flag); } ``` Note that the `_on_lookup()` function in the same file does implement such an explicit size check: ```c static void _on_lookup(const gcoap_request_memo_t *memo, coap_pkt_t *pdu, const sock_udp_ep_t *remote) { (void)remote; thread_flags_t flag = FLAG_ERR; if (memo->state == GCOAP_MEMO_RESP) { unsigned ct = coap_get_content_type(pdu); if (ct != COAP_FORMAT_LINK) { DEBUG("cord_lc: unsupported content format: %u\n", ct); thread_flags_set(_waiter, flag); } if (pdu->payload_len == 0) { flag = FLAG_NORSC; thread_flags_set(_waiter, flag); } if (pdu->payload_len >= _result_buf_len) { // CHECK flag = FLAG_OVERFLOW; thread_flags_set(_waiter, flag); } memcpy(_result_buf, pdu->payload, pdu->payload_len); memset(_result_buf + pdu->payload_len, 0, _result_buf_len - pdu->payload_len); _result_buf_len = pdu->payload_len; flag = FLAG_SUCCESS; } else if (memo->state == GCOAP_MEMO_TIMEOUT) { flag = FLAG_TIMEOUT; } thread_flags_set(_waiter, flag); } ``` If the unchecked input above is attacker-controlled and crosses a security boundary, the impact of the buffer overflow vulnerability could range from denial of service to arbitrary code execution. Fixes: https://github.com/RIOT-OS/RIOT/pull/20547 See also: https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-2572-7q7c-3965 --[ 3.2 - CVE-2024-32017 - Buffer overflows in RIOT /sys/net/application_layer/gcoap/ We spotted a typo in a size check that may lead to a buffer overflow in RIOT source code at: * /sys/net/application_layer/gcoap/dns.c We also spotted another potential buffer overflow in RIOT source code at: * /sys/net/application_layer/gcoap/forward_proxy.c The size check in the `gcoap_dns_server_proxy_get()` function contains a small typo that may lead to a buffer overflow in the subsequent `strcpy()`. The length of the `_uri` string is checked instead of the length of the `_proxy` string. See the marked lines below: ```c ssize_t gcoap_dns_server_proxy_get(char *proxy, size_t proxy_len) { ssize_t res = 0; mutex_lock(&_client_mutex); if (_dns_server_uri_isset()) { res = strlen(_uri); // VULN: typo, should be strlen(_proxy) if (((size_t)res + 1) > proxy_len) { /* account for trailing \0 */ res = -ENOBUFS; } else { strcpy(proxy, _proxy); // VULN: potential buffer overflow } } mutex_unlock(&_client_mutex); return res; } ``` The `_gcoap_forward_proxy_copy_options()` function does not implement an explicit size check before copying data to the `cep->req_etag` buffer that is `COAP_ETAG_LENGTH_MAX` bytes long. If an attacker can craft input so that optlen becomes larger than `COAP_ETAG_LENGTH_MAX`, they can cause a buffer overflow. See the marked line below: ```c static int _gcoap_forward_proxy_copy_options(coap_pkt_t *pkt, coap_pkt_t *client_pkt, client_ep_t *cep, uri_parser_result_t *urip) { /* copy all options from client_pkt to pkt */ coap_optpos_t opt = {0, 0}; uint8_t *value; bool uri_path_added = false; bool etag_added = false; for (int i = 0; i < client_pkt->options_len; i++) { ssize_t optlen = coap_opt_get_next(client_pkt, &opt, &value, !i); /* wrt to ETag option slack: we always have at least the Proxy-URI option in the client_pkt, * so we should hit at least once (and it's opt_num is also >= COAP_OPT_ETAG) */ if (optlen >= 0) { if (IS_USED(MODULE_NANOCOAP_CACHE) && !etag_added && (opt.opt_num >= COAP_OPT_ETAG)) { static const uint8_t tmp[COAP_ETAG_LENGTH_MAX] = { 0 }; /* add slack to maybe add an ETag on stale cache hit later, as is done in * gcoap_req_send() (which we circumvented in _gcoap_forward_proxy_via_coap()) */ if (coap_opt_add_opaque(pkt, COAP_OPT_ETAG, tmp, sizeof(tmp))) { etag_added = true; } } if (IS_USED(MODULE_NANOCOAP_CACHE) && opt.opt_num == COAP_OPT_ETAG) { if (_cep_get_req_etag_len(cep) == 0) { /* TODO: what to do on multiple ETags? */ _cep_set_req_etag_len(cep, (uint8_t)optlen); #if IS_USED(MODULE_NANOCOAP_CACHE) /* req_tag in cep is pre-processor guarded so we need to as well */ memcpy(cep->req_etag, value, optlen); // VULN: potential buffer overflow if optlen can become larger than COAP_ETAG_LENGTH_MAX #endif ... ``` If the input above is attacker-controlled and crosses a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution. Fixes: https://github.com/RIOT-OS/RIOT/pull/20561 https://github.com/RIOT-OS/RIOT/pull/20579 See also: https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-v97j-w9m6-c4h3 --[ 3.3 - CVE-2024-32018 - Ineffective size check due to assert() and buffer overflow in RIOT /pkg/nimble/scanlist/nimble_scanlist.c We spotted an ineffective size check implemented via `assert()` that may lead to a buffer overflow in RIOT source code at: * /pkg/nimble/scanlist/nimble_scanlist.c Most codebases define assertion macros which compile to a no-op on non-debug builds. If assertions are the only line of defense against untrusted input, the software may be exposed to attacks that leverage the lack of proper input checks. In detail, in the `nimble_scanlist_update()` function below, `len` is checked in an assertion and subsequently used in a call to `memcpy()`. If an attacker is able to provide a larger `len` value while assertions are compiled-out, they can write past the end of the fixed-length `e->ad` buffer. See the marked lines below: ```c /** * @brief Data structure for holding a single scanlist entry */ typedef struct { clist_node_t node; /**< list node */ ble_addr_t addr; /**< a node's BLE address */ uint8_t ad[BLE_ADV_PDU_LEN]; /**< the received raw advertising data */ uint8_t ad_len; /**< length of the advertising data */ int8_t last_rssi; /**< last RSSI of a scanned node */ uint32_t adv_msg_cnt; /**< number of adv packets by a node */ uint32_t first_update; /**< first packet timestamp */ uint32_t last_update; /**< last packet timestamp */ uint8_t type; /**< advertising packet type */ uint8_t phy_pri; /**< primary PHY used */ uint8_t phy_sec; /**< secondary PHY advertised */ } nimble_scanlist_entry_t; ... void nimble_scanlist_update(uint8_t type, const ble_addr_t *addr, const nimble_scanner_info_t *info, const uint8_t *ad, size_t len) { assert(addr); assert(len <= BLE_ADV_PDU_LEN); // VULN: len is checked to be <= BLE_ADV_PDU_LEN only via an assertion uint32_t now = (uint32_t)ztimer_now(ZTIMER_USEC); nimble_scanlist_entry_t *e = _find(addr); if (!e) { e = (nimble_scanlist_entry_t *)clist_lpop(&_pool); if (!e) { /* no space available, dropping newly discovered node */ return; } memcpy(&e->addr, addr, sizeof(ble_addr_t)); if (ad) { memcpy(e->ad, ad, len); // VULN: if len is actually larger than BLE_ADV_PDU_LEN there's a potential buffer overflow } e->ad_len = len; e->last_rssi = info->rssi; e->first_update = now; e->adv_msg_cnt = 1; e->type = type; e->phy_pri = info->phy_pri; e->phy_sec = info->phy_sec; clist_rpush(&_list, (clist_node_t *)e); } else { e->adv_msg_cnt++; } e->last_update = now; } ``` If the unchecked input above is attacker-controlled and crosses a security boundary, the impact of the buffer overflow vulnerability could range from denial of service to arbitrary code execution. Fixes: https://github.com/RIOT-OS/RIOT/pull/20555 See also: https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-899m-q6pp-hmp3 --[ 3.4 - Unsafe use of the return value of vsnprintf() and out-of-bounds memory access in RIOT /cpu/esp_common/lib_printf.c We spotted an unsafe use of the return value of `vsnprintf()` that leads to an out-of-bounds memory access in RIOT source code at: * /cpu/esp_common/lib_printf.c The `vsnprintf()` API function returns the number of characters (excluding the terminating NUL byte) which would have been written to the destination string if enough space had been available. If an attacker is able to craft input so that the final string would become larger than `PRINTF_BUFSIZ`, they can exploit this bug to overwrite a '\n', '\r' or ' ' byte (or a sequence of such bytes) with a NUL byte in memory past the end of the `_printf_buf` static buffer. In addition, the tainted `len` value is returned at the end of the `_lib_printf()` function and may be used unsafely (e.g., as an array index) elsewhere in the code. See the marked lines below: ```c static char _printf_buf[PRINTF_BUFSIZ]; static int _lib_printf(int level, const char* tag, const char* format, va_list arg) { if (level > LOG_LEVEL) { return 0; } int len = vsnprintf(_printf_buf, PRINTF_BUFSIZ - 1, format, arg); // VULN: vsnprintf() returns the total length of the string it tried to create, which may be larger than the actual size of the destination string /* * Since ESP_EARLY_LOG macros add a line break at the end, a terminating * line break in the output must be removed if there is one. */ _printf_buf[PRINTF_BUFSIZ - 1] = 0; int i; for (i = len - 1; i >= 0; --i) { if (_printf_buf[i] != '\n' && _printf_buf[i] != '\r' && _printf_buf[i] != ' ') { break; } _printf_buf[i] = 0; // VULN: very limited oob array write access } if (i > 0) { ESP_EARLY_LOGI(tag, "%s", _printf_buf); } va_end(arg); return len; // VULN: tainted len value is returned } ``` In our understanding, the impact of this vulnerability in this specific case is quite limited. However, all bugs that have the potential to cause memory corruption should be taken seriously and fixed as security bugs. Fixes: https://github.com/RIOT-OS/RIOT/pull/20596 See also: https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-x3j5-hfrr-5x6q --[ 3.5 - Ineffective size check due to assert() and buffer overflow in RIOT /sys/net/ble/skald/skald_eddystone.c We spotted an ineffective size check implemented via `assert()` that may lead to a buffer overflow in RIOT source code at: * /sys/net/ble/skald/skald_eddystone.c Most codebases define assertion macros which compile to a no-op on non-debug builds. If assertions are the only line of defense against untrusted input, the software may be exposed to attacks that leverage the lack of proper input checks. In detail, in the `skald_eddystone_url_adv()` function below, `len` is checked in an assertion and subsequently used in a call to `memcpy()`. If an attacker is able to provide a large `url` while assertions are compiled-out, they can write past the end of the `pdu->url` buffer. See the marked lines below: ```c void skald_eddystone_url_adv(skald_ctx_t *ctx, uint8_t scheme, const char *url, uint8_t tx_pwr, uint32_t adv_itvl_ms) { assert(url && ctx); size_t len = strlen(url); assert(len <= (NETDEV_BLE_PDU_MAXLEN - (URL_HDR_LEN + PREAMBLE_LEN))); // VULN: len is checked only via an assertion eddy_url_t *pdu = (eddy_url_t *)ctx->pkt.pdu; _init_pre(&pdu->pre, EDDYSTONE_URL, (URL_HDR_LEN + len)); /* set remaining service data fields */ pdu->tx_pwr = tx_pwr; pdu->scheme = scheme; memcpy(pdu->url, url, len); // VULN: if len is actually larger than expected there's a potential buffer overflow /* start advertising */ ctx->pkt.len = (sizeof(pre_t) + 2 + len); ctx->adv_itvl_ms = adv_itvl_ms; skald_adv_start(ctx); } ``` If the unchecked input above is attacker-controlled and crosses a security boundary, the impact of the buffer overflow vulnerability could range from denial of service to arbitrary code execution. Fixes: https://github.com/RIOT-OS/RIOT/pull/20577 See also: https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-pw2r-pp35-xfmj --[ 3.6 - Ineffective size check due to assert() and buffer overflow in RIOT /sys/suit/handlers_command_seq.c We spotted an ineffective size check implemented via `assert()` that may lead to a buffer overflow in RIOT source code at: * /sys/suit/handlers_command_seq.c Most codebases define assertion macros which compile to a no-op on non-debug builds. If assertions are the only line of defense against untrusted input, the software may be exposed to attacks that leverage the lack of proper input checks. In detail, in the `_dtv_fetch()` function below, `url_len` is checked in an assertion and subsequently used in a call to `memcpy()`. If an attacker is able to provide a large `url` while assertions are compiled-out, they can write past the end of the `manifest->urlbuf` buffer. See the marked lines below: ```c static int _dtv_fetch(suit_manifest_t *manifest, int key, nanocbor_value_t *_it) { (void)key; (void)_it; LOG_DEBUG("_dtv_fetch() key=%i\n", key); const uint8_t *url; size_t url_len; /* Check the policy before fetching anything */ int res = suit_policy_check(manifest); if (res) { return SUIT_ERR_POLICY_FORBIDDEN; } suit_component_t *comp = _get_component(manifest); /* Deny the fetch if the component was already fetched before */ if (suit_component_check_flag(comp, SUIT_COMPONENT_STATE_FETCHED)) { LOG_ERROR("Component already fetched before\n"); return SUIT_ERR_INVALID_MANIFEST; } nanocbor_value_t param_uri; suit_param_ref_to_cbor(manifest, &comp->param_uri, &param_uri); int err = nanocbor_get_tstr(&param_uri, &url, &url_len); if (err < 0) { LOG_DEBUG("URL parsing failed\n)"); return err; } assert(manifest->urlbuf && url_len < manifest->urlbuf_len); // VULN: url_len is checked only via an assertion memcpy(manifest->urlbuf, url, url_len); // VULN: if url_len is actually larger than expected there's a potential buffer overflow manifest->urlbuf[url_len] = '\0'; ... ``` If the unchecked input above is attacker-controlled and crosses a security boundary, the impact of the buffer overflow vulnerability could range from denial of service to arbitrary code execution. Fixes: https://github.com/RIOT-OS/RIOT/pull/20559 See also: https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-c4p4-vv7v-3hx8 --[ 3.7 - Integer wraparound and buffer overflow in RIOT /drivers/mtd_emulated/mtd_emulated.c We spotted an integer wraparound in a size check that leads to a buffer overflow in RIOT source code at: * /drivers/mtd_emulated/mtd_emulated.c If an attacker is able to provide arbitrary values for the `num` and `sector` arguments to the `_erase_sector()` function, they can cause an integer wraparound to bypass the size check and cause a buffer overflow. See the marked lines below: ```c static int _erase_sector(mtd_dev_t *dev, uint32_t sector, uint32_t num) { mtd_emulated_t *mtd = (mtd_emulated_t *)dev; (void)mtd; assert(mtd); if (/* sector must not exceed the number of sectors */ (sector >= mtd->base.sector_count) || /* sector + num must not exceed the number of sectors */ ((sector + num) > mtd->base.sector_count)) { // VULN: integer wraparound in size check return -EOVERFLOW; } memset(mtd->memory + (sector * (mtd->base.pages_per_sector * mtd->base.page_size)), 0xff, num * (mtd->base.pages_per_sector * mtd->base.page_size)); // VULN: buffer overflow return 0; } ``` We put together a quick proof-of-concept to demonstrate this issue: ``` raptor@blumenkraft Research % cat wraparound5.c #include <stdio.h> #include <stdlib.h> #include <inttypes.h> #define SECTOR_COUNT 256 static int _erase_sector(uint32_t sector, uint32_t num) { if (/* sector must not exceed the number of sectors */ (sector >= SECTOR_COUNT) || /* sector + num must not exceed the number of sectors */ ((sector + num) > SECTOR_COUNT)) { // VULN: wraparound printf("OVERFLOW\n"); return 1; } printf("sector + num = %"PRIu32"\n", sector + num); return 0; } int main(int argc, char **argv) { if (argc < 3) return 1; return _erase_sector(atoi(argv[1]), atoi(argv[2])); } raptor@blumenkraft Research % make wraparound5 cc wraparound5.c -o wraparound5 raptor@blumenkraft Research % ./wraparound5 250 10 OVERFLOW raptor@blumenkraft Research % ./wraparound5 250 4294967295 sector + num = 249 ``` If the input above is attacker-controlled and crosses a security boundary, the impact of the buffer overflow vulnerability could range from denial of service to (less likely in this case) arbitrary code execution. Fixes: https://github.com/RIOT-OS/RIOT/pull/20587 See also: https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-r87w-9vw9-f7cx --[ 3.8 - Off-by-one buffer overflow and unterminated string in RIOT /pkg/lwext4/fs/lwext4_fs.c We spotted an off-by-one buffer overflow in RIOT source code at: * /pkg/lwext4/fs/lwext4_fs.c We also spotted the lack of explicit NUL-termination after strncpy() in the same file. If an attacker is able to make `mount_point` at least `CONFIG_EXT4_MAX_MP_NAME` bytes large, `strcat()` would write a NUL byte past the end of the `mp.name` buffer, thus potentially overwriting the next member of the `ext4_mountpoint` struct [7]. See the marked line below: ```c static int prepare(lwext4_desc_t *fs, const char *mount_point) { mtd_dev_t *dev = fs->dev; struct ext4_blockdev_iface *iface = &fs->iface; memset(&fs->mp, 0, sizeof(fs->mp)); memset(&fs->bdev, 0, sizeof(fs->bdev)); memset(&fs->iface, 0, sizeof(fs->iface)); strncpy(fs->mp.name, mount_point, CONFIG_EXT4_MAX_MP_NAME); strcat(fs->mp.name, "/"); // VULN: off-by-one buffer overflow int res = mtd_init(dev); if (res) { return res; } ... ``` Since `sizeof(dirent->name)` is 255 and `sizeof(entry->d_name)` is only 32, if an attacker can control the input to `strncpy()` they would be able to create a non NUL-terminated string in `entry->d_name`. When such corrupted string is used in other parts of the code, it may cause information leakage or memory corruption. See the marked line below: ```c static int _readdir(vfs_DIR *dirp, vfs_dirent_t *entry) { ext4_dir *dir = _get_ext4_dir(dirp); const ext4_direntry *dirent = ext4_dir_entry_next(dir); if (dirent == NULL) { return 0; } strncpy(entry->d_name, (char *)dirent->name, sizeof(entry->d_name)); // VULN return 1; } ``` In our understanding, the impact of these vulnerabilities in this specific case is quite limited. However, all bugs that have the potential to cause memory corruption should be taken seriously and fixed as security bugs. Fixes: https://github.com/RIOT-OS/RIOT/pull/20586 See also: https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-2hx7-c324-3rxv --[ 3.9 - Unsafe use of the return value of snprintf() and out-of-bounds memory access in RIOT /sys/shell/cmds/vfs.c We spotted an unsafe use of the return value of `snprintf()` that leads to an out-of-bounds memory access in RIOT source code at: * /sys/shell/cmds/vfs.c The `snprintf()` function returns the number of characters (excluding the terminating NUL byte) which would have been written to the destination string if enough space had been available. If an attacker is able to craft input so that the final string would become larger than `bs`, they can exploit this bug to cause a buffer overflow. See the marked lines below: ```c static void _write_block(int fd, unsigned bs, unsigned i) { char block[bs]; char *buf = block; buf += snprintf(buf, bs, "|%03u|", i); // VULN: snprintf() returns the total length of the string it tried to create, which may be larger than bs memset(buf, _get_char(i), &block[bs] - buf); // VULN: buf can point past the block buffer, in addition &block[bs] - buf would be negative and become a large unsigned value block[bs - 1] = '\n'; vfs_write(fd, block, bs); } ``` We put together a quick proof-of-concept to demonstrate this issue: ``` raptor@blumenkraft Research % cat ret1.c #include <stdio.h> #include <string.h> #include <stdlib.h> static char _get_char(unsigned i) { i %= 62; /* a-z, A-Z, 0..9, -> 62 characters */ if (i < 10) { return '0' + i; } i -= 10; if (i <= 'z' - 'a') { return 'a' + i; } i -= 1 + 'z' - 'a'; return 'A' + i; } static void _write_block(unsigned bs, unsigned i) { char block[bs]; char *buf = block; buf += snprintf(buf, bs, "|%03u|", i); // VULN: unsafe use of return value memset(buf, _get_char(i), &block[bs] - buf); // VULN: oob memory write, size becomes a large unsigned value block[bs - 1] = '\n'; } int main(int argc, char **argv) { if (argc < 3) return 1; _write_block(atoi(argv[1]), atoi(argv[2])); return 0; } raptor@blumenkraft Research % make ret1 cc ret1.c -o ret1 raptor@blumenkraft Research % ./ret1 5 10 raptor@blumenkraft Research % ./ret1 5 1000000 zsh: segmentation fault ./ret1 5 1000000 ``` If the input above is attacker-controlled and crosses a security boundary, the impact of the buffer overflow vulnerability could range from denial of service to (less likely in this case) arbitrary code execution. Fixes: https://github.com/RIOT-OS/RIOT/pull/20546 https://github.com/RIOT-OS/RIOT/pull/20595 See also: https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-frp5-4gfp-84j3 --[ 3.10 - Lack of size checks and buffer overflows in RIOT /sys/net/application_layer/emcute/emcute.c We spotted the lack of size checks that may lead to buffer overflows in RIOT source code at: * /sys/net/application_layer/emcute/emcute.c The `emcute_con()` function does not implement a size check before copying data to the `tbuf` static buffer. If an attacker can craft a long enough payload, they could cause a buffer overflow. See the marked line below: ```c int emcute_con(sock_udp_ep_t *remote, bool clean, const char *will_topic, const void *will_msg, size_t will_msg_len, unsigned will_flags) { int res; size_t len; assert(!will_topic || (will_topic && will_msg && !(will_flags & ~PUB_FLAGS))); mutex_lock(&txlock); /* check for existing connections and copy given UDP endpoint */ if (gateway.port != 0) { return EMCUTE_NOGW; } memcpy(&gateway, remote, sizeof(sock_udp_ep_t)); /* figure out which flags to set */ uint8_t flags = (clean) ? EMCUTE_CS : 0; if (will_topic) { flags |= EMCUTE_WILL; } /* compute packet size */ len = (strlen(cli_id) + 6); tbuf[0] = (uint8_t)len; tbuf[1] = CONNECT; tbuf[2] = flags; tbuf[3] = PROTOCOL_VERSION; byteorder_htobebufs(&tbuf[4], CONFIG_EMCUTE_KEEPALIVE); memcpy(&tbuf[6], cli_id, strlen(cli_id)); // VULN: lack of size check and potential buffer overflow ... ``` The `emcute_unsub()` function does not implement a size check before copying data to the `tbuf` static buffer. If an attacker can craft a long enough payload, they could cause a buffer overflow. See the marked line below: ```c int emcute_unsub(emcute_sub_t *sub) { assert(sub && sub->topic.name); if (gateway.port == 0) { return EMCUTE_NOGW; } mutex_lock(&txlock); tbuf[0] = (strlen(sub->topic.name) + 5); tbuf[1] = UNSUBSCRIBE; tbuf[2] = 0; byteorder_htobebufs(&tbuf[3], id_next); waitonid = id_next++; memcpy(&tbuf[5], sub->topic.name, strlen(sub->topic.name)); // VULN: lack of size check and potential buffer overflow int res = syncsend(UNSUBACK, (size_t)tbuf[0], false); if (res == EMCUTE_OK) { if (subs == sub) { subs = sub->next; } else { emcute_sub_t *s; for (s = subs; s; s = s->next) { if (s->next == sub) { s->next = sub->next; break; } } } } mutex_unlock(&txlock); return res; } ``` If the unchecked input above is attacker-controlled and crosses a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution. There is currently no fix for these issues. RIOT maintainers do not consider them to be security critical bugs and therefore they are currently discussing them publicly. See also: https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-x27v-gqp4-7jq3 --[ 4 - Affected products RIOT 2024.01 and (likely) earlier versions are affected by the vulnerabilities discussed in this advisory. --[ 5 - Remediation RIOT maintainers have fixed all the vulnerabilities discussed in this advisory, except for those reported in GHSA-x27v-gqp4-7jq3, which are not considered security critical bugs and are currently being discussed publicly. Please check the official RIOT channels for further information about fixes. --[ 6 - Disclosure timeline We reported the vulnerabilities discussed in this advisory to RIOT maintainers in January 2024, via the handy private reporting feature [8] that is available on GitHub. We are not sure of the reason of the significant delay in the initial maintainers' response. However, once we got their attention they quickly triaged and fixed all vulnerabilities. They also informed us that: * They are treating such delay as an additional security incident. * They added another maintainer to the security group as an immediate action. * They plan on discussing this shortcoming on the next maintainer assembly to find a long term solution. The coordinated disclosure timeline follows: 2024-01-10: Reported the first vulnerability to the RIOT project. 2024-01-11: Reported four more vulnerabilities. 2024-01-12: Reported the rest of the vulnerabilities. 2024-02-09: Asked for feedback on <security@riot-os.org>. 2024-03-05: Asked again for feedback on <security@riot-os.org>. 2024-04-05: Asked again for feedback via GitHub and got the first reply. 2024-04-06: Started collaborating with RIOT to evaluate proposed fixes. 2024-04-10: First security advisory published on GitHub. 2024-04-17: Another security advisory published on GitHub. 2024-04-24: Asked for a status update on the remaining reports. 2024-04-25: Two more security advisories published on GitHub. 2024-04-26: Another security advisory published on GitHub. 2024-04-30: Three more security advisories published on GitHub. 2024-05-07: Published advisory and writeup. --[ 7 - Acknowledgments We would like to thank RIOT maintainers for triaging and fixing the reported vulnerabilities in a particularly friendly and professional way. We really appreciated working with them! --[ 8 - References [1] https://www.riot-os.org/ [2] https://github.com/RIOT-OS/RIOT [3] https://security.humanativaspa.it/ost2-zephyr-rtos-and-a-bunch-of-cves/ [4] https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rtos/ [5] https://security.humanativaspa.it/big-update-to-my-semgrep-c-cpp-ruleset/ [6] https://security.humanativaspa.it/a-collection-of-weggli-patterns-for-c-cpp-vulnerability-research/ [7] https://github.com/gkostka/lwext4/blob/58bcf89a121b72d4fb66334f1693d3b30e4cb9c5/src/ext4.c#L75 [8] https://docs.github.com/en/code-security/security-advisories Copyright (c) 2024 Marco Ivaldi and Humanativa Group. All rights reserved.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top