Advisory was rejected after further investigation: the data field is not attacker-controlled.
Summary
I spotted a few buffer overflow vulnerabilities at the following locations in the Zephyr Mgmt subsystem source code:
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/mgmt/mcumgr/transport/src/smp.c
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/mgmt/osdp/src/osdp_cp.c
Details
Buffer overflow in /subsys/mgmt/mcumgr/transport/src/smp.c:
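/*
 * Allocate the response packet for an SMP request and carry the request's
 * per-buffer user data over to it.
 *
 * @param req  Request packet (a struct net_buf passed as void *).
 * @param arg  The struct smp_transport the request arrived on; when its
 *             functions.ud_copy hook is set, that hook performs the copy.
 *
 * @return Newly allocated response buffer, or NULL when smp_packet_alloc()
 *         fails.  The caller owns the returned buffer.
 */
void *smp_alloc_rsp(const void *req, void *arg)
{
	const struct net_buf *req_nb = req;
	struct smp_transport *smpt = arg;
	struct net_buf *rsp_nb = smp_packet_alloc();

	if (rsp_nb == NULL) {
		return NULL;
	}

	if (smpt->functions.ud_copy) {
		smpt->functions.ud_copy(rsp_nb, req_nb);
	} else {
		/*
		 * Bound the copy by the destination's user-data area as well
		 * as the source's.  Taking the length from req_nb alone would
		 * overrun rsp_nb's area if the two buffers were allocated with
		 * different user_data_size values; when they match, the copy
		 * is unchanged.
		 */
		size_t n = req_nb->user_data_size;

		if (rsp_nb->user_data_size < n) {
			n = rsp_nb->user_data_size;
		}
		memcpy(net_buf_user_data(rsp_nb),
		       net_buf_user_data((void *)req_nb), n);
	}

	return rsp_nb;
}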
Buffer overflow due to a length check that relies on assert in /subsys/mgmt/osdp/src/osdp_cp.c:
static int cp_build_command(struct osdp_pd *pd, uint8_t *buf, int max_len)
{
struct osdp_cmd *cmd = NULL;
int len = 0;
int data_off = osdp_phy_packet_get_data_offset(pd, buf);
#ifdef CONFIG_OSDP_SC_ENABLED
uint8_t *smb = osdp_phy_packet_get_smb(pd, buf);
#endif
buf += data_off;
max_len -= data_off;
if (max_len <= 0) {
return OSDP_CP_ERR_GENERIC;
}
switch (pd->cmd_id) {
...
case CMD_TEXT:
cmd = (struct osdp_cmd *)pd->ephemeral_data;
assert_buf_len(CMD_TEXT_LEN + cmd->text.length, max_len); /* VULN: assert */
buf[len++] = pd->cmd_id;
buf[len++] = cmd->text.reader;
buf[len++] = cmd->text.control_code;
buf[len++] = cmd->text.temp_time;
buf[len++] = cmd->text.offset_row;
buf[len++] = cmd->text.offset_col;
buf[len++] = cmd->text.length;
memcpy(buf + len, cmd->text.data, cmd->text.length); /* VULN: buffer overflow */
len += cmd->text.length;
break;
Buffer overflows due to length checks that rely on assert in /subsys/mgmt/osdp/src/osdp_pd.c:
static int pd_build_reply(struct osdp_pd *pd, uint8_t *buf, int max_len)
{
int ret = OSDP_PD_ERR_GENERIC;
int i, len = 0;
struct osdp_cmd *cmd;
struct osdp_event *event;
int data_off = osdp_phy_packet_get_data_offset(pd, buf);
#ifdef CONFIG_OSDP_SC_ENABLED
uint8_t *smb = osdp_phy_packet_get_smb(pd, buf);
#endif
buf += data_off;
max_len -= data_off;
switch (pd->reply_id) {
...
case REPLY_KEYPPAD:
event = (struct osdp_event *)pd->ephemeral_data;
assert_buf_len(REPLY_KEYPAD_LEN + event->keypress.length, max_len); /* VULN: assert */
buf[len++] = pd->reply_id;
buf[len++] = (uint8_t)event->keypress.reader_no;
buf[len++] = (uint8_t)event->keypress.length;
memcpy(buf + len, event->keypress.data, event->keypress.length); /* VULN: buffer overflow */
len += event->keypress.length;
ret = OSDP_PD_ERR_NONE;
break;
case REPLY_RAW: {
int len_bytes;
event = (struct osdp_event *)pd->ephemeral_data;
len_bytes = (event->cardread.length + 7) / 8;
assert_buf_len(REPLY_RAW_LEN + len_bytes, max_len); /* VULN: assert */
buf[len++] = pd->reply_id;
buf[len++] = (uint8_t)event->cardread.reader_no;
buf[len++] = (uint8_t)event->cardread.format;
buf[len++] = BYTE_0(event->cardread.length);
buf[len++] = BYTE_1(event->cardread.length);
memcpy(buf + len, event->cardread.data, len_bytes); /* VULN: buffer overflow */
len += len_bytes;
ret = OSDP_PD_ERR_NONE;
break;
}
case REPLY_FMT:
event = (struct osdp_event *)pd->ephemeral_data;
assert_buf_len(REPLY_FMT_LEN + event->cardread.length, max_len); /* VULN: assert */
buf[len++] = pd->reply_id;
buf[len++] = (uint8_t)event->cardread.reader_no;
buf[len++] = (uint8_t)event->cardread.direction;
buf[len++] = (uint8_t)event->cardread.length;
memcpy(buf + len, event->cardread.data, event->cardread.length); /* VULN: buffer overflow */
len += event->cardread.length;
ret = OSDP_PD_ERR_NONE;
break;
...
PoC
I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.
Impact
If the unchecked inputs above are attacker-controlled and cross a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.