Summary
I spotted two signed to unsigned conversion errors and buffer overflow vulnerabilities at the following locations in the Zephyr IPM driver source code:
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/ipm/ipm_imx.c
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/ipm/ipm_mcux.c
Details
Buffer overflow if `size` is negative, due to signed/unsigned conversion in /drivers/ipm/ipm_imx.c:

```c
static int imx_mu_ipm_send(const struct device *dev, int wait, uint32_t id,
                           const void *data, int size)
{
    const struct imx_mu_config *config = dev->config;
    MU_Type *base = MU(config);
    uint32_t data32[IMX_IPM_DATA_REGS];
#if !IS_ENABLED(CONFIG_IPM_IMX_REV2)
    mu_status_t status;
#endif
    int i;

    if (id > CONFIG_IPM_IMX_MAX_ID_VAL) {
        return -EINVAL;
    }

    if (size > CONFIG_IPM_IMX_MAX_DATA_SIZE) { /* VULN: ineffective check if size is negative */
        return -EMSGSIZE;
    }

    /* Actual message is passing using 32 bits registers */
    memcpy(data32, data, size); /* VULN: buffer overflow if size is negative */
    ...
```
Buffer overflow if `size` is negative, due to signed/unsigned conversion in /drivers/ipm/ipm_mcux.c:

```c
static int mcux_mailbox_ipm_send(const struct device *d, int wait,
                                 uint32_t id,
                                 const void *data, int size)
{
    const struct mcux_mailbox_config *config = d->config;
    MAILBOX_Type *base = config->base;
    uint32_t data32[MCUX_IPM_DATA_REGS]; /* Until we change API
                                          * to uint32_t array
                                          */
    unsigned int flags;
    int i;

    ARG_UNUSED(wait);

    if (id > MCUX_IPM_MAX_ID_VAL) {
        return -EINVAL;
    }

    if (size > MCUX_IPM_DATA_REGS * sizeof(uint32_t)) { /* VULN: ineffective check if size is negative */
        return -EMSGSIZE;
    }

    flags = irq_lock();

    /* Actual message is passing using 32 bits registers */
    memcpy(data32, data, size); /* VULN: buffer overflow if size is negative */
    ...
```
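The following added example (written for this report, not Zephyr code) isolates the length-check pattern shared by both drivers above so it can be compiled and tested on a host. It uses hypothetical bounds (`DEMO_MAX_DATA_SIZE_INT`, `DEMO_MAX_DATA_SIZE_SZ`) standing in for `CONFIG_IPM_IMX_MAX_DATA_SIZE` and `MCUX_IPM_DATA_REGS * sizeof(uint32_t)`, and a constructed payload. It shows that a negative `int size` passes a `size > bound` test when the bound is an `int`, that `memcpy` then receives the value converted to a huge `size_t`, and how an explicit `size < 0` rejection closes the gap. The outcome of the bare comparison depends on the bound's type: against a `size_t` bound the usual arithmetic conversions turn the negative value into a large unsigned one and the comparison rejects it, which is why spelling out the negative check makes the intent unambiguous regardless of how the bound is declared.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for the drivers' bounds; values are constructed, not Zephyr's. */
#define DEMO_DATA_REGS 4
#define DEMO_MAX_DATA_SIZE_INT 16                                 /* int-typed, like an integer Kconfig literal */
#define DEMO_MAX_DATA_SIZE_SZ (DEMO_DATA_REGS * sizeof(uint32_t)) /* size_t-typed, like REGS * sizeof(uint32_t) */

/* Constructed 16-byte payload used by the demo send routine. */
const unsigned char demo_payload[DEMO_DATA_REGS * sizeof(uint32_t)] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
};

/* Length check as written in the drivers, against an int-typed bound.
 * Both operands are int, so -1 > 16 is simply false and a negative size passes. */
int check_against_int_bound(int size)
{
    if (size > DEMO_MAX_DATA_SIZE_INT) {
        return -EMSGSIZE;
    }
    return 0;
}

/* Same check against a size_t-typed bound. The int operand is converted to size_t
 * (C11 6.3.1.8), so -1 becomes SIZE_MAX and the comparison rejects it.
 * Compilers flag this comparison with -Wsign-compare for exactly this reason. */
int check_against_size_t_bound(int size)
{
    if (size > DEMO_MAX_DATA_SIZE_SZ) {
        return -EMSGSIZE;
    }
    return 0;
}

/* Hardened check: reject negatives explicitly, then compare as size_t. */
int check_hardened(int size)
{
    if (size < 0 || (size_t)size > DEMO_MAX_DATA_SIZE_SZ) {
        return -EMSGSIZE;
    }
    return 0;
}

/* The length memcpy() actually receives: its third parameter is size_t,
 * so a negative int arrives as a value near SIZE_MAX. */
size_t memcpy_length_for(int size)
{
    return (size_t)size;
}

/* Send-like routine using the hardened check. Returns the number of bytes
 * staged into the register image, or -EMSGSIZE if the length is rejected. */
int demo_send(const void *data, int size)
{
    uint32_t data32[DEMO_DATA_REGS];
    int rc = check_hardened(size);

    if (rc != 0) {
        return rc;
    }
    memset(data32, 0, sizeof(data32));
    memcpy(data32, data, (size_t)size); /* size is now known to be within [0, sizeof(data32)] */
    return size;
}
```

Running the checks side by side makes the defect visible without touching any hardware: `check_against_int_bound(-1)` returns 0 (accepted) while `memcpy_length_for(-1)` is `SIZE_MAX`, which is the length the original `memcpy` would be handed; `check_hardened(-1)` returns `-EMSGSIZE`. A `-Wsign-compare` warning on the `int` versus `size_t` comparison is a cheap static signal worth treating as an error in driver code that takes caller-supplied lengths.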
PoC
I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.
Impact
If the inputs above are attacker-controlled and cross a security boundary, the impact of the unsigned conversion errors and buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.