Summary
I spotted an off-by-one buffer overflow vulnerability at the following location in the Zephyr FS subsystem source code:
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/fs/fuse_fs_access.c
Details
If the string passed to the following function via the path parameter is PATH_MAX chars long (including the NUL terminator), the insecure sprintf() function call marked below writes one NUL byte off the stack variable mount_path:
```c
static int fuse_fs_access_readdir(const char *path, void *buf,
                                  fuse_fill_dir_t filler, off_t off,
                                  struct fuse_file_info *fi)
{
    struct fs_dir_t dir;
    struct fs_dirent entry;
    int err;
    struct stat stat;

    ARG_UNUSED(off);
    ARG_UNUSED(fi);

    if (strcmp(path, "/") == 0) {
        return fuse_fs_access_readmount(buf, filler);
    }

    fs_dir_t_init(&dir);

    if (is_mount_point(path)) {
        /* File system API expects trailing slash for a mount point
         * directory but FUSE strips the trailing slashes from
         * directory names so add it back.
         */
        char mount_path[PATH_MAX];

        sprintf(mount_path, "%s/", path); /* VULN */
        err = fs_opendir(&dir, mount_path);
    } else {
        err = fs_opendir(&dir, path);
    }
    ...
```
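As an added illustration (not part of this advisory or of Zephyr's code), the following works through the boundary described above and places a length-checked snprintf() builder beside it. PATH_MAX is shrunk to 16 so the off-by-one is easy to exercise, and the helper names (mount_path_bytes_written, mount_path_fits, build_mount_path, try_mount_path) are made up for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed: the real PATH_MAX is much larger; it is shrunk here so the
 * off-by-one boundary can be exercised with short strings. */
#ifdef PATH_MAX
#undef PATH_MAX
#endif
#define PATH_MAX 16

/* Bytes that sprintf(buf, "%s/", path) writes: the path, the added '/',
 * and the NUL terminator. With strlen(path) == PATH_MAX - 1 this is
 * PATH_MAX + 1, so the NUL lands one byte past a PATH_MAX buffer. */
size_t mount_path_bytes_written(const char *path)
{
    return strlen(path) + 2;
}

/* Pre-check: does "%s/" plus the NUL fit in a PATH_MAX buffer? */
bool mount_path_fits(const char *path)
{
    return mount_path_bytes_written(path) <= PATH_MAX;
}

/* Hardened builder (hypothetical helper, not Zephyr's code): snprintf()
 * bounds the write, and its return value reveals truncation, which is
 * reported as an error instead of silently opening the wrong directory. */
int build_mount_path(char *out, size_t out_len, const char *path)
{
    int n = snprintf(out, out_len, "%s/", path);

    if (n < 0 || (size_t)n >= out_len) {
        return -ENAMETOOLONG;
    }
    return 0;
}

/* Wrapper using a PATH_MAX stack buffer, mirroring mount_path above. */
int try_mount_path(const char *path)
{
    char mount_path[PATH_MAX];

    return build_mount_path(mount_path, sizeof(mount_path), path);
}
```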
Patches
This has been fixed in:
- main (v3.5 development cycle) #63079
PoC
I haven't tried to reproduce this potential vulnerability against a live install of the Zephyr OS.
Impact
If the unchecked input above is attacker-controlled and crosses a security boundary, depending on stack layout, the off-by-one buffer overflow vulnerability could be exploited to cause a denial of service or even achieve arbitrary code execution.