Impact
Performing fs_stat on a file with a filename longer than 12 characters will cause a buffer overflow.
Where the overflow occurs: subsys/fs/fat_fs.c:306, where the struct is defined with MAX_FILE_NAME.
To Reproduce
Steps to reproduce the behavior:
Enable Long File Name support (i.e. CONFIG_FS_FATFS_LFN=y in prj.conf)
After mounting a filesystem, call fs_stat("/SD:/some-long-file-name.txt", ...);
Build, targeting native_posix
See *** buffer overflow detected ***: terminated in the output when running zephyr.exe
Expected behavior
fs_stat will return with a result, typically -ENOENT.
Impact
Corrupted memory if there is no memory protection in place.
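The overflow described above, reconstructed as an added example (this is not Zephyr's code): a stand-in directory entry whose name field is sized by MAX_FILE_NAME, the unchecked strcpy pattern beside a bounds-checked version that reports -ENAMETOOLONG instead of writing past the field. The struct layout, the 12-byte value and the function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_FILE_NAME 12   /* assumed: sized for 8.3 short names, not LFN */

/* Stand-in for the directory-entry struct the advisory points at:
 * the name field holds MAX_FILE_NAME bytes plus a terminator. */
struct dir_entry {
    int type;
    char name[MAX_FILE_NAME + 1];
    unsigned long size;
};

/* Vulnerable pattern from the advisory: strcpy() copies as many bytes as
 * the source holds. With CONFIG_FS_FATFS_LFN a 19-character name such as
 * "2020-05-28-1340.log" runs past name[] into the fields behind it; the
 * fortified strcpy in the gdb trace is what aborts. Shown for contrast. */
void fill_name_unchecked(struct dir_entry *e, const char *fname)
{
    strcpy(e->name, fname);
}

/* Hardened form: measure first, copy only if the name fits, otherwise
 * return a negative errno (fs_stat's convention) and leave the entry
 * untouched rather than truncating silently. */
int fill_name_checked(struct dir_entry *e, const char *fname)
{
    size_t len = strlen(fname);

    if (len > MAX_FILE_NAME) {
        return -ENAMETOOLONG;
    }
    memcpy(e->name, fname, len + 1);   /* includes the terminator */
    return 0;
}

/* Result of stat-ing a constructed name against a fresh entry. */
int stat_name_result(const char *fname)
{
    struct dir_entry e = {0};
    return fill_name_checked(&e, fname);
}

int main(void)
{
    const char *names[] = { "LOG.TXT", "ABCDEFGH.TXT", "2020-05-28-1340.log" };
    for (size_t i = 0; i < 3; i++) {
        printf("%-20s -> %d\n", names[i], stat_name_result(names[i]));
    }
    return 0;
}
```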
Screenshots or console output
Output from gdb
(gdb) file zephyr/zephyr.exe
Reading symbols from zephyr/zephyr.exe...
(gdb) run
Starting program: /home/nzsmartie/Projects/smartbike/app/sanity-out/native_posix/processor.logger/zephyr/zephyr.exe
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0xf7c7eb40 (LWP 413479)]
[New Thread 0xf72ffb40 (LWP 413480)]
[New Thread 0xf6afeb40 (LWP 413481)]
*** Booting Zephyr OS build zephyr-v2.2.0 ***
[Thread 0xf7c7eb40 (LWP 413479) exited]
Running test suite logger_processor_test
===================================================================
starting test - test_logger_file
[New Thread 0xf7c7eb40 (LWP 413482)]
E: failed get file or dir stat (-2)
D: Successfully opened log file: /NAND:/SmartBike/Logs/2020-05-28-1340.log
*** buffer overflow detected ***: terminated
Thread 5 "zephyr.exe" received signal SIGABRT, Aborted.
[Switching to Thread 0xf7c7eb40 (LWP 413482)]
0xf7fd0b49 in __kernel_vsyscall ()
(gdb) backtrace
#0 0xf7fd0b49 in __kernel_vsyscall ()
#1 0xf7cb64c6 in raise () from /lib/i386-linux-gnu/libc.so.6
#2 0xf7c9e3f7 in abort () from /lib/i386-linux-gnu/libc.so.6
#3 0xf7cfb4ac in ?? () from /lib/i386-linux-gnu/libc.so.6
#4 0xf7d9936c in __fortify_fail () from /lib/i386-linux-gnu/libc.so.6
#5 0xf7d97d7f in __chk_fail () from /lib/i386-linux-gnu/libc.so.6
#6 0xf7d97805 in __strcpy_chk () from /lib/i386-linux-gnu/libc.so.6
#7 0x5655e9b3 in strcpy (__src=0xf7c7deda "2020-05-28-1340.log",
__dest=0xf7c7e054 "\b\001\353\367L\341\307", <incomplete sequence \367>)
at /usr/include/bits/string_fortified.h:90
#8 fatfs_stat (mountp=0x5656c040 <test_mount>, path=0xf7c7e078 "/NAND:/SmartBike/Logs/2020-05-28-1340.log",
entry=0xf7c7e050) at /home/nzsmartie/Projects/smartbike/zephyr/subsys/fs/fat_fs.c:306
#9 0x5655e60e in fs_stat (abs_path=<optimized out>, entry=0xf7c7e050)
at /home/nzsmartie/Projects/smartbike/zephyr/subsys/fs/fs.c:459
#10 0x5655b0d3 in test_log_created ()
at /home/nzsmartie/Projects/smartbike/app/tests/processor/logger/src/main.cpp:63
#11 0x5655b24b in test_logger_file ()
at /home/nzsmartie/Projects/smartbike/app/tests/processor/logger/src/main.cpp:105
#12 0x5655f03a in run_test_functions (test=0x5656c000 <test_main::_logger_processor_test>)
at /home/nzsmartie/Projects/smartbike/zephyr/subsys/testsuite/ztest/src/ztest.c:148
#13 test_cb (a=0x5656c000 <test_main::_logger_processor_test>, dummy2=0x0, dummy=0x0)
at /home/nzsmartie/Projects/smartbike/zephyr/subsys/testsuite/ztest/src/ztest.c:281
#14 0x5655b948 in z_thread_entry (entry=0x5655f00a <test_cb>, p1=0x5656c000 <test_main::_logger_processor_test>,
p2=0x0, p3=0x0) at /home/nzsmartie/Projects/smartbike/zephyr/lib/os/thread_entry.c:29
#15 0x5655c41b in posix_thread_starter (arg=0x2)
at /home/nzsmartie/Projects/smartbike/zephyr/arch/posix/core/posix_core.c:305
#16 0xf7e77635 in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
#17 0xf7d8973a in clone () from /lib/i386-linux-gnu/libc.so.6
Environment (please complete the following information):
OS: Linux
Toolchain: Zephyr SDK v0.11.2
Zephyr: v2.2.0 (9518bd1)
See #25710
Patches
This has been fixed in:
For more information
If you have any questions or comments about this advisory:
embargo: 2020-09-04
zepsec: ZEPSEC-88