
memory access out of range in MbedOS CoAP library parser part #11803

Closed
TheSilentDawn opened this issue Nov 4, 2019 · 7 comments

Comments

@TheSilentDawn

TheSilentDawn commented Nov 4, 2019

Description of defect

Reference: https://github.com/ARMmbed/mbed-os/tree/master/features/frameworks/mbed-coap
Function: sn_coap_parser_options_parse

while (message_left && (**packet_data_pptr != 0xff)) {

Type: Buffer overflow
The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses CoAP input linearly using a while loop. Once an option is parsed in a loop, the current point (*packet_data_pptr) is increased correspondingly. The pointer is restricted by the size of the received buffer, as well as a delimiter byte 0xFF, as shown in line 4 of the code snippet below.

static int8_t sn_coap_parser_options_parse(..., uint8_t **packet_data_pptr, ...)
{
    ...
    while (message_left && (**packet_data_pptr != 0xff)) {
        ...
        if (option_len == 13) {
            option_len = *(*packet_data_pptr + 1) + 13;
            (*packet_data_pptr)++;
        }
        ...
    }
    ...
}

Unfortunately, inside each while loop, the check of the value of packet_data_pptr is not strictly enforced. More specifically, inside a loop, packet_data_pptr could be increased and then dereferenced without checking. Moreover, there are many other functions in the format of sn_coap_parser_**() that do not check whether the pointer is within the bound of the allocated buffer. All of these lead to heap or stack buffer overflow, depending on how the CoAP packet buffer is allocated.
In the following, we list other locations which cause out-of-bound memory accesses rooted in this vulnerability.

if ((temp_parsed_uri_query_ptr - *dst_pptr) >= uri_query_needed_heap || ((**packet_data_pptr >> COAP_OPTIONS_OPTION_NUMBER_SHIFT) != 0)) {

option_len = *(*packet_data_pptr + 2);

value |= *(*packet_data_pptr)++;

option_number = *(*packet_data_pptr + 1) + 13;

option_number = *(*packet_data_pptr + 2);

Result: Memory corruption.

Target(s) affected by this defect ?

MbedOS CoAP library

Toolchain(s) (name and version) displaying this defect ?

N/A

What version of Mbed-os are you using (tag or sha) ?

MbedOS 5.13.2

What version(s) of tools are you using. List all that apply (E.g. mbed-cli)

mbed-cli latest version

How is this defect reproduced ?

Using bug_coap_1_1, bug_coap_1_2, bug_coap_1_3, bug_coap_1_4, bug_coap_1_5 and bug_coap_1_6 as input of demo codes below, previous crash examples in sn_coap_parser.c will be triggered.

// The code is based on the demo in the CoAP library source code of MbedOS
#include <stdlib.h>
#include <unistd.h>
#include "nsapi_types.h"
#include "sn_coap_protocol.h"
#include "sn_coap_header.h"

// debug_log() is assumed to be supplied by the demo build; it is not part of mbed-coap
void debug_log(const char *msg, size_t len);

struct coap_s* coapHandle;
coap_version_e coapVersion = COAP_VERSION_1;
void* coap_malloc(uint16_t size){
    return malloc(size);
}
void coap_free(void* addr){
    free(addr);
}
// Transmit callback required by sn_coap_protocol_init(); nothing is sent in this harness
uint8_t coap_tx_cb(uint8_t *a, uint16_t b, sn_nsdl_addr_s *c, void *d){
    debug_log("coap_tx_cb", sizeof("coap_tx_cb"));
    return 0;
}
// Receive callback required by sn_coap_protocol_init(); only logs that it was reached
int8_t coap_rx_cb(sn_coap_hdr_s *a, sn_nsdl_addr_s *b, void *c){
    debug_log("coap_rx_cb", sizeof("coap_rx_cb"));
    return 0;
}
void main_parser() {
    coapHandle = sn_coap_protocol_init(&coap_malloc, &coap_free, &coap_tx_cb, &coap_rx_cb);
    nsapi_size_or_error_t ret;
    uint8_t* recv_buffer = (uint8_t*)malloc(1280);
    // memset(recv_buffer, 0x0, 1280); // some inputs rely on memory without initialization which is common when the memory is reused
    // stack overflow need to change this operation
    // to allocate memory in stack, for example, uint8_t recv_buffer[1280]
    ret = read(0, recv_buffer, 1280);
    if (ret <= 0) {
        return; // nothing was read; do not pass a negative or zero length to the parser
    }
    // The packet length is exactly the number of bytes read from stdin (the bug_coap_1_* inputs)
    sn_coap_hdr_s* parsed = sn_coap_parser(coapHandle, (uint16_t)ret, recv_buffer, &coapVersion);
    (void)parsed;
}

bug_coap_1_1.log
bug_coap_1_2.log
bug_coap_1_3.log
bug_coap_1_4.log
bug_coap_1_5.log
bug_coap_1_6.log
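The report above is that the option loop advances and dereferences the packet pointer without first checking how many bytes remain in the buffer. The following is an added example, not code from mbed-coap or from the reporter, of a bounds-checked walk over a CoAP option block (RFC 7252 section 3.1 encoding: one header byte carrying a 4-bit delta and 4-bit length, with 13 and 14 selecting one or two extension bytes). Every extension byte and every option value is checked against the remaining length before it is read, so a packet that ends right after a header byte with nibble 13, the shape that makes the original `*(*packet_data_pptr + 1)` read past the buffer, is rejected instead of overread. The function names, the result struct and the sample byte strings are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of walking the option block (constructed type, not from mbed-coap). */
typedef struct {
    size_t option_count;    /* options successfully decoded before stopping */
    size_t payload_offset;  /* index of first payload byte, or len when there is none */
    int    ok;              /* 1 = well-formed, 0 = truncated or malformed */
} coap_opt_walk_result;

/* Decode a delta/length nibble plus its extension bytes.
 * Returns 0 and advances *pos on success, -1 if the extension bytes are missing
 * or the nibble is the reserved value 15. Only bytes below len are ever read. */
static int decode_ext(uint8_t nibble, const uint8_t *buf, size_t len,
                      size_t *pos, uint32_t *out)
{
    if (nibble < 13) {
        *out = nibble;
        return 0;
    }
    if (nibble == 13) {
        if (len - *pos < 1) return -1;           /* would read one byte past the end */
        *out = (uint32_t)buf[*pos] + 13;
        *pos += 1;
        return 0;
    }
    if (nibble == 14) {
        if (len - *pos < 2) return -1;           /* would read two bytes past the end */
        *out = (uint32_t)(((uint32_t)buf[*pos] << 8) | buf[*pos + 1]) + 269;
        *pos += 2;
        return 0;
    }
    return -1;                                   /* 15 is reserved in a non-0xFF header */
}

/* Walk options starting at pos (just after header + token). Stops at the 0xFF
 * payload marker or the end of the buffer; never reads at or beyond len. */
coap_opt_walk_result coap_walk_options(const uint8_t *buf, size_t len, size_t pos)
{
    coap_opt_walk_result r = { 0, len, 0 };
    uint32_t option_number = 0;

    while (pos < len && buf[pos] != 0xff) {
        uint8_t hdr = buf[pos++];
        uint32_t delta, olen;
        if (decode_ext(hdr >> 4, buf, len, &pos, &delta) < 0) return r;
        if (decode_ext(hdr & 0x0f, buf, len, &pos, &olen) < 0) return r;
        if (len - pos < olen) return r;          /* option value runs past the buffer */
        option_number += delta;                  /* kept for completeness of the walk */
        pos += olen;
        r.option_count++;
    }
    if (pos < len) {
        /* 0xFF present: RFC 7252 requires at least one payload byte after it */
        if (len - pos < 2) return r;
        r.payload_offset = pos + 1;
    }
    r.ok = 1;
    return r;
}

/* Constructed sample option blocks (not taken from the attached bug_coap_1_* files). */
static const uint8_t kGood[] = {
    0xB2, 'r', 'd',        /* Uri-Path (delta 11, len 2) = "rd"          */
    0x11, 0x28,            /* Content-Format (delta 1, len 1)             */
    0xD1, 0x23, 0x10,      /* delta 13+0x23 = 48 -> option 60, len 1      */
    0xFF, 'h', 'i'         /* payload marker and two payload bytes        */
};
static const uint8_t kTruncatedExt[]   = { 0xB2, 'r', 'd', 0xD1 }; /* nibble 13, no ext byte */
static const uint8_t kTruncatedValue[] = { 0x15, 'a' };            /* len 5, one byte left   */
static const uint8_t kBareMarker[]     = { 0xFF };                 /* marker, no payload     */

int main(void)
{
    const struct { const char *name; const uint8_t *p; size_t n; } cases[] = {
        { "good",            kGood,           sizeof kGood },
        { "truncated-ext",   kTruncatedExt,   sizeof kTruncatedExt },
        { "truncated-value", kTruncatedValue, sizeof kTruncatedValue },
        { "bare-marker",     kBareMarker,     sizeof kBareMarker },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        coap_opt_walk_result r = coap_walk_options(cases[i].p, cases[i].n, 0);
        printf("%-16s ok=%d options=%zu payload_offset=%zu\n",
               cases[i].name, r.ok, r.option_count, r.payload_offset);
    }
    return 0;
}
```

The check that matters is the `len - *pos` comparison before each extension-byte read: the unchecked original computes the extended length first and only then advances the pointer, so the read itself is what goes out of bounds. Doing the remaining-length test against the buffer end rather than against a delimiter byte also covers inputs that omit the 0xFF marker entirely.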

@TheSilentDawn TheSilentDawn changed the title The bug of MbedOS CoAP library The bug1 of MbedOS CoAP library Nov 4, 2019
@0xc0170
Member

0xc0170 commented Nov 4, 2019

cc @anttiylitokola

@adbridge
Contributor

adbridge commented Nov 6, 2019

@TheSilentDawn Could you please update the title of your issues to actually describe what the bug is rather than just 'bug 1' etc? Thanks

@TheSilentDawn TheSilentDawn changed the title The bug1 of MbedOS CoAP library pointer access with offset out of memory range in MbedOS CoAP library Nov 6, 2019
@TheSilentDawn
Author

@adbridge No problem.

@TheSilentDawn TheSilentDawn changed the title pointer access with offset out of memory range in MbedOS CoAP library out of memory acess in MbedOS CoAP library parser part Nov 6, 2019
@TheSilentDawn TheSilentDawn changed the title out of memory acess in MbedOS CoAP library parser part memory acess out of range in MbedOS CoAP library parser part Nov 6, 2019
@ciarmcom
Member

Internal Jira reference: https://jira.arm.com/browse/MBOTRIAGE-2329

@JanneKiiskila
Contributor

Thank you for this error report, this will be fixed in an upcoming release.

@teetak01
Contributor

teetak01 commented Apr 3, 2020

Thanks @TheSilentDawn

This issue was fixed as part of Mbed OS 5.15.1 release.

#12146

Closing as fixed.

@elanzini

Is it possible to have #12146 as a Linked pull request to this issue?
It helps when tracing back what was changed in the fix since NVD only reports a link to this issue.
