Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Heap buffer overflow in RT-Thread wlan driver #8285

Open
0xdea opened this issue Nov 24, 2023 · 2 comments
Open

Heap buffer overflow in RT-Thread wlan driver #8285

0xdea opened this issue Nov 24, 2023 · 2 comments

Comments

@0xdea
Copy link

0xdea commented Nov 24, 2023

Hi,

I would like to report another potential vulnerability in the current version of RT-Thread. Please let me know if you plan to ask for a CVE ID in case the vulnerability is confirmed. I'm available if you need further clarifications.

Potential heap buffer overflow in RT-Thread wlan driver

Summary

I spotted a potential heap buffer overflow vulnerability at the following location in the RT-Thread wlan driver source code:
https://github.com/RT-Thread/rt-thread/blob/master/components/drivers/wlan/wlan_mgnt.c#L215-L226

Details

Since len is a signed integer in the rt_wlan_send_to_thread()function, a small negative value could lead to a buffer overflow at the marked lines:

#ifdef RT_WLAN_WORK_THREAD_ENABLE
...
static rt_err_t rt_wlan_send_to_thread(rt_wlan_event_t event, void *buff, int len)
{
    struct rt_wlan_msg *msg;

    RT_WLAN_LOG_D("F:%s is run event:%d", __FUNCTION__, event);

    /* Event packing */
    msg = rt_malloc(sizeof(struct rt_wlan_msg) + len); /* VULN: if len is a small negative number, this would result in an under-allocation */
    if (msg == RT_NULL)
    {
        RT_WLAN_LOG_E("wlan mgnt send msg err! No memory");
        return -RT_ENOMEM;
    }
    rt_memset(msg, 0, sizeof(struct rt_wlan_msg) + len);
    msg->event = event;
    if (len != 0)
    {
        msg->buff = (void *)&msg[1];
        rt_memcpy(msg->buff, buff, len); /* VULN: the small negative number would become a large unsigned size, and we would have a wild memcpy and a heap buffer overflow */
        msg->len = len;
    }

    /* send event to wlan thread */
    if (rt_wlan_workqueue_dowork(rt_wlan_mgnt_work, msg) != RT_EOK)
    {
        rt_free(msg);
        RT_WLAN_LOG_E("wlan mgnt do work fail");
        return -RT_ERROR;
    }
    return RT_EOK;
}

Impact

If the signed size above is confirmed to be attacker-controlled and the input is crossing a security boundary, the impact of the reported buffer overflow vulnerability could range from denial of service to arbitrary code execution.
@0xdea
Copy link
Author

0xdea commented Dec 24, 2023

Hi, it's been one month since I reported this vulnerability, and I wanted to ask if you have any update. As standard practice, I plan to request a CVE ID for every confirmed vulnerability. I also intend to publish an advisory by February at the latest, unless there's a specific reason to postpone. Thanks!

@0xdea 0xdea changed the title Potential heap buffer overflow in RT-Thread wlan driver Heap buffer overflow in RT-Thread wlan driver Feb 2, 2024
@0xdea
Copy link
Author

0xdea commented Feb 8, 2024

Hi there, CVE-2024-25388 was assigned to this vulnerability. I'm planning to publish my security advisory and writeup on March 5th. Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@0xdea