Summary
Out-of-bounds access in the remove_rx_filter functions of several CAN drivers
Details
In the functions can_stm32_remove_rx_filter, can_nxp_s32_remove_rx_filter, mcp2515_remove_rx_filter, etc., there is no bounds check on the filter ID, unlike mcux_flexcan_remove_rx_filter. An assert alone is not enough, since it is compiled out when assertions are disabled and the ID is then used unchecked as an array index.
```c
static void can_nxp_s32_remove_rx_filter(const struct device *dev, int filter_id)
{
	const struct can_nxp_s32_config *config = dev->config;
	struct can_nxp_s32_data *data = dev->data;
	int mb_indx = ALLOC_IDX_TO_RXMB_IDX(filter_id);

	/* assert only: no effect when assertions are disabled, so filter_id reaches
	 * the bitmask and rx_cbs[] unchecked */
	__ASSERT_NO_MSG(filter_id >= 0 && filter_id < CONFIG_CAN_NXP_S32_MAX_RX);

	k_mutex_lock(&data->rx_mutex, K_FOREVER);

	if (atomic_test_and_clear_bit(data->rx_allocs, filter_id)) {
		if (can_nxp_s32_abort_msg(config, mb_indx)) {
			LOG_ERR("Can't abort message !");
		}

		data->rx_cbs[filter_id].function = NULL;
		data->rx_cbs[filter_id].arg = NULL;
		data->rx_cbs[filter_id].filter = (struct can_filter){0};
	} else {
		LOG_WRN("Filter ID %d already detached", filter_id);
	}

	k_mutex_unlock(&data->rx_mutex);
}
```

For comparison, can_sja1000_remove_rx_filter rejects an invalid ID before touching any driver state:

```c
void can_sja1000_remove_rx_filter(const struct device *dev, int filter_id)
{
	struct can_sja1000_data *data = dev->data;

	/* bounds check: this is the pattern the other drivers should use */
	if (filter_id < 0 || filter_id >= ARRAY_SIZE(data->filters)) {
		LOG_ERR("filter ID %d out of bounds", filter_id);
		return;
	}
	/* remainder of the function omitted in the advisory */
```
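As an added example (not Zephyr's code) contrasting the two patterns above: a stand-alone model of a driver's RX filter table whose removal routine validates the ID the way can_sja1000_remove_rx_filter does, instead of relying on an assert. The struct and function names (rx_filter_table, add_rx_filter, remove_rx_filter_checked) are assumptions made for the example.

```c
/* Added example, not Zephyr code. Names are hypothetical; the layout mirrors the
 * rx_allocs bitmask and rx_cbs[] array in the advisory snippet. */
#include <stddef.h>
#include <stdint.h>

#define MAX_RX_FILTERS 8
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct rx_cb { void (*function)(void *arg); void *arg; };

struct rx_filter_table {
	uint32_t rx_allocs;                  /* one bit per allocated filter slot */
	struct rx_cb rx_cbs[MAX_RX_FILTERS];
};

struct rx_filter_table demo_table;      /* zero-initialised: every slot free */

/* Allocate the lowest free slot; returns its ID, or -1 when the table is full. */
int add_rx_filter(struct rx_filter_table *t, void (*fn)(void *), void *arg)
{
	for (int id = 0; id < (int)ARRAY_SIZE(t->rx_cbs); id++) {
		if (!(t->rx_allocs & (1u << id))) {
			t->rx_allocs |= (1u << id);
			t->rx_cbs[id].function = fn;
			t->rx_cbs[id].arg = arg;
			return id;
		}
	}
	return -1;
}

/* Hardened removal, following the can_sja1000_remove_rx_filter pattern: validate
 * filter_id before it reaches the bitmask or rx_cbs[]. An assert alone does not do
 * this, since asserts are compiled out of release builds and the out-of-bounds
 * write would then happen silently. Returns 0 on success, -1 for an invalid ID,
 * 1 if the slot was already free. */
int remove_rx_filter_checked(struct rx_filter_table *t, int filter_id)
{
	if (filter_id < 0 || (size_t)filter_id >= ARRAY_SIZE(t->rx_cbs)) {
		return -1;                       /* reject before any memory access */
	}
	if (!(t->rx_allocs & (1u << filter_id))) {
		return 1;                        /* already detached */
	}
	t->rx_allocs &= ~(1u << filter_id);
	t->rx_cbs[filter_id].function = NULL;
	t->rx_cbs[filter_id].arg = NULL;
	return 0;
}
```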
PoC
I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.
Impact
If the unchecked inputs above are attacker-controlled and cross a security boundary, the impact of these vulnerabilities could range from denial of service to arbitrary code execution.
For more information
If you have any questions or comments about this advisory:
Fixes
main branch: #64399
v2.7-branch PR: #64431
v3.3-branch PR: #64427
v3.4-branch PR: #64415
v3.5-branch PR: #64416
embargo: 2024-01-23