
Cordio BLE: Fix integer overflows (CVE-2024-48983) #388


Diff-fusion

Summary of changes

hciTrSerialRxIncoming parses incoming HCI packets. In doing so, it dynamically determines the length of the packet body. For the case of HCI_ACL_TYPE, this is done by reading 2 bytes from the packet header.

```c
/* Vulnerable code before the fix: dataLen is taken from the packet header unchecked */
switch (pktIndRx)
{
    case HCI_CMD_TYPE:
        dataLen = hdrRx[2];
        break;
    case HCI_ACL_TYPE:
        BYTES_TO_UINT16(dataLen, &hdrRx[2]);   /* 16-bit length, attacker-controlled */
        break;
    case HCI_EVT_TYPE:
        dataLen = hdrRx[1];
        break;
    default:
        break;
}
```

A buffer is then allocated to hold the packet, the length of which is determined by the sum of this 16-bit integer and the length of the packet header.

```c
/* allocate data buffer to hold entire packet */
if (pktIndRx == HCI_ACL_TYPE)
{
    /* hdrLen + dataLen can wrap; WsfMsgAlloc then adds sizeof(wsfMsg_t) on top */
    pPktRx = (uint8_t*)WsfMsgDataAlloc(hdrLen + dataLen, 0);
}
```

The final buffer size is also increased by WsfMsgAlloc, which adds the size of one wsfMsg_t.

For large dataLen values, this addition may result in an integer overflow which causes the allocated buffer to be very small. Header and body are then copied separately, resulting in one operation of size hdrLen and one of size dataLen, the latter of which is always larger than the allocated buffer. This leads to a buffer overflow which, if large amounts of data are written, will likely result in corruption of memory data and may cause the system to crash.

This fix eliminates the issue by checking for integer overflows, both in hciTrSerialRxIncoming and WsfMsgAlloc.

Impact of changes

Migration actions required

Documentation

None


Pull request type

[x] Patch update (Bug fix / Target update / Docs update / Test update / Refactor)
[ ] Feature update (New feature / Functionality change / New API)
[ ] Major update (Breaking change E.g. Return code change / API behaviour change)

Test results

[ ] No Tests required for this change (E.g docs only update)
[x] Covered by existing mbed-os tests (Greentea or Unittest)
[ ] Tests / results supplied as part of this PR
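The size arithmetic the description above walks through, as an added example in plain C. This is not code from the PR or from the mbed-ce/Cordio tree: the message-header struct standing in for wsfMsg_t, the 4-byte ACL header length and the assumption that the allocator takes a uint16_t length are all constructed here for illustration. It shows the unchecked sum wrapping to a tiny size next to a widened, overflow-checked computation that rejects the packet instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for Cordio's wsfMsg_t; the real layout is not on the page (assumption). */
typedef struct {
    void    *pNext;
    uint16_t handlerId;
    uint8_t  reserved[2];
} msg_hdr_t;

/* ACL header: 2-byte connection handle + 2-byte data length (assumed layout). */
#define ACL_HDR_LEN 4u

/* Little-endian 16-bit read, mirroring what BYTES_TO_UINT16 does in the quoted switch. */
uint16_t read_u16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* The unchecked arithmetic the description describes: when the allocation API
 * takes a uint16_t length, hdrLen + dataLen is silently truncated to 16 bits. */
uint16_t unchecked_alloc_len(uint8_t hdrLen, uint16_t dataLen)
{
    return (uint16_t)(hdrLen + dataLen);
}

/* Overflow-checked version: widen first, then reject any total that would no longer
 * fit once the allocator adds its own message header (the WsfMsgAlloc addition).
 * Returns false instead of ever producing a too-small size. */
bool checked_alloc_len(uint8_t hdrLen, uint16_t dataLen, uint16_t *outLen)
{
    uint32_t body = (uint32_t)hdrLen + dataLen;        /* cannot wrap in 32 bits */
    if (body > UINT16_MAX - sizeof(msg_hdr_t)) {       /* would wrap after the header is added */
        return false;
    }
    *outLen = (uint16_t)(body + sizeof(msg_hdr_t));
    return true;
}

/* Parse the 16-bit length out of an ACL header and decide whether the packet may be
 * buffered at all. Returns the total allocation size, or 0 if the packet must be dropped. */
uint16_t acl_packet_alloc_len(const uint8_t hdrRx[ACL_HDR_LEN])
{
    uint16_t dataLen = read_u16le(&hdrRx[2]);   /* same offset as the page's BYTES_TO_UINT16 */
    uint16_t total;
    if (!checked_alloc_len(ACL_HDR_LEN, dataLen, &total)) {
        return 0;                                /* caller discards the packet */
    }
    return total;
}

int main(void)
{
    /* Constructed ACL headers: a benign 27-byte payload and a hostile 0xFFFF length. */
    const uint8_t benign[ACL_HDR_LEN]  = { 0x40, 0x00, 0x1B, 0x00 };
    const uint8_t hostile[ACL_HDR_LEN] = { 0x40, 0x00, 0xFF, 0xFF };

    printf("benign : unchecked=%u checked=%u\n",
           unchecked_alloc_len(ACL_HDR_LEN, read_u16le(&benign[2])),
           acl_packet_alloc_len(benign));
    printf("hostile: unchecked=%u checked=%u (0 = rejected)\n",
           unchecked_alloc_len(ACL_HDR_LEN, read_u16le(&hostile[2])),
           acl_packet_alloc_len(hostile));
    return 0;
}
```

The hostile header yields an unchecked size of 3 (4 + 65535 wrapped to 16 bits) while the checked path refuses it; the widen-then-compare shape is the same kind of check the PR applies at both the transport layer and inside the allocator, so that neither addition can wrap independently.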


Diff-fusion commented Nov 19, 2024

This PR fixes CVE-2024-48983

@Diff-fusion Diff-fusion changed the title Cordio BLE: Fix integer overflows Cordio BLE: Fix integer overflows (CVE-2024-48983) Nov 19, 2024
@multiplemonomials multiplemonomials left a comment


Thanks for the fix!

@multiplemonomials multiplemonomials merged commit 8576b04 into mbed-ce:master Nov 21, 2024
52 checks passed
@Diff-fusion Diff-fusion deleted the fix-interger-overflow-hciTrSerialRxIncoming branch November 21, 2024 12:23