Skip to content

ipm: signed to unsigned conversion problem in esp32_ipm_send

High
ceolin published GHSA-32f5-3p9h-2rqc Feb 18, 2024

Package

zephyr (zephyr)

Affected versions

<= 3.5

Patched versions

None

Description

Summary

Signed to unsigned conversion esp32_ipm_send:
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/ipm/ipm_esp32.c#L93

Details

If size is negative it will lead to buffer overflow when it is passed to memcpy due to signed to unsigned conversion.

static int esp32_ipm_send(const struct device *dev, int wait, uint32_t id,
             const void *data, int size)
{
...

    if (dev_data->shm_size < size) { // negative size pass this check
        LOG_ERR("Not enough memory in IPM channel");
        return -ENOMEM;
    }

...

    /* data copied, set the id and, generate interrupt in the remote core */
    if (dev_data->this_core_id == 0) {
        memcpy(dev_data->shm.app_cpu_shm, data, size); // BOF!!!
        atomic_set(&dev_data->control->lock, ESP32_IPM_LOCK_FREE_VAL);
        LOG_DBG("Generating interrupt on remote CPU 1 from CPU 0");
#if defined(CONFIG_SOC_SERIES_ESP32) || defined(CONFIG_SOC_SERIES_ESP32_NET)
        DPORT_WRITE_PERI_REG(DPORT_CPU_INTR_FROM_CPU_1_REG, DPORT_CPU_INTR_FROM_CPU_1);
#elif defined(CONFIG_SOC_SERIES_ESP32S3)
        WRITE_PERI_REG(SYSTEM_CPU_INTR_FROM_CPU_1_REG, SYSTEM_CPU_INTR_FROM_CPU_1);
#endif

    } else {
        memcpy(dev_data->shm.pro_cpu_shm, data, size); // BOF!!!

Patches

main: #65546

embargo: 2024-02-18

For more information

If you have any questions or comments about this advisory:

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

CVE ID

CVE-2023-6249

Weaknesses

Credits