catalinv-ncc opened a new issue, #19036:
URL: https://github.com/apache/nuttx/issues/19036
### Description / Steps to reproduce the issue
# Impact
When calling the Set RF Configuration command, a compromised user process can trigger memory corruption in the kernel. This can lead to a system crash or potentially arbitrary code execution in the kernel.
# Description
The PN532 driver contains a buffer overflow in `ioctl`. Untrusted content is given to the device in `arg`:
```c
static int _ioctl(FAR struct file *filep, int cmd, unsigned long arg)
{
  ...
  switch (cmd)
    {
      ...
      case PN532IOC_SET_RF_CONF:
        pn532_set_rf_config(dev, (FAR struct pn_rf_config_s *) arg);
        break;
      ...
    }
```
The RF Configuration command is described in Section 7.3.1 of the PN532 user guide (https://www.nxp.com/docs/en/user-guide/141520.pdf).
```c
begin_packed_struct struct pn532_frame
{
  uint8_t preamble;    /* 0x00 */
  uint16_t start_code; /* 0x00FF (BE) -> 0xFF00 (LE) */
  uint8_t len;         /* 1 byte indicating the number of bytes in
                        * the data field */
  uint8_t lcs;         /* 1 Packet Length Checksum LCS byte that satisfies
                        * the relation: Lower byte of [LEN + LCS] = 00h */
  uint8_t tfi;         /* Frame identifier 0xD4, 0xD5 */
  uint8_t data[];      /* LEN-1 bytes of Packet Data Information.
                        * The first byte PD0 is the Command Code */
} end_packed_struct;
```
In the following structure `conf` is untrusted. The frame pointer `f` uses the `cmd_buffer` for storage and the maximum `data` size it can write is 16 bytes (because the first 6 bytes are used by `preamble` to `tfi`). Note however that the attacker-controlled `conf->data_size` length is used to write attacker-controlled content `conf->config` into kernel stack memory, and may be able to cause a privilege escalation.
```c
bool pn532_set_rf_config(struct pn532_dev_s *dev,
                         struct pn_rf_config_s *conf)
{
  bool res = false;
  uint8_t cmd_buffer[15 + 7];
  FAR struct pn532_frame *f = (FAR struct pn532_frame *) cmd_buffer;

  pn532_frame_init(f, PN532_COMMAND_RFCONFIGURATION);
  f->data[1] = conf->cfg_item;
  memcpy(&f->data[2], conf->config, conf->data_size);
  f->len += conf->data_size + 1;
  pn532_frame_finish(f);
```
# Recommendation
Verify that `conf->data_size` is not greater than 16 bytes before the `memcpy()` operation.
Reporter will also fix the issue in master.
# Location
`drivers/contactless/pn532.c`
### On which OS does this issue occur?
[OS: Other], [OS: Linux], [OS: BSD], [OS: Mac], [OS: Windows]
### What is the version of your OS?
Linux
### NuttX Version
master
### Issue Architecture
[Arch: all]
### Issue Area
[Area: Specific Peripheral]
### Host information
N/A
### Verification
- [x] I have verified before submitting the report.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
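The check the report recommends, shown as an added stand-alone model and not the NuttX driver's own code: the frame layout and the 22-byte `cmd_buffer` follow the snippets above, while `pn_rf_config_s`, the `0x32` command code, the `__attribute__((packed))` form and the omission of `pn532_frame_finish()`'s trailer bytes are assumptions of this example. The bound is derived from the buffer size with `offsetof` so that it cannot drift from the layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PN532_COMMAND_RFCONFIGURATION 0x32     /* assumed command code */
#define PN532_CMD_BUFFER_SIZE (15 + 7)         /* same size as the driver's cmd_buffer */

struct pn532_frame                             /* layout from the report */
{
  uint8_t preamble;
  uint16_t start_code;
  uint8_t len;
  uint8_t lcs;
  uint8_t tfi;
  uint8_t data[];
} __attribute__((packed));

struct pn_rf_config_s                          /* assumed user-supplied layout */
{
  uint8_t cfg_item;
  uint8_t data_size;                           /* untrusted length */
  uint8_t config[64];                          /* untrusted payload */
};

/* Bytes of cmd_buffer left for data[] after the 6-byte header (16 here). */
#define PN532_MAX_DATA (PN532_CMD_BUFFER_SIZE - offsetof(struct pn532_frame, data))
/* data[0] is PD0 (command) and data[1] the cfg_item, so config may use at
 * most PN532_MAX_DATA - 2 bytes. The real pn532_frame_finish() appends a
 * checksum and postamble; subtract those as well when porting this check. */
#define PN532_MAX_CONFIG (PN532_MAX_DATA - 2)

static void pn532_frame_init(struct pn532_frame *f, uint8_t cmd)
{
  f->preamble = 0x00;
  f->start_code = 0xff00;                      /* 00 FF on the wire, LE host */
  f->tfi = 0xd4;                               /* host -> PN532 */
  f->data[0] = cmd;
  f->len = 2;                                  /* TFI + PD0 */
}

/* Hardened variant: the untrusted length is validated before any write. */
static bool pn532_set_rf_config_checked(const struct pn_rf_config_s *conf,
                                        uint8_t *cmd_buffer, size_t buflen)
{
  struct pn532_frame *f = (struct pn532_frame *)cmd_buffer;
  if (buflen < PN532_CMD_BUFFER_SIZE || conf->data_size > PN532_MAX_CONFIG)
    return false;                              /* would overflow the stack buffer */
  pn532_frame_init(f, PN532_COMMAND_RFCONFIGURATION);
  f->data[1] = conf->cfg_item;
  memcpy(&f->data[2], conf->config, conf->data_size);
  f->len += conf->data_size + 1;
  f->lcs = (uint8_t)(0x100 - f->len);          /* lower byte of LEN + LCS == 0 */
  return true;
}
```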