
ipm: signed to unsigned conversion problem in esp32_ipm_send

High
ceolin published GHSA-32f5-3p9h-2rqc Feb 18, 2024

Package

zephyr (zephyr)

Affected versions

<= 3.5

Patched versions

None

Description

Summary

Signed to unsigned conversion in esp32_ipm_send:
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/ipm/ipm_esp32.c#L93

Details

If size is negative, it passes the shm_size check (a negative value compares less than the channel size) and is then converted to size_t when passed to memcpy, which turns it into a huge copy length and leads to a buffer overflow.

static int esp32_ipm_send(const struct device *dev, int wait, uint32_t id,
             const void *data, int size)
{
...

    if (dev_data->shm_size < size) { // a negative size passes this check
        LOG_ERR("Not enough memory in IPM channel");
        return -ENOMEM;
    }

...

    /* data copied, set the id and, generate interrupt in the remote core */
    if (dev_data->this_core_id == 0) {
        memcpy(dev_data->shm.app_cpu_shm, data, size); // BOF!!!
        atomic_set(&dev_data->control->lock, ESP32_IPM_LOCK_FREE_VAL);
        LOG_DBG("Generating interrupt on remote CPU 1 from CPU 0");
#if defined(CONFIG_SOC_SERIES_ESP32) || defined(CONFIG_SOC_SERIES_ESP32_NET)
        DPORT_WRITE_PERI_REG(DPORT_CPU_INTR_FROM_CPU_1_REG, DPORT_CPU_INTR_FROM_CPU_1);
#elif defined(CONFIG_SOC_SERIES_ESP32S3)
        WRITE_PERI_REG(SYSTEM_CPU_INTR_FROM_CPU_1_REG, SYSTEM_CPU_INTR_FROM_CPU_1);
#endif

    } else {
        memcpy(dev_data->shm.pro_cpu_shm, data, size); // BOF!!!
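The following is an added, self-contained example that is not part of the advisory or of the Zephyr driver. It models the channel with a constructed struct (demo_ipm, g_ipm, g_payload and DEMO_SHM_SIZE are all hypothetical names) and assumes shm_size is a signed int, which is the condition under which the advisory's comparison accepts a negative size. It shows the flawed check, the length memcpy would actually receive after the signed-to-unsigned conversion, and a hardened copy routine that validates the signed value before converting it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an IPM channel for this example (not the Zephyr
 * driver's struct). shm_size is modelled as a signed int, which is the
 * assumption under which the advisory's comparison accepts a negative size. */
#define DEMO_SHM_SIZE 64

struct demo_ipm {
	int shm_size;               /* capacity of the shared-memory buffer */
	uint8_t shm[DEMO_SHM_SIZE]; /* the buffer memcpy writes into */
};

static struct demo_ipm g_ipm = { .shm_size = DEMO_SHM_SIZE };

/* Constructed payload: zero-filled and large enough for any accepted size. */
static const uint8_t g_payload[DEMO_SHM_SIZE] = { 0 };

/* The advisory's check with the same logic: returns 1 when the size would be
 * accepted and the copy attempted, 0 when it would be rejected with -ENOMEM.
 * A negative size is smaller than shm_size, so it is accepted. */
int vulnerable_check_accepts(int size)
{
	if (g_ipm.shm_size < size) {
		return 0;
	}
	return 1;
}

/* memcpy's length parameter is size_t. Converting a negative int to size_t
 * wraps modulo SIZE_MAX + 1, so -1 becomes SIZE_MAX: the copy would run far
 * past the end of the shared-memory buffer. This function only performs the
 * conversion; it never calls memcpy with the result. */
size_t length_as_seen_by_memcpy(int size)
{
	return (size_t)size;
}

/* Hardened variant: reject negative sizes before any signed/unsigned
 * conversion, then bound the copy by the buffer capacity. Returns the number
 * of bytes copied, or a negative errno value (-EINVAL, -ENOMEM). */
int hardened_copy(int size)
{
	if (size < 0) {
		return -EINVAL;
	}
	if (size > g_ipm.shm_size) {
		return -ENOMEM;
	}
	memcpy(g_ipm.shm, g_payload, (size_t)size);
	return size;
}

int main(void)
{
	printf("vulnerable check accepts size -1: %d\n", vulnerable_check_accepts(-1));
	printf("memcpy would receive length %zu\n", length_as_seen_by_memcpy(-1));
	printf("hardened_copy(-1) -> %d\n", hardened_copy(-1));
	printf("hardened_copy(65) -> %d\n", hardened_copy(65));
	printf("hardened_copy(16) -> %d\n", hardened_copy(16));
	return 0;
}
```

The design point is ordering: the sign check must happen while the value is still an int, because once it reaches a size_t parameter (memcpy, or a comparison against an unsigned capacity) the negative value is gone and only a large positive length remains.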

Patches

main: #65546

embargo: 2024-02-18

For more information

If you have any questions or comments about this advisory:

Severity

High (8.0 / 10)

CVSS base metrics

Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: High
Availability: High
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

CVE ID

CVE-2023-6249

Weaknesses

Credits