ARMmbed / uvisor

DEPRECATED mbed OS uVisor -- device security layer for ARMv7M microcontrollers

vmpu_sys_mux_handler blindly trusts PSP to be sane #310

Open jdfarm opened 7 years ago

jdfarm commented 7 years ago

vmpu_sys_mux_handler, which is called to handle e.g. MemManage faults, trusts that the PSP points somewhere sensible and dereferences it, without checking this, in order to find the exception frame which the CPU is supposed to have pushed there. This is not necessarily the case if, for example, a box has run out of stack space or has loaded a maliciously chosen SP value.

There are some bits of the MMFSR which should possibly be checked to detect this situation. Also see the ARMARM function PushStack().

Found using AFL.

```c
// vmpu_armv7m.c line 217

    /* PSP at fault */
    psp = __get_PSP();

    switch(ipsr)
    {
        case MemoryManagement_IRQn:
            /* currently we only support recovery from unprivileged mode */
            if(lr & 0x4)
            {
                /* pc at fault */
                pc = vmpu_unpriv_uint32_read(psp + (6 * 4));

                /* backup fault address and status */
                fault_addr = SCB->MMFAR;
                fault_status = VMPU_SCB_MMFSR;
```

ciarmcom commented 7 years ago

ARM Internal Ref: IOTSFW-2854
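
One way to validate the stacked frame before reading it, as the issue suggests, written as an added example that is not part of the thread or of the uVisor code base. The register values are passed in as parameters so the check runs on a host; `box_stack_t`, the function names and the sample stack bounds are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

#define EXC_RETURN_PSP   (1u << 2) /* frame is on PSP (the `lr & 0x4` test) */
#define MMFSR_MUNSTKERR  (1u << 3) /* unstacking on exception return faulted */
#define MMFSR_MSTKERR    (1u << 4) /* stacking on exception entry faulted */
#define FRAME_BYTES      (8u * 4u) /* r0-r3, r12, lr, pc, xPSR */
#define FRAME_PC_OFFSET  (6u * 4u) /* same offset as `psp + (6 * 4)` */

typedef enum { FRAME_OK, FRAME_NOT_ON_PSP, FRAME_STACKING_FAULT,
               FRAME_OUT_OF_BOUNDS } frame_check_t;

/* Hypothetical per-box record: [base, top) is the stack the box may use. */
typedef struct { uint32_t base, top; } box_stack_t;

/* Decide whether the basic frame at psp can be trusted before any read. */
frame_check_t check_exception_frame(uint32_t psp, uint32_t exc_return,
                                    uint32_t mmfsr, const box_stack_t *box)
{
    if (!(exc_return & EXC_RETURN_PSP))
        return FRAME_NOT_ON_PSP;
    /* The CPU itself reported that it could not access the frame. */
    if (mmfsr & (MMFSR_MSTKERR | MMFSR_MUNSTKERR))
        return FRAME_STACKING_FAULT;
    /* Subtraction form: psp + FRAME_BYTES could wrap for a hostile psp. */
    if ((psp & 3u) || psp < box->base || psp > box->top ||
        box->top - psp < FRAME_BYTES)
        return FRAME_OUT_OF_BOUNDS;
    return FRAME_OK;
}

/* Constructed sample: a 256-byte box stack, modelled as host memory. */
static const box_stack_t sample_box = { 0x20001000u, 0x20001100u };
static uint32_t sample_mem[64];

/* Fetch the stacked pc only after validation; false means "do not recover". */
bool read_stacked_pc(uint32_t psp, uint32_t exc_return, uint32_t mmfsr,
                     uint32_t *pc)
{
    if (check_exception_frame(psp, exc_return, mmfsr, &sample_box) != FRAME_OK)
        return false;
    *pc = sample_mem[(psp - sample_box.base + FRAME_PC_OFFSET) / 4u];
    return true;
}

int main(void)
{
    uint32_t pc = 0;
    sample_mem[54] = 0x08000123u; /* constructed stacked pc */
    return read_stacked_pc(0x200010C0u, 0xFFFFFFFDu, 0x82u, &pc) ? 0 : 1;
}
```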