aliasrobotics / RVD

Robot Vulnerability Database. An archive of robot vulnerabilities and bugs.
https://aliasrobotics.com
GNU General Public License v3.0

RVD#2659: fixed size global buffer, mcmds/dumpfile/dumpfile.c:106, ... #2659

Closed rvd-bot closed 3 years ago

rvd-bot commented 4 years ago
id: 2659
title: 'RVD#2659: fixed size global buffer, mcmds/dumpfile/dumpfile.c:106, ...'
type: bug
description: "Extra care should be taken to ensure that character arrays that are\n\
  \    allocated on the stack are used safely.  They are prime targets for\n    buffer\
  \ overflow attacks. @ /opt/px4_ws/Firmware/src/systemcmds/dumpfile/dumpfile.c106,\
  \ \n/opt/px4_ws/Firmware/src/systemcmds/reflect/reflect.c100, \n/opt/px4_ws/Firmware/src/systemcmds/tests/test_float.cpp91,146,\
  \ \n/opt/px4_ws/Firmware/src/systemcmds/tests/test_bson.cpp179, \n/opt/px4_ws/Firmware/src/systemcmds/tests/test_dataman.c71,163,176,\
  \ \n/opt/px4_ws/Firmware/src/systemcmds/tests/test_mixer.cpp200,231,274,288, \n\
  /opt/px4_ws/Firmware/src/systemcmds/tests/test_uart_send.c78, \n/opt/px4_ws/Firmware/src/systemcmds/tests/test_jig_voltages.c90,\
  \ \n/opt/px4_ws/Firmware/src/systemcmds/tests/test_mount.c114,171, \n/opt/px4_ws/Firmware/src/systemcmds/tests/tests_main.c166,262,263,\
  \ \n/opt/px4_ws/Firmware/src/systemcmds/mixer/mixer.cpp149, \n/opt/px4_ws/Firmware/src/systemcmds/hardfault_log/hardfault_log.c166,289,453,515,605,646,792,1017,\
  \ \n/opt/px4_ws/Firmware/src/systemcmds/ver/ver.c140,141,228, \n/opt/px4_ws/Firmware/src/systemcmds/mtd/mtd.c331,\
  \ \n/opt/px4_ws/Firmware/src/systemcmds/mtd/24xxxx_mtd.c574, \n/opt/px4_ws/Firmware/src/drivers/qurt/fc_addon/rc_receiver/rc_receiver_main.cpp64,\
  \ \n/opt/px4_ws/Firmware/src/drivers/qurt/fc_addon/uart_esc/uart_esc_main.cpp71,138,201,\
  \ \n/opt/px4_ws/Firmware/src/drivers/qurt/fc_addon/mpu_spi/mpu9x50_main.cpp78, \n\
  /opt/px4_ws/Firmware/src/drivers/driver_framework_wrapper/df_mpu9250_wrapper/df_mpu9250_wrapper.cpp376,451,531,\
  \ \n/opt/px4_ws/Firmware/src/drivers/driver_framework_wrapper/df_mpu6050_wrapper/df_mpu6050_wrapper.cpp274,349,\
  \ \n/opt/px4_ws/Firmware/src/drivers/driver_framework_wrapper/df_lsm9ds1_wrapper/df_lsm9ds1_wrapper.cpp334,409,489,\
  \ \n/opt/px4_ws/Firmware/src/drivers/driver_framework_wrapper/df_hmc5883_wrapper/df_hmc5883_wrapper.cpp195,\
  \ \n/opt/px4_ws/Firmware/src/drivers/driver_framework_wrapper/df_ak8963_wrapper/df_ak8963_wrapper.cpp195,\
  \ \n/opt/px4_ws/Firmware/src/drivers/driver_framework_wrapper/df_bebop_bus_wrapper/df_bebop_bus_wrapper.cpp300,\
  \ \n/opt/px4_ws/Firmware/src/drivers/uavcannode/uavcannode_main.cpp228, \n/opt/px4_ws/Firmware/src/drivers/qshell/qurt/qshell.cpp157,\
  \ \n/opt/px4_ws/Firmware/src/drivers/distance_sensor/sf0x/sf0x_tests/SF0XTest.cpp55,\
  \ \n/opt/px4_ws/Firmware/src/drivers/distance_sensor/sf0x/sf0x.cpp96,105,461, \n\
  /opt/px4_ws/Firmware/src/drivers/distance_sensor/tfmini/TFMINI.cpp159, \n/opt/px4_ws/Firmware/src/drivers/distance_sensor/ulanding/ulanding.cpp156,\
  \ \n/opt/px4_ws/Firmware/src/drivers/osd/atxxxx/atxxxx.cpp277,308,324, \n/opt/px4_ws/Firmware/src/drivers/mkblctrl/mkblctrl.cpp161,\
  \ \n/opt/px4_ws/Firmware/src/drivers/linux_pwm_out/navio_sysfs.cpp70,111,136, \n\
  /opt/px4_ws/Firmware/src/drivers/linux_pwm_out/linux_pwm_out.cpp72,73,75,154, \n\
  /opt/px4_ws/Firmware/src/drivers/linux_pwm_out/PCA9685.cpp179, \n/opt/px4_ws/Firmware/src/drivers/telemetry/frsky_telemetry/frsky_telemetry.cpp294,\
  \ \n/opt/px4_ws/Firmware/src/drivers/telemetry/iridiumsbd/IridiumSBD.cpp785, \n\
  /opt/px4_ws/Firmware/src/drivers/telemetry/bst/bst.cpp85, \n/opt/px4_ws/Firmware/src/drivers/px4fmu/fmu.cpp609,648,\
  \ \n/opt/px4_ws/Firmware/src/drivers/lights/blinkm/blinkm.cpp832, \n/opt/px4_ws/Firmware/src/drivers/gps/gps.cpp146,\
  \ \n/opt/px4_ws/Firmware/src/drivers/md25/md25.cpp467,574, \n/opt/px4_ws/Firmware/src/drivers/md25/md25_main.cpp204,\
  \ \n/opt/px4_ws/Firmware/src/drivers/uavcan/uavcan_main.cpp600, \n/opt/px4_ws/Firmware/src/drivers/uavcan/uavcan_servers.cpp1002,1003,\
  \ \n/opt/px4_ws/Firmware/src/drivers/tap_esc/tap_esc.cpp110, \n/opt/px4_ws/Firmware/src/drivers/px4io/px4io.cpp1079,1101,1503,1982,3333,3415,\
  \ \n/opt/px4_ws/Firmware/src/drivers/protocol_splitter/protocol_splitter.cpp63,\
  \ \n/opt/px4_ws/Firmware/src/drivers/batt_smbus/batt_smbus.cpp406,414, \n/opt/px4_ws/Firmware/src/drivers/uavcanesc/uavcanesc_main.cpp201,\
  \ \n/opt/px4_ws/Firmware/src/drivers/boards/common/kinetis/board_mcu_version.c52,\
  \ \n/opt/px4_ws/Firmware/src/drivers/dshot/dshot.cpp202, \n/opt/px4_ws/Firmware/src/drivers/linux_sbus/linux_sbus.cpp256,\
  \ \n/opt/px4_ws/Firmware/src/drivers/snapdragon_pwm_out/snapdragon_pwm_out.cpp84,178,\
  \ \n/opt/px4_ws/Firmware/src/modules/simulator/simulator_mavlink.cpp754, \n/opt/px4_ws/Firmware/src/modules/land_detector/land_detector_main.cpp59,\
  \ \n/opt/px4_ws/Firmware/src/modules/replay/Replay.cpp181, \n/opt/px4_ws/Firmware/src/modules/dataman/dataman.cpp497,618,717,\
  \ \n/opt/px4_ws/Firmware/src/modules/events/temperature_calibration/accel.cpp209,\
  \ \n/opt/px4_ws/Firmware/src/modules/events/temperature_calibration/baro.cpp184,\
  \ \n/opt/px4_ws/Firmware/src/modules/events/temperature_calibration/gyro.cpp193,\
  \ \n/opt/px4_ws/Firmware/src/modules/commander/Commander.cpp4404, \n/opt/px4_ws/Firmware/src/modules/commander/rc_check.cpp59,\
  \ \n/opt/px4_ws/Firmware/src/modules/commander/mag_calibration.cpp115,579, \n/opt/px4_ws/Firmware/src/modules/commander/calibration_routines.cpp731,\
  \ \n/opt/px4_ws/Firmware/src/modules/commander/PreflightCheck.cpp73, \n/opt/px4_ws/Firmware/src/modules/commander/gyro_calibration.cpp241,452,\
  \ \n/opt/px4_ws/Firmware/src/modules/commander/accelerometer_calibration.cpp195,\
  \ \n/opt/px4_ws/Firmware/src/modules/muorb/krait/px4muorb_KraitRpcWrapper.cpp99,\
  \ \n/opt/px4_ws/Firmware/src/modules/mavlink/mavlink_log_handler.cpp370,376,478,540,610,624,\
  \ \n/opt/px4_ws/Firmware/src/modules/mavlink/mavlink_parameters.cpp102,122,128,192,205,210,345,\
  \ \n/opt/px4_ws/Firmware/src/modules/mavlink/mavlink_tests/mavlink_ftp_test.cpp210,\
  \ \n/opt/px4_ws/Firmware/src/modules/mavlink/mavlink_ftp.cpp304,308, \n/opt/px4_ws/Firmware/src/modules/mavlink/mavlink_main.cpp1337,2705,2846,\
  \ \n/opt/px4_ws/Firmware/src/modules/mavlink/mavlink_receiver.cpp2525, \n/opt/px4_ws/Firmware/src/modules/vmount/vmount.cpp179,\
  \ \n/opt/px4_ws/Firmware/src/modules/navigator/geofence.cpp439, \n/opt/px4_ws/Firmware/src/modules/uORB/uORB_tests/uORBTest_UnitTest.cpp143,506,795,\
  \ \n/opt/px4_ws/Firmware/src/modules/uORB/uORBDeviceMaster.cpp62, \n/opt/px4_ws/Firmware/src/modules/uORB/uORBManager.cpp130,348,458,484,509,574,623,\
  \ \n/opt/px4_ws/Firmware/src/modules/logger/util.cpp200,259, \n/opt/px4_ws/Firmware/src/modules/logger/logger.cpp135,671,684,1421,1474,1573,1639,1655,1670,1723,2024,2038,\
  \ \n/opt/px4_ws/Firmware/src/modules/sensors/temperature_compensation.cpp52, \n\
  /opt/px4_ws/Firmware/src/modules/sensors/parameters.cpp49,108, \n/opt/px4_ws/Firmware/src/modules/sensors/voted_sensors_update.cpp205,\
  \ \n/opt/px4_ws/Firmware/src/lib/drivers/device/ringbuffer.cpp393, \n/opt/px4_ws/Firmware/src/lib/drivers/device/posix/I2C.cpp105,\
  \ \n/opt/px4_ws/Firmware/src/lib/drivers/device/posix/SPI.cpp84, \n/opt/px4_ws/Firmware/src/lib/drivers/linux_gpio/linux_gpio.cpp65,66,128,169,205,223,\
  \ \n/opt/px4_ws/Firmware/src/lib/cdev/test/cdevtest_example.cpp59,118,198, \n/opt/px4_ws/Firmware/src/lib/cdev/CDev.cpp90,113,\
  \ \n/opt/px4_ws/Firmware/src/lib/cdev/posix/cdev_platform.cpp188,321, \n/opt/px4_ws/Firmware/src/lib/version/version.c74,160,\
  \ \n/opt/px4_ws/Firmware/src/lib/rc/rc_tests/RCTest.cpp63,164,240,310,371, \n/opt/px4_ws/Firmware/src/lib/mixer/mixer_load.c49,\
  \ \n/opt/px4_ws/Firmware/src/lib/mixer/mixer_multirotor.cpp138, \n/opt/px4_ws/Firmware/src/lib/systemlib/print_load_nuttx.c192,\
  \ \n/opt/px4_ws/Firmware/src/lib/systemlib/otp.c190, \n/opt/px4_ws/Firmware/src/lib/controllib/block/BlockParam.cpp51,58,\
  \ \n/opt/px4_ws/Firmware/src/lib/controllib/block/Block.cpp67,88,109,128,146,164,\
  \ \n/opt/px4_ws/Firmware/msg/templates/urtps/microRTPS_transport.cpp374, \n/opt/px4_ws/Firmware/boards/emlid/navio2/navio_sysfs_rc_in/navio_sysfs_rc_in.cpp111,184,\
  \ \n/opt/px4_ws/Firmware/boards/emlid/navio2/navio_adc/navio_adc.cpp166,221, \n\
  /opt/px4_ws/Firmware/boards/parrot/bebop/flow/dump_pgm.cpp61, \n/opt/px4_ws/Firmware/boards/bitcraze/crazyflie/syslink/syslink_main.cpp331,\
  \ \n/opt/px4_ws/Firmware/platforms/qurt/src/px4/common/main.cpp83,126, \n/opt/px4_ws/Firmware/platforms/nuttx/src/px4/common/console_buffer.cpp66,\
  \ \n/opt/px4_ws/Firmware/platforms/common/px4_getopt.c66, \n/opt/px4_ws/Firmware/platforms/posix/src/px4/common/main.cpp639,\
  \ \n/opt/px4_ws/Firmware/platforms/posix/src/px4/common/px4_daemon/pxh.cpp97, \n\
  /opt/px4_ws/Firmware/platforms/posix/src/px4/common/px4_daemon/server.cpp281, \n\
  /opt/px4_ws/Firmware/platforms/posix/src/px4/common/px4_daemon/client.cpp134, \n\
  /opt/px4_ws/Firmware/platforms/posix/src/px4/common/px4_posix_tasks.cpp82, \n/opt/px4_ws/Firmware/platforms/posix/src/px4/common/px4_sem.cpp148,\
  \ \n"
cwe: None
cve: None
keywords:
- rats
- static analysis
- testing
- triage
- bug
- 'version: v1.10.2'
- 'robot component: PX4'
- components software
system: ''
vendor: null
severity:
  rvss-score: 0
  rvss-vector: ''
  severity-description: ''
  cvss-score: 0
  cvss-vector: ''
links:
- https://github.com/aliasrobotics/RVD/issues/2659
flaw:
  phase: testing
  specificity: subject-specific
  architectural-location: application-specific
  application: N/A
  subsystem: N/A
  package: N/A
  languages: None
  date-detected: 2020-06-29 (12:38)
  detected-by: Alias Robotics
  detected-by-method: testing static
  date-reported: 2020-06-29 (12:38)
  reported-by: Alias Robotics
  reported-by-relationship: automatic
  issue: https://github.com/aliasrobotics/RVD/issues/2659
  reproducibility: always
  trace: ''
  reproduction: See artifacts below (if available)
  reproduction-image: gitlab.com/aliasrobotics/offensive/alurity/pipelines/active/pipeline_px4/-/jobs/615577396/artifacts/download
exploitation:
  description: ''
  exploitation-image: ''
  exploitation-vector: ''
  exploitation-recipe: ''
mitigation:
  description: ''
  pull-request: ''
  date-mitigation: ''

rvd-bot commented 3 years ago

Ticket is still missing triage. Closing for inactivity.