Closed junwha closed 1 month ago
Thanks for submitting this report. I am able to reproduce this, and confirm the bug exists as described. Triggering the bug depends on the user running a malformed block device driver, as provided with your PoC.
A fix should be available in MicroPython soon.
Please let us know if you plan to register a CVE for this or any other issue you've reported.
(I'd suggest in this case it's not applicable, as any exploit depends on a malformed block device driver and no such driver exists in MicroPython.)
Thank you for confirming this issue! I sent you a DM on Discord about CVEs.
Hi all, sorry for burdening you with a lot of bug reports. We found a buffer overflow at `mp_stream_rw`.
Summary
At py/stream.c:121, it checks the unsigned integer `size` with `> 0`, thus it leads to an integer overflow and then a heap buffer overflow.
PoC
Problem Statement
`vstr->buf` is allocated at py/stream.c:122, with `sz` of length 1. The chunk `vstr->buf` flows to `mp_stream_rw` at py/stream.c:46 as the parameter `buf_`, and `size` is 1 here. In the first while loop at py/stream.c:60, it calls `io_func`, which is `lfs1_cache_read`, and the `out_sz` is 10.
The problem occurs here: because `size` is 1 and `out_sz` is 10, and both are `mp_uint_t`, `size -= out_sz` makes an integer overflow. ⇒ it's 18446744073709551607 in the unix port.
And then, because `size` is still over 0 (because of the integer overflow), it calls `io_func` again, with the address `buf + 10` and size 18446744073709551607. Then `lfs1_cache_read` does `memcpy` with the `diff`, on the invalid offset `buf + 10`. Thus, it is a heap overflow.
Patch
We need to compare `out_sz` and `size`, instead of using `while (size > 0)` on an unsigned integer.
Crash log
Thank you for taking the time to review our bug report! :)
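The loop shape and the fix the report proposes, reconstructed as an added, stand-alone C example (not MicroPython's code): `rw_vulnerable` trusts whatever `out_sz` the callback returns and subtracts it from an unsigned `size`, while `rw_hardened` compares `out_sz` against `size` before touching anything. The callback signature, the `bad_dev_t` driver that claims 10 bytes for a 1-byte request, and the trace it records are all constructed for the demo; the driver never writes, so the run is a safe dry run of the pointer and size arithmetic rather than a real overflow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef size_t mp_uint_t;

/* Assumed callback shape, simplified from the report's description of io_func. */
typedef mp_uint_t (*io_fn_t)(void *obj, void *buf, mp_uint_t size, int *errcode);

/* One recorded request: offset of buf from the first call, and the size requested. */
typedef struct { mp_uint_t offset; mp_uint_t size; } io_call_t;

#define MAX_TRACE 4

/* Constructed stand-in for a malformed block-device driver. */
typedef struct {
    mp_uint_t claim;            /* bytes it *claims* to transfer, whatever was requested */
    char *base;                 /* buf pointer seen on the first call */
    io_call_t trace[MAX_TRACE]; /* requests seen, for inspection after the dry run */
    int ncalls;
} bad_dev_t;

/* Writes nothing; only records each request and lies about out_sz. */
static mp_uint_t bad_read(void *obj, void *buf, mp_uint_t size, int *errcode) {
    bad_dev_t *d = obj;
    if (d->ncalls == 0) d->base = buf;
    if (d->ncalls < MAX_TRACE) {
        d->trace[d->ncalls].offset = (mp_uint_t)((char *)buf - d->base);
        d->trace[d->ncalls].size = size;
    }
    d->ncalls++;
    *errcode = 0;
    return d->claim;
}

/* Vulnerable shape: trusts out_sz, subtracts it from unsigned size, loops while size > 0.
   max_iters only bounds this dry run; the real loop has no such cap. */
static mp_uint_t rw_vulnerable(io_fn_t io, void *obj, char *buf, mp_uint_t size, int max_iters) {
    mp_uint_t done = 0;
    int errcode = 0;
    while (size > 0 && max_iters-- > 0) {
        mp_uint_t out_sz = io(obj, buf, size, &errcode);
        if (errcode != 0) break;
        buf += out_sz;   /* walks past the end of the caller's buffer */
        size -= out_sz;  /* wraps to SIZE_MAX - 8 when size == 1 and out_sz == 10 */
        done += out_sz;
    }
    return done;
}

/* Hardened shape: a result larger than the request is a driver bug, so stop before
   buf or size are touched; the unsigned subtraction can then never wrap. */
static bool rw_hardened(io_fn_t io, void *obj, char *buf, mp_uint_t size, mp_uint_t *done_out) {
    mp_uint_t done = 0;
    int errcode = 0;
    bool ok = true;
    while (size > 0) {
        mp_uint_t out_sz = io(obj, buf, size, &errcode);
        if (errcode != 0) { ok = false; break; }
        if (out_sz == 0) break;                     /* nothing transferred */
        if (out_sz > size) { ok = false; break; }   /* malformed driver: refuse it */
        buf += out_sz;
        size -= out_sz;
        done += out_sz;
    }
    *done_out = done;
    return ok;
}

/* Outcome of the report's scenario: a 1-byte request served by a driver claiming 10. */
typedef struct {
    int vuln_calls;          /* calls the vulnerable loop made (capped at 2 here) */
    mp_uint_t second_offset; /* where the 2nd call pointed relative to buf: 10 */
    mp_uint_t second_size;   /* size passed on the 2nd call: SIZE_MAX - 8 */
    bool hard_ok;            /* hardened loop rejects the driver */
    int hard_calls;          /* and stops after one call */
} demo_result_t;

static demo_result_t run_demo(void) {
    /* scratch exceeds the 1-byte request only so the dry run's pointer arithmetic
       stays in bounds; the driver never writes through it. */
    char scratch[64];
    demo_result_t r;
    bad_dev_t dev = { .claim = 10 };
    rw_vulnerable(bad_read, &dev, scratch, 1, 2);
    r.vuln_calls = dev.ncalls;
    r.second_offset = dev.trace[1].offset;
    r.second_size = dev.trace[1].size;

    bad_dev_t dev2 = { .claim = 10 };
    mp_uint_t done = 0;
    r.hard_ok = rw_hardened(bad_read, &dev2, scratch, 1, &done);
    r.hard_calls = dev2.ncalls;
    return r;
}

int main(void) {
    demo_result_t r = run_demo();
    printf("vulnerable: %d calls, 2nd call at buf+%zu with size %zu\n",
           r.vuln_calls, r.second_offset, r.second_size);
    printf("hardened: %s after %d call(s)\n", r.hard_ok ? "ok" : "rejected", r.hard_calls);
    return 0;
}
```

On a 64-bit build the second request in the vulnerable loop is `buf + 10` with size `SIZE_MAX - 8`, which is the 18446744073709551607 from the report; the hardened loop returns an error on the first call and never advances the pointer.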