Skip to content

Integer underflow in parsed TLV data in boot_save_boot_status

Moderate
d3zd3z published GHSA-8hrv-4cp5-4rg3 Apr 18, 2022

Package

mcuboot (c)

Affected versions

>=1.7.0, <1.10

Patched versions

None

Description

In case MCUBOOT_MEASURED_BOOT is defined the TLV structure is parsed in order to retrieve the information from the image in flash and use it for saving the status information.

Two TLV fields are retrieved by the mcuboot, namely IMAGE_TLV_BOOT_RECORD and IMAGE_TLV_SHA256. Since the length of the TLV field is defined by the TLV itself it is possible that length record_len in IMAGE_TLV_BOOT_RECORD is reasonably arbitrary.

The TLV data in the image stored in flash cannot be fully trusted since there is no authentication of the TLV data performed by the mcuboot bootloader. In case of an external SPI flash the tlv data can be easily modified by the attacker as well.

The value record_len is checked to be not larger than the receiving buffer buf, but not checked if it is smaller than the expected length.

Finally an offset is computed by the following code:

    /* Update the measurement value (hash of the image) data item in the
     * boot record. It is always the last item in the structure to make
     * it easy to calculate its position.
     * The image hash is computed over the image header, the image itself and
     * the protected TLV area (which should already include the image hash as
     * part of the boot record TLV). For this reason this field has been
     * filled with zeros during the image signing process.
     */
    offset = record_len - sizeof(image_hash);
    /* The size of 'buf' has already been checked when
     * the BOOT_RECORD TLV was read, it won't overflow.
     */
    memcpy(buf + offset, image_hash, sizeof(image_hash));

In case record_len is smaller than sizeof(image_hash) integer underflow will take place resulting in a negative value interpreted as an unsigned value. Once the offset is added to the pointer buff the destination pointer value will overflow and up to 31 bytes of attacker controlled data will be written on the stack out of bounds, resulting in the stack memory corruption and depending on the stack layout can lead to an arbitrary code execution.

Patches

Workarounds

References

For more information

If you have any questions or comments about this advisory:

embargo: 2022-01-15

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Physical
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CVE ID

CVE-2021-3890

Weaknesses

Credits