Thank you for letting me know! I've opened some other issues related to different vulnerabilities. I'm available if you need any clarifications. For any confirmed vulnerability (including this one), once they're fixed I'm planning to request a CVE ID from Mitre. Let me know in case you prefer to handle this yourself.
0xdea changed the title from "Potential buffer overflow in RT-Thread dfs_v2 romfs filesystem" to "Buffer overflow in RT-Thread dfs_v2 romfs filesystem" on Jan 17, 2024
Hi,
I would like to report a potential vulnerability in the current version of RT-Thread. As directed, I'm opening an issue here. Please let me know if you plan to ask for a CVE ID in case the vulnerability is confirmed. I'm available if you need further clarifications.
Potential buffer overflow in RT-Thread dfs_v2 romfs filesystem
Summary
I spotted a potential buffer overflow vulnerability at the following location in the RT-Thread dfs_v2 romfs filesystem source code:
https://github.com/RT-Thread/rt-thread/blob/master/components/dfs/dfs_v2/filesystems/romfs/dfs_romfs.c#L353-L355
Details
Lack of length check in the dfs_romfs_getdents() function could lead to a buffer overflow at the marked line:
Please note that dfs_v1 romfs source code at https://github.com/RT-Thread/rt-thread/blob/master/components/dfs/dfs_v1/filesystems/romfs/dfs_romfs.c#L335-L340 is not affected, because the string copy operation is implemented differently:
Even if the assertion is compiled out in production code, len is not used for the copy operation anyway. Therefore, unless DFS_PATH_MAX is larger than sizeof(d->d_name), this code should be safe.
Impact
If the unchecked input above is confirmed to be attacker-controlled and crossing a security boundary, the impact of the reported buffer overflow vulnerability could range from denial of service to arbitrary code execution.
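The report does not reproduce the copy at the marked line, so as an added illustration (not RT-Thread's code) here is the destination-bounded form of the name copy that dfs_romfs_getdents() needs: the size of d_name, not the length of the untrusted name, bounds the copy, and the DFS_PATH_MAX versus sizeof(d->d_name) relation the report mentions becomes a compile-time check. The struct layout, the DFS_PATH_MAX value and the names fill_dirent_name and overlong_name_is_rejected are assumptions for this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins with the same shape as the DFS dirent; the
 * sizes are assumptions for this example, not RT-Thread's own values. */
#define DFS_PATH_MAX 256

struct dirent {
    unsigned char  d_type;
    unsigned char  d_namlen;
    unsigned short d_reclen;
    char           d_name[DFS_PATH_MAX];
};

/* Build-time form of the condition the report relies on. */
_Static_assert(sizeof(((struct dirent *)0)->d_name) >= DFS_PATH_MAX,
               "d_name cannot hold a DFS_PATH_MAX-byte name");

/* Copy an entry name read from the filesystem image into d->d_name.
 * The bound is the destination size, never the untrusted name length,
 * so an over-long name cannot write past d_name. Returns the copied
 * length, or -1 if the name does not fit (d_name is then left empty). */
int fill_dirent_name(struct dirent *d, const char *name)
{
    const size_t cap = sizeof(d->d_name);
    size_t len = 0;
    while (len < cap && name[len] != '\0')  /* reads at most cap bytes */
        len++;
    if (len >= cap) {                       /* no room for the terminator */
        d->d_name[0] = '\0';
        d->d_namlen = 0;
        return -1;
    }
    memcpy(d->d_name, name, len);
    d->d_name[len] = '\0';
    d->d_namlen = (unsigned char)len;       /* len <= 255 here, so it fits */
    d->d_reclen = (unsigned short)sizeof(struct dirent);
    return (int)len;
}
struct dirent demo_entry;                   /* target used by the checks below */

/* Push a constructed 300-byte name (longer than d_name) through the copy
 * and report whether it was rejected with the bytes after d_name intact. */
int overlong_name_is_rejected(void)
{
    char name[301];
    struct { struct dirent d; unsigned int canary; } box = { {0}, 0xA5A5A5A5u };
    memset(name, 'A', sizeof(name) - 1);
    name[sizeof(name) - 1] = '\0';
    return fill_dirent_name(&box.d, name) == -1 && box.canary == 0xA5A5A5A5u;
}
```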