
[Bug report] Out-Of-Boundary Bug Found in Nuttx-app examples/gps/gps_main.c #20

@Pwn9uin

Description


Summary

We identified an out-of-bounds bug in /platforms/nuttx/NuttX/apps/examples/gps/gps_main.c:69 due to the absence of a limit on the count (i.e., the index variable of the line buffer).

We reported this vulnerability to PX4/PX4-Autopilot and PX4/NuttX-apps.

Detailed Root Cause

do
  {
    read(fd, &ch, 1);
    if (ch != '\r' && ch != '\n')
      {
        line[cnt++] = ch;   /* cnt is never compared against the size of line */
      }
  }
while (ch != '\r' && ch != '\n');

In /platforms/nuttx/NuttX/apps/examples/gps/gps_main.c:64, this code copies the bytes returned by read() into the line variable. Even though line is declared with size MINMEA_MAX_LENGTH, which is 256, cnt has no restriction or limit, so the loop keeps receiving data until '\r' or '\n'. If the data contains no '\r' or '\n' before its size exceeds 80, the out-of-bounds bug can be triggered.
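As an added example, not code from the issue author or from the NuttX project, the loop below is a bounded replacement for the read loop quoted above: it checks cnt against the buffer size before every store, NUL-terminates, and also stops when read() returns 0 or an error instead of looping on a stale ch. The helper names (read_nmea_line, feed) and the pipe-based driver are assumptions for running it offline.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MINMEA_MAX_LENGTH 256

/* Hypothetical bounded helper (not the NuttX code): read one NMEA sentence
 * from fd into line[linesz], stopping at '\r' or '\n'.  Never writes past
 * line[linesz - 1].  Returns the byte count, or -1 when the sentence was
 * overlong (excess bytes are drained so the next call starts on a fresh
 * line) or the descriptor hit EOF/error before a terminator. */
static ssize_t read_nmea_line(int fd, char *line, size_t linesz)
{
  size_t cnt = 0;
  int overlong = 0;
  char ch;

  for (;;)
    {
      if (read(fd, &ch, 1) <= 0)
        break;                        /* EOF or error: give up, do not spin */
      if (ch == '\r' || ch == '\n')
        {
          line[cnt] = '\0';
          return overlong ? -1 : (ssize_t)cnt;
        }
      if (cnt < linesz - 1)
        line[cnt++] = ch;             /* the bound check gps_main.c lacks */
      else
        overlong = 1;                 /* keep reading, but drop the bytes */
    }

  line[cnt] = '\0';
  return -1;
}

/* Push constructed bytes through a pipe so the helper can run offline. */
static ssize_t feed(const char *data, size_t len, char *line, size_t linesz)
{
  int p[2];
  if (pipe(p) != 0 || write(p[1], data, len) != (ssize_t)len)
    return -2;
  close(p[1]);
  ssize_t r = read_nmea_line(p[0], line, linesz);
  close(p[0]);
  return r;
}
```

With a 256-byte line buffer, a 399-byte sentence with no terminator is rejected with -1 and the buffer still holds at most 255 bytes plus the NUL.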

PoC reproduction

Environment setting

We checked that this vulnerability actually impacts a real device.

In order to apply the NuttX-app/examples/gps code to a PX4 Pixhawk 6C device, we set up the environment as follows.

  • git clone https://github.com/kosma/minmea.git in platforms/nuttx/NuttX/apps/gpsutils/minmea/minmea/
  • git reset --hard db46128e73cee26d6a6eb0482dcba544ee1ea9f5 in platforms/nuttx/NuttX/apps/gpsutils/minmea/minmea/minmea
  • Disable the code under the $(MINMEA_UNPACKDIR): rule in platforms/nuttx/NuttX/apps/gpsutils/minmea/Makefile
  • Set the default of config EXAMPLES_GPS to 'y' in platforms/nuttx/NuttX/apps/examples/gps/Kconfig
  • Add the setting CONFIG_EXAMPLES_GPS=y to default.px4board (e.g. boards/px4/fmu-v6c/default.px4board)
  • Replace #include "gpsutils/minmea.h" with #include "minmea/minmea.h" (platforms/nuttx/NuttX/apps/examples/gps/gps_main.c:32)
  • Replace MINMEA_MAX_LENGTH with MINMEA_MAX_SENTENCE_LENGTH (platforms/nuttx/NuttX/apps/examples/gps/gps_main.c:47)
  • Change /dev/ttyS1 to /dev/ttyS0 (because the correct GPS serial port is /dev/ttyS0 for the PX4 fmu-v6c board)

Then just connect the GPS module to the port at /dev/ttyS0; the module receives GPS data and the vulnerable code is triggered.

PoC reproduction video

This video shows that a real Pixhawk device is affected by the vulnerable code, which makes it stop.

hang_on_gps_2.mp4

Impact

When people use NuttX-app/examples/gps, the buffer overflow can occur so that the drone can be brought down.
