catalinv-ncc opened a new issue, #19417:
URL: https://github.com/apache/nuttx/issues/19417

   ### Description / Steps to reproduce the issue
   
   ## Impact
   
   An attacker able to force an unsuccessful RFID read operation can force the 
kernel to disclose kernel stack information. The called may be able to use the 
stack content information as part of a more complex attack that can allow 
privilege escalation.
   
   ## Description
   
   The *contactless* kernel driver relies on the read operation implemented by 
`mfrc522_read()`:
   
   ```c
   static const struct file_operations g_mfrc522fops =
   {
     mfrc522_open,   /* open */
     mfrc522_close,  /* close */
     [[[[mfrc522_read,   /* read */]]]]
   ...
   };
   ```
   
   The read operation uses `mfrc522_picc_select()` which has over 400 lines of 
code and 9 early `return` statements. An attacker able to inject bad data on 
the SPI bus between the NuttX-powered host and the MFRC522 IC may be able cause 
one of the tests in `mfrc522_picc_select()` to fail. If the call fails, the 
uninitialized kernel stack contents of `uid` (a 12-byte `struct picc_uid_s`) 
are returned to the user space caller.
   
   ```c
   static ssize_t [[[[mfrc522_read]]]](FAR struct file *filep, [[[[FAR char 
*buffer]]]], size_t buflen)
   {
   ...
     [[[[FAR struct picc_uid_s uid;]]]]
   ...
     /* Now read the UID */
     [[[[mfrc522_picc_select(dev, &uid, 0);]]]]
   
     if ([[[[uid.sak != PICC_TYPE_NOT_COMPLETE]]]])
       {
         /* TODO: double/triple UID */
   
         if (buffer)
           {
             [[[[snprintf(buffer, buflen, "0x%02X%02X%02X%02X",
                      uid.uid_data[0], uid.uid_data[1],
                      uid.uid_data[2], uid.uid_data[3]);]]]]
             return buflen;
           }
       }
   
     return OK;
   }
   ```
   
   Since the `mfrc522_picc_select()` may fail silently, `uid` is left 
uninitialized, specifically `uid.sak`. As such, the verification `uid.sak != 
PICC_TYPE_NOT_COMPLETE` is likely to be true and the content of the kernel 
stack is leaked to the user space caller.
   
   ```c
   [[[[int]]]] mfrc522_picc_select(FAR struct mfrc522_dev_s *dev, FAR struct 
picc_uid_s *uid, uint8_t validbits)
   {
   ...
         else
           {
             uid_complete = true;
             [[[[uid->sak = resp_buf[0];]]]]
           }
       }
   
     /* Set correct uid->size */
     uid->size = 3 * cascade_level + 1;
     return OK;
   }
   ```
   
   ## Recommendation
   
   * Before `snprintf()` reads `uid`, it must be initialized: `FAR struct 
picc_uid_s uid = 0;`
   * Function `mfrc522_read()` must check the `mfrc522_picc_select()` return 
code, and propagate the error.
   
   ### On which OS does this issue occur?
   
   [OS: Linux]
   
   ### What is the version of your OS?
   
   Ubuntu 24.04
   
   ### NuttX Version
   
   master
   
   ### Issue Architecture
   
   [Arch: all]
   
   ### Issue Area
   
   [Area: Drivers]
   
   ### Host information
   
   _No response_
   
   ### Verification
   
   - [x] I have verified before submitting the report.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to