| Título | NASA cFS 7.0.0 Integer overflow in CFE_TBL_ValidateCodecLoadSize bypasses boun |
|---|
| Descripción | Integer overflow in CFE_TBL_ValidateCodecLoadSize() bypasses the table load bounds check on 32-bit targets. The function computes ProjectedSize = Offset + NumBytes using uint32 arithmetic. When the sum exceeds 2^32, the result wraps to a small value that passes the bounds check. The original unwrapped Offset is then used for the destination pointer computation in CFE_TBL_LoadContentFromFile(), enabling out-of-bounds memory writes on 32-bit flight processors (LEON3, RAD750).
This is mitigated on 64-bit targets where pointer arithmetic does not wrap at 2^32.
To Reproduce
Craft a table load file with Offset=0xFFFFFF00 and NumBytes=0x200 targeting a 256-byte table
The uint32 addition wraps: 0xFFFFFF00 + 0x200 = 0x100 (256), which passes the ProjectedSize > ActualSize check
The subsequent memcpy uses the original Offset (0xFFFFFF00) for the destination pointer, writing 512 bytes 4GB beyond the table buffer
On 32-bit flight hardware, this wraps into other memory regions — confirmed with three overflow variants
Proof-of-concept source and output are available upon request.
Expected behavior
The bounds-check addition should be performed in 64-bit arithmetic to prevent wraparound, regardless of target architecture.
Code snips
cfe/modules/tbl/fsw/src/cfe_tbl_passthru_codec.c (line 163):
uint32 ProjectedSize;
ProjectedSize = HeaderPtr->Offset + HeaderPtr->NumBytes; // uint32 wraps at 2^32
if (ProjectedSize > ActualSize)
{
/* reject as too large */
}
Example overflow:
Offset = 0xFFFFFF00 (4,294,967,040)
NumBytes = 0x00000200 (512)
True sum = 0x100000100 (4,294,967,552)
uint32 wrap = 0x00000100 (256) <- passes check for TableSize=256
System observed on:
Hardware: x86-64 (arithmetic overflow demonstrated via uint32_t; exploitable OOB write requires 32-bit address space as on LEON3/RAD750)
OS: Linux (Ubuntu 22.04)
Versions: cFS Draco release, commit 83c735e
Additional context
The primary cFS deployment targets are 32-bit flight processors (LEON3, RAD750) where this vulnerability is exploitable. The fix (casting to uint64_t before addition) is trivial and has zero impact on 64-bit targets. Requires ground operator command authority to issue table load commands. |
|---|
| Fuente | ⚠️ https://github.com/nasa/cFS/issues/954 |
|---|
| Usuario | 0rbitingZer0 (UID 96146) |
|---|
| Sumisión | 2026-03-18 01:33 (hace 19 días) |
|---|
| Moderación | 2026-04-03 09:51 (16 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 355080 [NASA cFS hasta 7.0.0 en 32-bit cfe_tbl_passthru_codec.c CFE_TBL_ValidateCodecLoadSize desbordamiento de búfer] |
|---|
| Puntos | 20 |
|---|