QUERY · ISSUE

heap-buffer-overflow [micropython@a5bdd39127]

openby zeroone-kropened 2024-01-15updated 2025-04-12

bug

Hi all, I'm Wonil Jang, from the research group S2Lab in UNIST.
We found a heap buffer overflow bug from micropython by our custom tool. The detailed information is as follows.

Environment

OS: Ubuntu 22.04
Version: micropython at commit ce42c9e
Build: unix ports
Bug Type: heap buffer overflow
Bug Location: py/binary.c:155
Credits: Junwha Hong and Wonil Jang, from S2Lab in UNIST

PoC

Index out-of-range (Normal behavior)

import gc

try:
    import os
except (ImportError, AttributeError):
    print("SKIP")
    raise SystemExit

class RAMBlockDevice:
    ERASE_BLOCK_SIZE = 7

    def __init__(self, blocks):
        print(blocks)
        self.data = bytearray(blocks * self.ERASE_BLOCK_SIZE)

    def readblocks(self, block, buf, off):
        addr = block * self.ERASE_BLOCK_SIZE + off
        for i in range(len(buf)):
            buf[i] = self.data[addr + i]

    def writeblocks(self, block, buf, off):
        print(buf[len(buf)])

    def ioctl(self, op, arg):
        if op == 4:  # block count
            return len(self.data) // self.ERASE_BLOCK_SIZE
        if op == 5:  # block size
            return self.ERASE_BLOCK_SIZE
        if op == 6:  # erase block
            return 0

bdev = RAMBlockDevice(30)
os.VfsLfs2.mkfs(bdev)

BOF (Wrong behavior)

import gc

try:
    import os
except (ImportError, AttributeError):
    print("SKIP")
    raise SystemExit

class RAMBlockDevice:
    ERASE_BLOCK_SIZE = 7

    def __init__(self, blocks):
        print(blocks)
        self.data = bytearray(blocks * self.ERASE_BLOCK_SIZE)

    def readblocks(self, block, buf, off):
        addr = block * self.ERASE_BLOCK_SIZE + off
        for i in range(len(buf)):
            buf[i] = self.data[addr + i]

    def writeblocks(self, block, buf, off):
        print(buf[len(buf)-1])

    def ioctl(self, op, arg):
        if op == 4:  # block count
            return len(self.data) // self.ERASE_BLOCK_SIZE
        if op == 5:  # block size
            return self.ERASE_BLOCK_SIZE
        if op == 6:  # erase block
            return 0

bdev = RAMBlockDevice(30)
os.VfsLfs2.mkfs(bdev)

The difference is only ERASE_BLOCK_SIZE is under 8.

config->cache_size = MIN(config->block_size, (4 * MAX(read_size, prog_size)));
config->lookahead_size = lookahead;
config->read_buffer = m_new(uint8_t, config->cache_size);
config->prog_buffer = m_new(uint8_t, config->cache_size);

Above code, the read_size is 32, config_size is 32 and block_size is 7. then, the cache_size becomes MIN(7, 128) = 7.

#0  lfs2_init (lfs2=0x7fffffffdc68, cfg=<optimized out>) at ../../lib/littlefs/lfs2.c:4170
#1  lfs2_rawformat (lfs2=0x7fffffffdc68, cfg=<optimized out>) at ../../lib/littlefs/lfs2.c:4260
#2  lfs2_format (lfs2=lfs2@entry=0x7fffffffdc68, cfg=cfg@entry=0x7fffffffdbf8) at ../../lib/littlefs/lfs2.c:5775
#3  0x00005555557cdf82 in mp_vfs_lfs2_mkfs (n_args=<optimized out>, pos_args=<optimized out>,  kw_args=<optimized out>) at ../../extmod/vfs_lfsx.c:150

// setup program cache
if (lfs2->cfg->prog_buffer) {
    lfs2->pcache.buffer = lfs2->cfg->prog_buffer;
} else {
...
}

Then, at lfs2_init, the prog_buffer was saved as lfs2->pcache.buffer

static int lfs2_bd_flush(lfs2_t *lfs2,
        lfs2_cache_t *pcache, lfs2_cache_t *rcache, bool validate) {
    if (pcache->block != LFS2_BLOCK_NULL && pcache->block != LFS2_BLOCK_INLINE) {
        LFS2_ASSERT(pcache->block < lfs2->block_count);
        lfs2_size_t diff = lfs2_alignup(pcache->size, lfs2->cfg->prog_size);
        int err = lfs2->cfg->prog(lfs2->cfg, pcache->block,
                pcache->off, pcache->buffer, diff);

At lfs2_bd_flush function lib/littlefs/lfs2.c:180, it progresses with pcache_size.

int mp_vfs_blockdev_write_ext(mp_vfs_blockdev_t *self, size_t block_num, size_t block_off, size_t len, const uint8_t *buf) {
    if (self->writeblocks[0] == MP_OBJ_NULL) {
        // read-only block device
        return -MP_EROFS;
    }

    mp_obj_array_t ar = {{&mp_type_bytearray}, BYTEARRAY_TYPECODE, 0, len, (void *)buf};
    self->writeblocks[2] = MP_OBJ_NEW_SMALL_INT(block_num);
    self->writeblocks[3] = MP_OBJ_FROM_PTR(&ar);
    self->writeblocks[4] = MP_OBJ_NEW_SMALL_INT(block_off);
    mp_obj_t ret = mp_call_method_n_kw(3, 0, self->writeblocks);
    if (ret == mp_const_none) {
        return 0;
    } else {
        return MP_OBJ_SMALL_INT_VALUE(ret);
    }
}

mp_vfs_blockdev_write_ext function is called with following arguments.

block_num: ?
block_off: 0
len: diff=32
buf: prog_buf (pcache→buffer)

Above code, the bytearray was constructed with wrong information! Real buffer_size is 7. but, given buffer size is 32.
In summary, The index out-of-bound over len(buf)-1 could be captured, but not for the under len(buf)-1.

Crash Log

    #0 0x55c5a177e7cf in mp_binary_get_val_array /home/qbit/testing-2023/micropython/ports/unix/../../py/binary.c:155:19
    #1 0x55c5a173bce7 in mp_obj_subscr /home/qbit/testing-2023/micropython/ports/unix/../../py/obj.c:536:24
    #2 0x55c5a178ca28 in mp_execute_bytecode /home/qbit/testing-2023/micropython/ports/unix/../../py/vm.c:446:21
    #3 0x55c5a174c84b in fun_bc_call /home/qbit/testing-2023/micropython/ports/unix/../../py/objfun.c:273:42
    #4 0x55c5a17d7e41 in mp_vfs_blockdev_write_ext /home/qbit/testing-2023/micropython/ports/unix/../../extmod/vfs_blockdev.c:105:20
    #5 0x55c5a184261e in lfs2_bd_flush /home/qbit/testing-2023/micropython/ports/unix/../../lib/littlefs/lfs2.c:181:19
    #6 0x55c5a184261e in lfs2_bd_prog /home/qbit/testing-2023/micropython/ports/unix/../../lib/littlefs/lfs2.c:251:27
    #7 0x55c5a184261e in lfs2_dir_commitprog /home/qbit/testing-2023/micropython/ports/unix/../../lib/littlefs/lfs2.c:1555:15
    #8 0x55c5a1842ff1 in lfs2_dir_compact /home/qbit/testing-2023/micropython/ports/unix/../../lib/littlefs/lfs2.c:1954:19
    #9 0x55c5a1836183 in lfs2_dir_splittingcompact /home/qbit/testing-2023/micropython/ports/unix/../../lib/littlefs/lfs2.c:2174:12
    #10 0x55c5a1836183 in lfs2_dir_relocatingcommit /home/qbit/testing-2023/micropython/ports/unix/../../lib/littlefs/lfs2.c:2292:13
    #11 0x55c5a182f575 in lfs2_dir_orphaningcommit /home/qbit/testing-2023/micropython/ports/unix/../../lib/littlefs/lfs2.c:2373:17
    #12 0x55c5a181f16a in lfs2_dir_commit /home/qbit/testing-2023/micropython/ports/unix/../../lib/littlefs/lfs2.c:2545:19
    #13 0x55c5a181f16a in lfs2_rawformat /home/qbit/testing-2023/micropython/ports/unix/../../lib/littlefs/lfs2.c:4293:15
    #14 0x55c5a181f16a in lfs2_format /home/qbit/testing-2023/micropython/ports/unix/../../lib/littlefs/lfs2.c:5775:11
    #15 0x55c5a17dff81 in mp_vfs_lfs2_mkfs /home/qbit/testing-2023/micropython/ports/unix/../../extmod/vfs_lfsx.c:150:15
    #16 0x55c5a174bd98 in fun_builtin_var_call /home/qbit/testing-2023/micropython/ports/unix/../../py/objfun.c:114:16
    #17 0x55c5a178d59e in mp_execute_bytecode /home/qbit/testing-2023/micropython/ports/unix/../../py/vm.c:1042:21
    #18 0x55c5a174c84b in fun_bc_call /home/qbit/testing-2023/micropython/ports/unix/../../py/objfun.c:273:42
    #19 0x55c5a178c4b4 in mp_execute_bytecode /home/qbit/testing-2023/micropython/ports/unix/../../py/vm.c:957:21
    #20 0x55c5a174c84b in fun_bc_call /home/qbit/testing-2023/micropython/ports/unix/../../py/objfun.c:273:42
    #21 0x55c5a1911557 in execute_from_lexer /home/qbit/testing-2023/micropython/ports/unix/main.c:161:13
    #22 0x55c5a19100b5 in do_file /home/qbit/testing-2023/micropython/ports/unix/main.c:310:12
    #23 0x55c5a19100b5 in main_ /home/qbit/testing-2023/micropython/ports/unix/main.c:722:19
    #24 0x7f0d0ec29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #25 0x7f0d0ec29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #26 0x55c5a15a5a14 in _start (/home/qbit/testing-2023/micropython/ports/unix/build-standard/micropython+0x3fa14)

Thank you for reading bug report!!

CANDIDATE · ISSUE

heap-buffer-overflow: from integer overflow at mp_stream_rw

closedby junwhaopened 2023-11-22updated 2024-09-26

bug

Hi all, Sorry for burdening you with a lot of bug reports. we found buffer overflow at mp_stream_rw.

Summary

OS: Ubuntu 22.04
version: micropython@a00c9d56db775ee5fc14c2db60eb07bab8e872dd
port: unix
contribution: Junwha Hong and Wonil Jang @S2-Lab, UNIST
description:
- at mp_stream_rw py/stream.c:121 , it checks the unsigned integer size with > 0, thus it lead to integer overflow, and then heap buffer overflow

PoC

import os

os.VfsLfs1
os.VfsLfs2

class RAMBlockDevice:
    ERASE_BLOCK_SIZE = 512

    def __init__(self, blocks):
        self.data = bytearray(blocks * self.ERASE_BLOCK_SIZE)
        self.ret = 0

    def readblocks(self, block, buf, off):
        addr = block * self.ERASE_BLOCK_SIZE + off
        for i in range(len(buf)):
            buf[i] = self.data[addr + i]
        return self.ret

    def writeblocks(self, block, buf, off):
        addr = block * self.ERASE_BLOCK_SIZE + off
        for i in range(len(buf)):
            self.data[addr + i] = buf[i]
        return self.ret

    def ioctl(self, op, arg):
        if op == 4:  # block count
            return len(self.data) // self.ERASE_BLOCK_SIZE
        if op == 5:  # block size
            return self.ERASE_BLOCK_SIZE
        if op == 6:  # erase block
            return 0

def create_vfs(bdev, vfs_class):
    bdev.ret -= 0
    vfs_class.mkfs(bdev)
    vfs = vfs_class(bdev)
    with vfs.open("f", "w") as f:
        f.write("test")
    return vfs

bdev = RAMBlockDevice(8)
vfs = create_vfs(bdev, os.VfsLfs1)
f = vfs.open("f", "r")
bdev.ret = 10  # EIO
f.read(1)

Problem Statement

vstr->buf is allocated at py/stream.c:122, with sz 1-length.

STATIC mp_obj_t stream_read_generic(size_t n_args, const mp_obj_t *args, byte flags) {
        vstr_init(&vstr, sz);

The chunk vstr->buf is flown to mp_stream_rw at py/stream.c:46, as a parameter buf_ , and size is 1 here. At the first while loop py/stream.c:60, it calls io_func, which is lfs1_cache_read, and the out_sz is 10.

Problem occurs here, because the size is 1 and out_sz is 10, both are mp_uint_t, thus size -= out_sz makes integer overflow. ⇒ it’s 18446744073709551607 in unix port.

mp_uint_t mp_stream_rw(mp_obj_t stream, void *buf_, mp_uint_t size, int *errcode, byte flags) {
    byte *buf = buf_;
    typedef mp_uint_t (*io_func_t)(mp_obj_t obj, void *buf, mp_uint_t size, int *errcode);
    io_func_t io_func;
    const mp_stream_p_t *stream_p = mp_get_stream(stream);
    if (flags & MP_STREAM_RW_WRITE) {
        io_func = (io_func_t)stream_p->write;
    } else {
        io_func = stream_p->read;
    }

    *errcode = 0;
    mp_uint_t done = 0;
    while (size > 0) {
        mp_uint_t out_sz = io_func(stream, buf, size, errcode);
        // For read, out_sz == 0 means EOF. For write, it's unspecified
        // what it means, but we don't make any progress, so returning
        // is still the best option.
        if (out_sz == 0) {
            return done;
        }
        if (out_sz == MP_STREAM_ERROR) {
            // If we read something before getting EAGAIN, don't leak it
            if (mp_is_nonblocking_error(*errcode) && done != 0) {
                *errcode = 0;
            }
            return done;
        }
        if (flags & MP_STREAM_RW_ONCE) {
            return out_sz;
        }

        buf += out_sz;
        size -= out_sz;
        done += out_sz;
    }
    return done;
}

and then, because size is still over 0 (because of integer overflow), it calls io_func again, with the address of buf_ + 10 and size 18446744073709551607

then, lfs1_cache_read do memcpy with the diff, on the invalid offset buf_ + 10. thus, it is heap-over-flow.

static int lfs1_cache_read(lfs1_t *lfs1, lfs1_cache_t *rcache,
        const lfs1_cache_t *pcache, lfs1_block_t block,
        lfs1_off_t off, void *buffer, lfs1_size_t size) {
    uint8_t *data = buffer;
    LFS1_ASSERT(block < lfs1->cfg->block_count);

    while (size > 0) {
        if (pcache && block == pcache->block && off >= pcache->off &&
                off < pcache->off + lfs1->cfg->prog_size) {
            // is already in pcache?
            lfs1_size_t diff = lfs1_min(size,
                    lfs1->cfg->prog_size - (off-pcache->off));
            memcpy(data, &pcache->buffer[off-pcache->off], diff);

Patch

we need to compare out_sz and size, instead of using while (size > 0) on unsigned integer.

Crash log

#1 0x555555803061 in lfs1_cache_read /home/qbit/testing-2023/micropython/ports/unix/../../lib/littlefs/lfs1.c:39:13
#2 0x555555803061 in lfs1_file_read /home/qbit/testing-2023/micropython/ports/unix/../../lib/littlefs/lfs1.c:1611:19
#3 0x5555557d3088 in mp_vfs_lfs1_file_read /home/qbit/testing-2023/micropython/ports/unix/../../extmod/vfs_lfsx_file.c:129:28
#4 0x555555772e43 in mp_stream_rw /home/qbit/testing-2023/micropython/ports/unix/../../py/stream.c:60:28
#5 0x555555772e43 in stream_read_generic /home/qbit/testing-2023/micropython/ports/unix/../../py/stream.c:128:32
#6 0x555555782c1c in mp_execute_bytecode /home/qbit/testing-2023/micropython/ports/unix/../../py/vm.c:1042:21
#7 0x55555574261b in fun_bc_call /home/qbit/testing-2023/micropython/ports/unix/../../py/objfun.c:273:42
#8 0x555555781b2c in mp_execute_bytecode /home/qbit/testing-2023/micropython/ports/unix/../../py/vm.c:957:21
#9 0x55555574261b in fun_bc_call /home/qbit/testing-2023/micropython/ports/unix/../../py/objfun.c:273:42
#10 0x555555903f3d in execute_from_lexer /home/qbit/testing-2023/micropython/ports/unix/main.c:161:13
#11 0x555555902ad5 in do_file /home/qbit/testing-2023/micropython/ports/unix/main.c:310:12
#12 0x555555902ad5 in main_ /home/qbit/testing-2023/micropython/ports/unix/main.c:722:19
#13 0x7ffff7c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#14 0x7ffff7c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#15 0x555555593a34 in _start (/home/qbit/testing-2023/micropython/ports/unix/build-standard/micropython+0x3fa34)

Thank you for taking the time to review our bug report! :)