Skip to content

Fix #2707, #2710 Hardening/memsafety and tbl overflow#2709

Open
Not4right wants to merge 5 commits into
nasa:mainfrom
Not4right:hardening/memsafety-and-tbl-overflow
Open

Fix #2707, #2710 Hardening/memsafety and tbl overflow#2709
Not4right wants to merge 5 commits into
nasa:mainfrom
Not4right:hardening/memsafety-and-tbl-overflow

Conversation

@Not4right

@Not4right Not4right commented May 8, 2026

Copy link
Copy Markdown

Describe the contribution

Closes: #2707, #2710

Fixes an unsigned integer overflow in CFE_TBL_ValidateCodecLoadSize plus related memory-safety cleanups. Offset + NumBytes (both from the untrusted file header) is computed as uint32 with no overflow check, then compared to the table size. Crafted input (Offset=0xFFFFFFF0, NumBytes=0x100) wraps to 0xF0, passes the check, and CFE_TBL_LoadContentFromFile writes attacker-controlled bytes to an attacker-controlled offset on 32-bit size_t targets. Masked on x86_64 dev/CI, exposed on every 32-bit flight target.

# File Class
1 cfe_tbl_passthru_codec.c Critical — integer overflow → OOB write
2 cfe_tbl_eds_codec.c Critical — same as #1
3 cfe_tbl_load.c Critical — defense-in-depth on size_t path
4 cfe_tbl_internal.c High — MarkNameAsModified: NULL-deref UB, size_t underflow, banned strcpy
5 cfe_es_mempool.c Medium — log OS_MutSemTake/Give failures (matches SB/FS/TBL convention)
6 cfe_es_cds.c Medium — sprintfsnprintf
7 cfe_sb_priv.c Medium — sprintfsnprintf

Including #2707, #2710

Testing performed

  1. Build: make SIMULATION=native ENABLE_UNIT_TESTS=true prep && make clean.
  2. make test: 115/117 pass. The two failures (osal-core-test, queue-test) reproduce on unpatched main in the same environment POSIX mqueue / signal limits in the container, not regressions. None of the patched files are exercised by either.
  3. Synthetic harness mirroring the validation logic, built 64-bit and -m32:
    • Unpatched: accepts malicious input (bug confirmed).
    • Patched: rejects malicious input, accepts legitimate input. No regression.

A unit test in cfe/modules/tbl/ut-coverage/ covering wrap-around inputs should land with this fix. Happy to add it here or as a follow-up.

Expected behavior changes

  • API Change: none.
  • Behavior Change: malformed table files whose Offset + NumBytes would overflow are now rejected with CFE_TBL_ERR_FILE_TOO_LARGE. MarkNameAsModified is a no-op on buffers too small for the suffix (previously UB). Mempool mutex failures now log to syslog. Nominal flight paths unchanged.

System(s) tested on

  • Hardware: x86_64 (Linux container)
  • OS: Ubuntu 22.04, GCC 11.4 (also -m32 via gcc-multilib)
  • Versions: cFS @ main HEAD at audit time

A 32-bit flight-target build (RTEMS or VxWorks) is recommended before merge — that is the configuration where the original load-path bug actually triggers.

Additional context

Audit scope: memory safety and mission-assurance bugs in cFE core framework (no apps). The matching security issue contains the conceptual reproducer.

Third party code

None.

Contributor Info

[Montather] — Personal

Not4right and others added 5 commits May 8, 2026 18:30
@Not4right Not4right changed the title Hardening/memsafety and tbl overflow Fix #2707 Hardening/memsafety and tbl overflow May 8, 2026
@Not4right Not4right changed the title Fix #2707 Hardening/memsafety and tbl overflow Fix #2707, #2710 Hardening/memsafety and tbl overflow May 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants