Fix #2707, #2710 Hardening/memsafety and tbl overflow#2709
Open
Not4right wants to merge 5 commits into
Open
Conversation
See PR description for details.
…flow [hardening] TBL load integer overflow + memory-safety cleanups
…-tbl-overflow "[hardening] TBL load integer overflow + memory-safety cleanups"
See PR description for details.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Describe the contribution
Closes: #2707, #2710
Fixes an unsigned integer overflow in
CFE_TBL_ValidateCodecLoadSizeplus related memory-safety cleanups.Offset + NumBytes(both from the untrusted file header) is computed asuint32with no overflow check, then compared to the table size. Crafted input (Offset=0xFFFFFFF0, NumBytes=0x100) wraps to0xF0, passes the check, andCFE_TBL_LoadContentFromFilewrites attacker-controlled bytes to an attacker-controlled offset on 32-bitsize_ttargets. Masked on x86_64 dev/CI, exposed on every 32-bit flight target.cfe_tbl_passthru_codec.ccfe_tbl_eds_codec.ccfe_tbl_load.csize_tpathcfe_tbl_internal.cMarkNameAsModified: NULL-deref UB,size_tunderflow, bannedstrcpycfe_es_mempool.cOS_MutSemTake/Givefailures (matches SB/FS/TBL convention)cfe_es_cds.csprintf→snprintfcfe_sb_priv.csprintf→snprintfIncluding #2707, #2710
Testing performed
make SIMULATION=native ENABLE_UNIT_TESTS=true prep && makeclean.make test: 115/117 pass. The two failures (osal-core-test,queue-test) reproduce on unpatchedmainin the same environment POSIX mqueue / signal limits in the container, not regressions. None of the patched files are exercised by either.-m32:A unit test in
cfe/modules/tbl/ut-coverage/covering wrap-around inputs should land with this fix. Happy to add it here or as a follow-up.Expected behavior changes
Offset + NumByteswould overflow are now rejected withCFE_TBL_ERR_FILE_TOO_LARGE.MarkNameAsModifiedis a no-op on buffers too small for the suffix (previously UB). Mempool mutex failures now log to syslog. Nominal flight paths unchanged.System(s) tested on
-m32viagcc-multilib)mainHEAD at audit timeA 32-bit flight-target build (RTEMS or VxWorks) is recommended before merge — that is the configuration where the original load-path bug actually triggers.
Additional context
Audit scope: memory safety and mission-assurance bugs in cFE core framework (no apps). The matching security issue contains the conceptual reproducer.
Third party code
None.
Contributor Info
[Montather] — Personal