BF Specification of CVE-2022-34835 Stack Buffer Overflow in Das U-Boot through 2022.07-rc5

../../../../BF/images/BFCVE/CVE-2022-34835(simple)-0.png
Erroneous declaration of ‘nbytes’ as int leads to wrong argument type for the uint ‘length’ in ‘nbytes = length’, leading to a flipped sign, and under range negative ‘linebytes’, flipped and truncated to a large integer, allowing pointer reposition over bounds, which, when used in i2c_transfer() leads to stack buffer overflow. If exploited, this can lead to denial of service – program crash, and possibly arbitrary code execution.

//generated// Erroneous Code (in ‘do_i2c_md()’) to Simple Declare int object Object (’nbytes’) Primitive (int, while should be uint) in Codebase (u-boot/cmd/i2c.c:#L473) Bare-Metal leads to Wrong Type (’nbytes’)

, which propagates to Wrong Type (in ’nbytes = length’) Pass Out Coerce (’length’ from ‘=’ operator, int expected) Resolved (’length’) Numeric (uint parsed from ‘i2c md 0 0 80000100’ by do_i2c_md()) Primitive (uint) Codebase (u-boot/cmd/i2c.c#L531) in Bare-Metal (0x80000100 is negative on 32 bit-platform) resulting in Flipped Sign (’length’)

, which propagates to Wrong Argument (in ’linebytes = (nbytes > DISP_LINE_LEN) ? DISP_LINE_LEN : nbytes’) Operator Evaluate (>) (greater-than ‘>’) Resolved (nbytes) Numeric (negative) Primitive Codebase (u-boot/cmd/i2c.c#L536) in Bare-Metal (linebytes is negative instead f 16) resulting in Under Range (negative ’linebytes’ instead of 16)

, which propagates to Under Range (in ’nx_i2c_read(uint len)’) Pass In Coerce (negative ’len’) (uint expected) Resolved Numeric (negative 0x80000100) Primitive Codebase (u-boot/drivers/i2c/nx_i2c.c#L472-#L473) in Bare-Metal resulting in Flipped Sign (unsigned ’len’)

, which propagates to Flipped Sign (in ‘i2c_transfer()’) Pass In Coerce (unsigned ’len’) (ushort expected) Resolved Numeric (uint) Primitive Codebase (u-boot/drivers/i2c/nx_i2c.c#L498-#L499) in Bare-Metal (may crash if not truncated by driver) resulting in Truncated Value (large int ’len’)

, which propagates to Wrong Size (in ‘data[i++] = readb(&i2c->iicds);’) Sequential Reposition (pointer) Stack Used (too large for the 16-bit buffer at hand) Codebase (u-boot/drivers/i2c/nx_i2c.c#L499) in Bare-Metal resulting in Over Bounds Pointer (‘i’)

, which propagates to Over Bounds Pointer (in ‘data[i++] = readb(&i2c->iicds);’) Sequential Write (object) Stack Used Codebase (u-boot/drivers/i2c/nx_i2c.c#L449) in Bare-Metal resulting in Buffer Overflow (‘data[i++] ‘)

. If exploited this can lead to ACE (everything could be lost) or DOS (availability loss).

vendor:product: denx:u-boot


Bug Report


Code with Bug


Code with Fix


NVD Entry

ClassDefinition
DCLDeclaration (DCL) class – An object, a function, a type, or a namespace is declared or defined improperly.
TCVType Conversion (TCV) class – Data are converted or coerced into other type improperly.
TCMType Computation (TCM) class – An arithmetic expression (over numbers, strings, or pointers) is calculated improperly, or a boolean condition is evaluated improperly.
MADMemory Addressing (MAD) class – The pointer to an object is initialized, repositioned, or reassigned to an improper memory address.
MUSMemory Use (MUS) class – An object is initialized, read, written, or cleared improperly.
OperationDefinition
DeclareDeclare operation – Specify the name and type of an object; the name, return type, and parameters of a function; or the name and type parameters of a type.
CoerceCoerce operation – Implicitly (forced by the Type System) convert the value of a passed in/out argument or the return into the corresponding parameter or return data type. (Type Coercion is known also as Type Juggling.)
EvaluateEvaluate operation – Find the result of a Boolean condition (incl. comparison).
RepositionReposition operation – Change the pointer to another position inside its object.
WriteWrite operation – Change the data value of an object to another meaningful value.
Cause/ConsequenceDefinition
Code BugCode Bug type – Defect in the implementation of the operation – proper operands over an improper operation. A first cause for the chain of weaknesses underlying a software security vulnerability. Must be fixed to resolve the vulnerability.
   Erroneous CodeErroneous Code bug - There is a coding error in the implementation of the operation.
Type Error/FaultType Fault/Error type – The the set or range of allowed values is wrong or the operations allowed on them are wrong.
   Wrong TypeWrong Type fault/error – A data type range or structure is not correct.
Data Error/FaultData Fault/Error type – The object data has harmed semantics or inconsistent or wrong value
   Flipped SignFlipped Sign fault/error – Sign bit is overwritten from type related calculation.
   Wrong ArgumentWrong Argument fault/error – Inaccurate input data value, i.e., non-verified for harmed semantics.
   Under RangeUnder Range fault/error – Data value is smaller than type's lower range.
   Truncated ValueTruncated Value fault/error – Rightmost bits of value that won’t fit type size are cut off.
   Wrong SizeWrong Size fault/error – The value used as size does not match the actual size of the object (e.g., to restrict pointer repositioning or index increment/decrement in a repetition statement).
Address Error/FaultAddress Fault/Error type – The object address in use is wrong.
   Over Bounds PointerOver Bounds Pointer fault/error – Holds an address above the upper boundary of its object.
Memory Corruption/Disclosure Final ErrorMemory Corruption/Disclosure exploitable error type – An exploitable or undefined system behavior caused by memory addressing, allocation, use, and deallocation bugs.
   Buffer OverflowBuffer Overflow exploitable error – Writing above the upper bound of an object – aka Buffer Over-Write.
Operation AttributeDefinition
MechanismMechanism operation attribute type – Shows how the buggy/faulty operation code is performed.
   SimpleSimple operation attribute – Non-polymorphic.
   Pass OutPass Out operation attribute – Supplying "out" or "in/out" arguments' data values or a return value to a function/ operator.
   OperatorOperator operation attribute – A function with a symbolic name that implements a mathematical, relational or logical operation.
   Pass InPass In operation attribute – Supplying "in" arguments' data values to a function/ operator.
   SequentialSequential operation attribute – The operation is performed after iterating over the object elements.
Source CodeSource Code operation attribute type – Shows where the buggy/faulty operation code is in the program – in what kind of software.
   CodebaseCodebase operation attribute – The operation is in the programmer's code - in the application itself.
Execution SpaceExecution Space operation attribute type – Shows where the buggy/faulty operation code is running or with what privilege level.
   Bare-MetalBare-Metal operation attribute – The bugged code runs in an environment without privilege control. Usually, the program is the only software running and has total access to the hardware.
Operand AttributeDefinition
Name KindName Kind operand attribute type – Shows what the entity with this name is.
   ObjectObject operand attribute – A memory region used to store data.
Type KindType Kind operand attribute type – Shows what the data type composition is.
   PrimitivePrimitive operand attribute – A scalar data type that mimics the hardware units - e.g., int (long, short, signed), float, double, string, Boolean. A primitive data type is only language defined and is not built from other data types.
Name StateName State operand attribute type – Shows at what stage the entity name is.
   ResolvedResolved operand attribute – The name scope is known to the Type System.
Data KindData Kind operand attribute type – Shows what the data value is.
   NumericNumeric operand attribute – A number – a sequence of digits.
Address StateAddress State operand attribute type - State operand attribute type – Shows where the address is in the memory layout.
   StackStack operand attribute – The object is a non-static local variable (defined in a function, a passed parameter, or a function return address).
Size KindSize Kind operand attribute type – Shows what the limit for traversal of the object is.
   UsedUsed operand attribute – A supplied size for an object.