Summary
We identified an out-of-bounds write in /platforms/nuttx/NuttX/apps/examples/gps/gps_main.c:69, caused by the absence of any bound on the index variable (cnt) of the line buffer.
We reported this vulnerability to PX4/PX4-Autopilot and PX4/NuttX-apps.
Detailed Root Cause
```c
  /* Read until we complete a line. As reported, cnt is never compared
   * against the size of line, so a stream that does not contain '\r' or
   * '\n' keeps writing past the end of the buffer. */

  do
    {
      read(fd, &ch, 1);
      if (ch != '\r' && ch != '\n')
        {
          line[cnt++] = ch;
        }
    }
  while (ch != '\r' && ch != '\n');
```
In /platforms/nuttx/NuttX/apps/examples/gps/gps_main.c:64, this loop copies bytes returned by read() into the line array. Although line is declared with a fixed size, MINMEA_MAX_LENGTH (the report quotes 256 here and 80 below; minmea's own NMEA sentence limit is 80 bytes), the index cnt is never checked against that size. The loop only stops when it sees '\r' or '\n', so any input that runs longer than the buffer without a line terminator writes past the end of line and triggers the out-of-bounds bug.
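A bounded replacement for the read loop above, written as an added example for this report; it is not NuttX or PX4 code. It assumes a POSIX read() and pipe(), takes MINMEA_MAX_LENGTH to be 80 (minmea's sentence limit), and the names gps_read_line and read_line_from_bytes are hypothetical. The helper pushes a constructed byte string through a pipe so the reader can be exercised without a GPS module, including the overlong-line case that overflows the original loop.

```c
/* Added example (not NuttX/PX4 code): bounded line reader for a GPS serial fd.
 * Assumptions: POSIX read()/pipe(); MINMEA_MAX_LENGTH = 80 as in minmea;
 * the function names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MINMEA_MAX_LENGTH 80    /* assumed value: minmea's NMEA sentence limit */

/* Read one line from fd into line[size], stopping at '\r' or '\n'.
 * Unlike the original loop, the index is checked against the buffer size on
 * every byte, so a stream without a terminator can never write past
 * line[size - 1]. line is always NUL-terminated on return.
 *   >= 0 : number of bytes stored (terminator not included)
 *   -1   : read() failed, or EOF arrived before a terminator
 *   -2   : the line was longer than size - 1; the excess was drained and dropped */
ssize_t gps_read_line(int fd, char *line, size_t size)
{
  size_t cnt = 0;
  int overflow = 0;
  char ch;

  if (line == NULL || size == 0)
    {
      return -1;
    }

  for (;;)
    {
      ssize_t n = read(fd, &ch, 1);   /* return value is checked, unlike the original */

      if (n < 0)
        {
          if (errno == EINTR)
            {
              continue;
            }
          line[cnt] = '\0';
          return -1;
        }

      if (n == 0)                     /* EOF before a line terminator */
        {
          line[cnt] = '\0';
          return -1;
        }

      if (ch == '\r' || ch == '\n')
        {
          if (cnt == 0 && !overflow)
            {
              continue;               /* skip the LF of a CRLF pair and blank lines */
            }
          break;
        }

      if (cnt + 1 < size)             /* leave room for the terminating NUL */
        {
          line[cnt++] = ch;
        }
      else
        {
          overflow = 1;               /* too long: drain to the terminator, never write */
        }
    }

  line[cnt] = '\0';
  return overflow ? -2 : (ssize_t)cnt;
}

/* Test helper: push a constructed byte string through a pipe and read one
 * line from it, so the reader runs without a serial port. */
ssize_t read_line_from_bytes(const char *bytes, size_t len, char *line, size_t size)
{
  int fds[2];
  ssize_t rc;

  if (pipe(fds) != 0)
    {
      return -1;
    }
  if (write(fds[1], bytes, len) != (ssize_t)len)
    {
      close(fds[0]);
      close(fds[1]);
      return -1;
    }
  close(fds[1]);
  rc = gps_read_line(fds[0], line, size);
  close(fds[0]);
  return rc;
}

int main(void)
{
  char line[MINMEA_MAX_LENGTH];
  /* Constructed inputs: a normal NMEA sentence, and 300 bytes with no CR/LF
   * followed by one, the shape of input that overflows the original loop. */
  static const char nmea[] =
    "$GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6A\r\n";
  char flood[301];
  ssize_t n;

  memset(flood, 'A', 300);
  flood[300] = '\n';

  n = read_line_from_bytes(nmea, sizeof nmea - 1, line, sizeof line);
  printf("nmea:  rc=%zd line=\"%s\"\n", n, line);

  n = read_line_from_bytes(flood, sizeof flood, line, sizeof line);
  printf("flood: rc=%zd stored=%zu bytes (buffer intact)\n", n, strlen(line));
  return 0;
}
```

The -2 return lets the caller discard an oversized sentence instead of parsing a truncated one as if it were complete; in the example application the sensible reaction is to skip that line and continue reading the next one.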
PoC reproduction
Environment setting
We checked that this vulnerability actually affects a real device.
To run the NuttX-apps examples/gps code on a PX4 Pixhawk 6C, set up the environment as follows.
1. git clone https://github.com/kosma/minmea.git in platforms/nuttx/NuttX/apps/gpsutils/minmea/minmea/
2. git reset --hard db46128e73cee26d6a6eb0482dcba544ee1ea9f5 in platforms/nuttx/NuttX/apps/gpsutils/minmea/minmea/minmea
3. Disable the code under the $(MINMEA_UNPACKDIR): rule in platforms/nuttx/NuttX/apps/gpsutils/minmea/Makefile
4. Set the default of config EXAMPLES_GPS to 'y' in platforms/nuttx/NuttX/apps/examples/gps/Kconfig
5. Add CONFIG_EXAMPLES_GPS=y to default.px4board (e.g. boards/px4/fmu-v6c/default.px4board)
6. Replace #include "gpsutils/minmea.h" with #include "minmea/minmea.h" (platforms/nuttx/NuttX/apps/examples/gps/gps_main.c:32)
7. Replace MINMEA_MAX_LENGTH with MINMEA_MAX_SENTENCE_LENGTH (platforms/nuttx/NuttX/apps/examples/gps/gps_main.c:47)
8. Change /dev/ttyS1 to /dev/ttyS0 (the GPS serial port on the PX4 fmu-v6c board is /dev/ttyS0)
Then connect the GPS module to the port behind /dev/ttyS0. As soon as the module starts sending GPS data, the vulnerable code path is exercised.
PoC reproduction video
This video shows the real Pixhawk device being affected by the vulnerable code, which makes it hang.
hang_on_gps_2.mp4
Impact
When the NuttX-apps examples/gps application is in use, the buffer overflow can occur and stop the flight controller, so the drone can be brought down.