Skip to content

sys/fido2: fix CBOR parsing #17192

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 13, 2021
Merged

sys/fido2: fix CBOR parsing #17192

merged 1 commit into from
Nov 13, 2021

Conversation

maribu
Copy link
Member

@maribu maribu commented Nov 13, 2021
edited
Loading

Contribution description

The TinyCBOR library takes a size_t * length argument in many functions which at function call contains the length of a buffer, and at exit the actual size of the data. The FIDO-2 code however uses uint8_t fields in structs to store the data. Previously, a pointer to that uint8_t filed was just casted to size_t *, resulting in three neighboring bytes also being interpreted as being part of the buffer size - which could result in undetected buffer overflows. Similar, upon exit of the function not only the uint8_t sized length struct member but also three neighboring bytes were written to.

I didn't care to investigate, but this really looks like crafted CBOR payloads send to the FIDO2 implementation could result in arbitrary code execution on the device.

Testing procedure

Normal operation should still work.

Issues/PRs references

Detected by #14955

@maribu
sys/fido2: fix CBOR parsing
8a178f4 
The TinyCBOR library takes a `size_t *` length argument in many
functions which at function call contains the length of a buffer, and
at exit the actual size of the data. The FIDO-2 code however uses
`uint8_t` fields in `struct`s to store the data. Previously, a pointer
to that `uint8_t` filed was just casted to `size_t *`, resulting in
three neighboring bytes also being interpreted as being part of the
buffer size - which could result in undetected buffer overflows.
Similar, upon exit of the function not only the `uint8_t` sized length
`struct` member but also three neighboring bytes were written to.

I didn't care to investigate, but this really looks like crafted CBOR
payloads send to the FIDO2 implementation could result in arbitrary
code execution on the device.
@github-actions github-actions bot added the Area: sys Area: System label Nov 13, 2021
@maribu maribu added Area: security Area: Security-related libraries and subsystems CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR Type: bug The issue reports a bug / The PR fixes a bug (including spelling errors) Process: needs backport Integration Process: The PR is required to be backported to a release or feature branch labels Nov 13, 2021
benpicco
benpicco approved these changes Nov 13, 2021
View reviewed changes
Copy link
Contributor

@benpicco benpicco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me - one more reason to enable those warnings by default.

@maribu maribu merged commit 5e925e1 into RIOT-OS:master Nov 13, 2021
@maribu
Copy link
Member Author

maribu commented Nov 13, 2021

thanks for the quick review!

@maribu maribu deleted the sys/fido2 branch November 13, 2021 20:44
@maribu maribu mentioned this pull request Nov 13, 2021
Merged
@maribu
Copy link
Member Author

maribu commented Nov 13, 2021

Backport provided in #17193

@maribu maribu mentioned this pull request Nov 14, 2021
Merged
20 tasks
@fjmolinas fjmolinas added this to the Release 2022.01 milestone Nov 18, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@benpicco benpicco benpicco approved these changes

@PeterKietzmann PeterKietzmann Awaiting requested review from PeterKietzmann

@Ollrogge Ollrogge Awaiting requested review from Ollrogge

Assignees
No one assigned
Labels
Area: security Area: Security-related libraries and subsystems Area: sys Area: System CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR Process: needs backport Integration Process: The PR is required to be backported to a release or feature branch Type: bug The issue reports a bug / The PR fixes a bug (including spelling errors)
Projects
None yet
Milestone
Release 2022.01
Development

Successfully merging this pull request may close these issues.
3 participants
@maribu @benpicco @fjmolinas