Skip to content

Integer Overflow in memory allocating functions

Moderate
d3zd3z published GHSA-94vp-8gc2-rm45 Apr 26, 2021

Package

zephyr (west)

Affected versions

1.14.2, 2.4.0

Patched versions

None

Description

Impact

  • Zephyr offers pre-built 'malloc' wrapper function instead.
  • The 'malloc' function is wrapper for the 'sys_mem_pool_alloc' function
  • sys_mem_pool_alloc allocates 'size + WB_UP(sizeof(struct sys_mem_pool_block))' in an unsafe manner.
  • Asking for very large size values leads to internal integer wrap-around.
  • Integer wrap-around leads to successful allocation of very small memory.
  • For example: calling malloc(0xffffffff) leads to succesful allocation of 7 bytes.
  • That leads to heap overflow.

Patches

This has been fixed in:

For more information

If you have any questions or comments about this advisory:

embargo: 2020-03-23
zepsec: ZEPSEC-111

Severity

Moderate

CVE ID

CVE-2020-13603

Weaknesses

Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. Learn more on MITRE.