[Azure Sphere] OOB Access in GPIO_SET_PIN_CONFIG_IOCTL due to Missing Bounds Check on Array Index
Original Post:
We discussed this vulnerability during Episode 100 on 16 November 2021
An out-of-bounds access in the GPIO_SET_PIN_CONFIG_IOCTL handler leading to information disclosure. When parsing the lineoffsets field of the gpiopin_request object, there is no bounds check before it is used as an index into the array of GPIO descriptors to obtain a desc pointer. The impact is limited to information disclosure, because the only useful avenue the researchers found for exploiting the issue was a permission check that reads the desc->allowed_user field and compares it against the current UID. Using that permission check as an oracle, they could scan memory for byte sequences matching the process UID, which they used to find and leak the address of the cred structure in the heap.
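The defect described above is a missing range check on a caller-supplied array index. The following is an added illustration, not code from the Azure Sphere kernel or from the original write-up: the structures, field types, table size and error codes are constructed for the example. It shows the unchecked lookup beside the hardened one and models the handler's control flow so that the bounds check runs before the permission check, since a permission check performed on an out-of-range descriptor is exactly what turns the bug into an oracle.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model of the structures named in the write-up.
 * Layout, field types and table size are assumptions for illustration,
 * not the Azure Sphere kernel's real definitions. */
#define NUM_GPIO_LINES 8u
#define ERR_INVAL (-22)   /* stands in for -EINVAL */
#define ERR_PERM  (-1)    /* stands in for -EPERM  */

struct gpio_desc {
    const char *label;
    uint32_t    allowed_user;   /* UID permitted to claim this line */
};

struct gpiopin_request {
    uint32_t lineoffsets;       /* caller-controlled index into the descriptor table */
    uint32_t flags;
};

static struct gpio_desc gpio_table[NUM_GPIO_LINES] = {
    {"gpio0", 1000}, {"gpio1", 1000}, {"gpio2", 1001}, {"gpio3", 1001},
    {"gpio4", 0},    {"gpio5", 0},    {"gpio6", 1002}, {"gpio7", 1002},
};

/* The defective pattern: the index is trusted as-is. Any lineoffsets value
 * >= NUM_GPIO_LINES yields a pointer past the table, and whatever a later
 * permission check reads through it becomes observable to the caller.
 * Only ever called here with an in-range index. */
static const struct gpio_desc *lookup_desc_unchecked(const struct gpiopin_request *req)
{
    return &gpio_table[req->lineoffsets];
}

/* Hardened form: validate the index against the table size before use.
 * lineoffsets is unsigned, so a single upper-bound comparison suffices;
 * a signed index would additionally need a check for negative values.
 * Returns 0 and sets *out on success, ERR_INVAL otherwise. */
static int lookup_desc_checked(const struct gpiopin_request *req,
                               const struct gpio_desc **out)
{
    if (req->lineoffsets >= NUM_GPIO_LINES)
        return ERR_INVAL;
    *out = &gpio_table[req->lineoffsets];
    return 0;
}

/* Model of the ioctl handler's control flow. The bounds check must come
 * first: if the permission check ran on an unvalidated desc pointer, the
 * EPERM-versus-success outcome would still leak out-of-bounds memory. */
static int set_pin_config(const struct gpiopin_request *req, uint32_t caller_uid)
{
    const struct gpio_desc *desc;
    int rc = lookup_desc_checked(req, &desc);
    if (rc != 0)
        return rc;                  /* invalid index: reject before touching desc */
    if (desc->allowed_user != caller_uid)
        return ERR_PERM;            /* permission check on a valid descriptor only */
    return 0;                       /* pin configuration would proceed here */
}

/* Convenience wrapper taking scalars, so callers need not build the struct. */
int try_set_pin_config(uint32_t lineoffsets, uint32_t caller_uid)
{
    struct gpiopin_request req = { .lineoffsets = lineoffsets, .flags = 0 };
    return set_pin_config(&req, caller_uid);
}

int main(void)
{
    struct gpiopin_request ok = { .lineoffsets = 2, .flags = 0 };
    printf("unchecked lookup of in-range index 2: %s\n", lookup_desc_unchecked(&ok)->label);
    printf("in-range, matching uid : %d\n", try_set_pin_config(2, 1001));
    printf("in-range, other uid    : %d\n", try_set_pin_config(2, 1000));
    printf("boundary index 8       : %d\n", try_set_pin_config(8, 0));
    printf("far out-of-range index : %d\n", try_set_pin_config(40, 1000));
    return 0;
}
```

The ordering in set_pin_config is the point to carry over to real handlers: every caller-controlled index must be validated against the backing array's size before any field is read through the resulting pointer, including fields read only to decide whether to return an error.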