[Azure Sphere] OOB Access in GPIO_SET_PIN_CONFIG_IOCTL due to Missing Bounds Check on Array Index

We discussed this vulnerability as part of our weekly podcast on 17 November 2021

Out-of-bounds access in the GPIO_SET_PIN_CONFIG_IOCTL leading to information disclosure. When the handler parses the lineoffsets field of the gpiopin_request object, it performs no bounds check on the value before using it as an index into an array of descriptors to obtain a desc pointer. The bug is only useful for information disclosure, though, because the only useful avenue the researchers found for exploiting it was a permission check that reads the desc->allowed_user field and compares it against the current UID. Using that permission check as an oracle, they could scan memory for byte sequences matching the process UID, and they used this to find and leak the heap address of the cred structure.
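To make the defect concrete, the following is an added illustration (not Azure Sphere's code, and not from the podcast) of the pattern described above: a user-supplied line offset used as an array index, first with no check and then with the bounds check the handler was missing. The struct and function names (gpio_desc, gpiopin_request, desc_lookup_checked, check_pin_access, NUM_LINES) are assumptions chosen for the example, and the descriptor table contents are constructed.

```c
/* Added example: a hypothetical ioctl path that indexes a descriptor table by
 * a user-controlled line offset. Names and table contents are constructed for
 * illustration; this is not Azure Sphere's implementation. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_LINES 8

struct gpio_desc {
    uint32_t allowed_user;   /* UID permitted to use this line */
    uint32_t flags;
};

struct gpiopin_request {
    uint32_t lineoffsets[1]; /* user-controlled index, as in the write-up */
    uint32_t num_lines;
};

/* Constructed table: only line 3 is assigned to UID 1000. */
static struct gpio_desc descs[NUM_LINES] = {
    [3] = { .allowed_user = 1000, .flags = 0 },
};

/* Vulnerable pattern: the offset is used straight from the request, so any
 * value >= NUM_LINES yields a pointer past the table and the later
 * allowed_user comparison reads whatever sits there. Shown for contrast;
 * never called here. */
struct gpio_desc *desc_lookup_unchecked(const struct gpiopin_request *req)
{
    return &descs[req->lineoffsets[0]];
}

/* Hardened pattern: reject any index outside the table before it is used.
 * The comparison is unsigned, so a "negative" 32-bit offset such as
 * 0xFFFFFFFF is rejected as well instead of wrapping to a huge index. */
static struct gpio_desc *desc_lookup_checked(const struct gpiopin_request *req)
{
    uint32_t off = req->lineoffsets[0];
    if (off >= NUM_LINES)
        return NULL;
    return &descs[off];
}

/* The permission check the write-up describes, built on the checked lookup.
 * Returns 1 if the UID owns the line, 0 if not, and -1 if the request was
 * rejected before any descriptor memory was touched (a real driver would
 * return -EINVAL). The -1 path is what removes the oracle: an out-of-range
 * offset no longer causes any memory read at all. */
static int check_pin_access(const struct gpiopin_request *req, uint32_t uid)
{
    const struct gpio_desc *desc = desc_lookup_checked(req);
    if (desc == NULL)
        return -1;
    return desc->allowed_user == uid ? 1 : 0;
}

/* Convenience wrapper: build a one-line request for a given offset. */
int pin_access_for(uint32_t off, uint32_t uid)
{
    struct gpiopin_request req = { .lineoffsets = { off }, .num_lines = 1 };
    return check_pin_access(&req, uid);
}

int main(void)
{
    printf("line 3, uid 1000: %d\n", pin_access_for(3, 1000));          /* 1 */
    printf("line 3, uid 1001: %d\n", pin_access_for(3, 1001));          /* 0 */
    printf("line 8 (OOB): %d\n", pin_access_for(NUM_LINES, 1000));      /* -1 */
    printf("line 0xFFFFFFFF: %d\n", pin_access_for(0xFFFFFFFFu, 1000)); /* -1 */
    return 0;
}
```

The point of the checked variant is that validation happens before the index is dereferenced, so an out-of-range request fails with the same error regardless of what lies beyond the table; that is what turns a memory-scanning oracle back into a plain invalid-argument error.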