ArduPilot Copter Buffer Overflow Vulnerability Allowing Denial-of-Service
Vulnerability
A stack overflow has been identified in ArduPilot Copter (reported against the latest commit at the time of writing). It allows a local attacker to cause a denial of service through the AP_MSP::loop function in the AP_MSP component (ArduPilot's MultiWii Serial Protocol driver). The thread that runs AP_MSP::loop is created with a 1024-byte stack, but under certain build configurations the function needs up to 1096 bytes, so its frame overruns the stack allocated to the thread.
Impact
Overrunning the thread's stack corrupts whatever memory lies beyond it, so the affected thread may crash or become unresponsive; on a flight controller this can escalate into a broader system failure.
Reproduction
The vulnerability can be reproduced by adding compiler flags that enable stack usage analysis to the build configuration (for GCC, -fstack-usage writes a .su file per translation unit listing each function's frame size). After building ArduPilot with these flags for the 'R9Pilot' board configuration, the reported stack usage can be checked by hand: AP_MSP::loop is found to exceed the 1024 bytes allocated to its thread, which is the overflow condition.
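The manual check described above can be scripted. The following is an added example, not ArduPilot project code: it parses GCC -fstack-usage (.su) output and reports every function whose frame exceeds the stack size a thread was created with. The sample .su content is constructed for the example; only the 1096-byte figure for AP_MSP::loop comes from the advisory, and the other function names, sizes and line numbers are made up. How the flag is injected into ArduPilot's waf build is not shown.

```sh
#!/bin/sh
# Added example (not ArduPilot project code): scan GCC -fstack-usage output
# for functions whose static frame exceeds a thread's stack allocation.
# Build with -fstack-usage and GCC writes one .su file per translation unit;
# each line has the form
#   <file>:<line>:<col>:<function>\t<bytes>\t<static|dynamic|dynamic,bounded>

# Write a constructed sample .su file to $1. The 1096-byte frame for
# AP_MSP::loop is the figure from the advisory; the other entries and all
# line/column numbers are made up for illustration.
make_sample_su() {
    printf '%s\t%s\t%s\n' \
        'AP_MSP.cpp:88:6:void AP_MSP::loop()' 1096 static \
        'AP_MSP.cpp:40:6:void AP_MSP::init()' 200 static \
        'AP_MSP.cpp:140:6:bool AP_MSP::hypothetical_fn(int)' 312 dynamic,bounded \
        > "$1"
}

# check_stack_usage <su_file> <thread_stack_bytes>
# Print "<function> <bytes> <kind>" for every function whose frame is larger
# than the thread's stack, and for every frame GCC marks "dynamic"
# (unbounded alloca/VLA use), because the reported size is only a lower
# bound there. Exit status 1 if anything was printed, 0 otherwise.
check_stack_usage() {
    awk -F '\t' -v limit="$2" '
        BEGIN { limit += 0 }
        {
            fn = $1
            sub(/^[^:]*:[0-9]+:[0-9]+:/, "", fn)   # drop the file:line:col prefix
            size = $2 + 0
            if (size > limit || $3 == "dynamic") {
                printf "%s %d %s\n", fn, size, $3
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Stand-alone demo against the 1024-byte AP_MSP thread stack from the advisory.
demo_su=$(mktemp)
make_sample_su "$demo_su"
if check_stack_usage "$demo_su" 1024; then
    echo "all frames fit in a 1024-byte stack"
else
    echo "stack overflow risk: the frame(s) above exceed 1024 bytes"
fi
rm -f "$demo_su"
```

Run it over the real build with `cat build/R9Pilot/**/*.su | check_stack_usage /dev/stdin 1024` (or whatever directory the .su files land in). Note the caveat: -fstack-usage reports each function's own frame, not the deepest call chain below it, so a thread whose entry function already exceeds its stack is the easy case; a chain of smaller frames, plus interrupt and context-switch overhead, can overflow a stack that passes this per-function check.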
Remediation
ArduPilot has addressed this vulnerability by reducing the stack usage of the 'AP_MSP::loop' function so that it stays within the 1024 bytes allocated to its thread.
