Apache NuttX RTOS Use-After-Free Vulnerability in Virtual File System Rename Operation

A use-after-free vulnerability has been identified in the Apache NuttX RTOS within the virtual file system rename code. This vulnerability arises from a recursive implementation that allows a single buffer to be used by two different pointer variables. As a result, an arbitrary user-provided size buffer can be reallocated and written to a previously freed heap chunk. In certain cases, this can lead to unintended results during virtual file system rename or move operations. The vulnerability affects Apache NuttX RTOS versions 7.20 prior to 12.11.0. Users of virtual file system-based services with write access, particularly those exposed over the network (such as FTP), are recommended to upgrade to version 12.11.0, which addresses this issue.

Impact

Exploitation of this vulnerability can cause incorrect behavior in the virtual file system rename or move operations, potentially leading to files or directories being misplaced or mismanaged within the file system hierarchy.

Reproduction

The vulnerability can be reproduced using the 'mv' command in NuttX's NuttShell (NSH). After creating a nested directory structure, moving a directory can trigger the use-after-free condition. The incorrect handling of the move operation can be observed when the source directory is moved to a target that is not correctly resolved, due to the exploitation of the freed buffer containing garbage data.

Remediation

Users are advised to upgrade to Apache NuttX RTOS version 12.11.0 or later, which includes the necessary fix for this vulnerability.