Zephyr
cpe:2.3:a:zephyrproject:zephyr:*:*:*:*:*:*:*, +1 more
- <= 4.3
A vulnerability in the SocketCAN implementation of Zephyr RTOS versions through 4.3 allows out-of-bounds read operations, potentially leading to denial-of-service crashes or disclosure of memory contents. The issue arises because user-provided buffer lengths are validated only with an assertion, and assertions can be disabled in production builds. An application can therefore submit an incomplete or truncated frame, which is then processed without any runtime length validation, causing the SocketCAN implementation to read beyond the end of the supplied buffer.
Exploitation of this vulnerability causes out-of-bounds memory reads, which can disrupt normal operation and lead to crashes. Additionally, because the accessed memory contents are transmitted over the network, this vulnerability can exfiltrate sensitive data from memory, according to the advisory.
To reproduce this vulnerability, a userspace application must issue a sendto syscall with a pointer to a buffer and a length that does not match the expected size of a socketcan_frame object. The zcan_sendto_ctx function will process the buffer length using an assertion that is not active in production builds, allowing the application to send a truncated frame. When the socketcan_to_can_frame function processes the frame, it will dereference fields from the buffer without additional length validation, leading to an out-of-bounds read.
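The following self-contained C model is an added example of the pattern described above and is not Zephyr's code. The struct layouts, the `demo_*` function names and the `DEMO_ASSERT` macro are assumptions: the macro mirrors an assertion that is compiled out of production builds, the "arena" stands in for the memory that happens to follow the caller's buffer (filled with a constructed 0xAA marker), and the hardened variant shows the runtime length check that a build without assertions needs.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for an assertion that is compiled out of production builds.
 * Compile with -DDEMO_ASSERT_ON to make it active, as a debug build would. */
#ifdef DEMO_ASSERT_ON
#include <assert.h>
#define DEMO_ASSERT(cond) assert(cond)
#else
#define DEMO_ASSERT(cond) ((void)0)
#endif

/* Assumed user-facing frame layout (illustrative, not Zephyr's definition). */
struct demo_socketcan_frame {
    uint32_t can_id;
    uint8_t  len;
    uint8_t  flags;
    uint8_t  res[2];
    uint8_t  data[8];
};

/* Assumed driver-side frame that the SocketCAN layer converts into. */
struct demo_can_frame {
    uint32_t id;
    uint8_t  dlc;
    uint8_t  data[8];
};

/* Vulnerable pattern: the only check on the caller's length is an assertion,
 * so in a production build every field is read from the full struct no
 * matter how many bytes the caller actually supplied. */
static int demo_sendto_assert_only(const void *buf, size_t len,
                                   struct demo_can_frame *out)
{
    const struct demo_socketcan_frame *sf = buf;

    DEMO_ASSERT(len == sizeof(*sf));
    out->id  = sf->can_id;
    out->dlc = sf->len;                 /* beyond 'len' if the frame is short */
    memcpy(out->data, sf->data, sizeof(out->data));
    return 0;
}

/* Hardened pattern: validate the length at runtime, before any field of the
 * frame is touched, and fail with -EINVAL on a mismatch. */
static int demo_sendto_checked(const void *buf, size_t len,
                               struct demo_can_frame *out)
{
    if (buf == NULL || out == NULL ||
        len != sizeof(struct demo_socketcan_frame)) {
        return -EINVAL;
    }
    return demo_sendto_assert_only(buf, len, out);
}

/* Constructed scenario: the application passes only the first SHORT_LEN bytes
 * of a frame. The rest of the arena stands in for whatever sits after the
 * buffer in memory; it is filled with 0xAA as a marker. The union keeps the
 * byte array aligned for the struct the vulnerable path casts it to. */
#define SHORT_LEN 4
static union {
    uint8_t bytes[sizeof(struct demo_socketcan_frame)];
    struct demo_socketcan_frame aligner;
} demo_arena;

static void demo_fill_arena(void)
{
    const uint32_t can_id = 0x123;

    memset(demo_arena.bytes, 0xAA, sizeof(demo_arena.bytes));
    memcpy(demo_arena.bytes, &can_id, sizeof(can_id)); /* only this was "sent" */
}

/* Number of payload bytes the assert-only path copied from memory beyond the
 * SHORT_LEN bytes the caller supplied (8 means the whole payload that would
 * go out on the bus is adjacent memory, not caller data). */
static size_t demo_leaked_payload_bytes(void)
{
    struct demo_can_frame f = {0};
    size_t leaked = 0;

    demo_fill_arena();
    (void)demo_sendto_assert_only(demo_arena.bytes, SHORT_LEN, &f);
    for (size_t i = 0; i < sizeof(f.data); i++) {
        if (f.data[i] == 0xAA) {
            leaked++;
        }
    }
    return leaked;
}

/* Result of the hardened path for a given caller-supplied length. */
static int demo_checked_result(size_t len)
{
    struct demo_can_frame f = {0};

    demo_fill_arena();
    return demo_sendto_checked(demo_arena.bytes, len, &f);
}
```

Built normally, `demo_leaked_payload_bytes()` returns 8: every payload byte of the outgoing frame comes from memory past the 4 bytes the caller provided, which is the disclosure path the advisory describes. Built with `-DDEMO_ASSERT_ON`, the same call aborts on the assertion, which is why the bug is invisible in debug builds and only surfaces in production. `demo_checked_result(SHORT_LEN)` returns `-EINVAL` regardless of build flags, and the full-size frame is accepted.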
Users should apply the patch, which is available on the main branch and in the v3.7, v4.2 and v4.3 release branches, to address this vulnerability.