NASA cFS Integer Overflow Vulnerability in Table Codec Load Size Function

Vulnerability

A critical integer overflow vulnerability has been identified in NASA's Core Flight System (cFS) version 7.0.0 on 32-bit architectures. The issue arises in the function 'CFE_TBL_ValidateCodecLoadSize' within the file 'cfe_tbl_passthru_codec.c'. The vulnerability allows the table load bounds check to be bypassed, leading to out-of-bounds memory writes on affected flight processors, such as LEON3 and RAD750. This issue does not occur on 64-bit targets, where pointer arithmetic does not wrap at 2^32.

Impact

Exploitation of this vulnerability causes out-of-bounds memory writes, which can overwrite adjacent memory and potentially lead to arbitrary code execution or corruption of critical data.

Reproduction

To reproduce this vulnerability, craft a table load file that includes an 'Offset' value of '0xFFFFFF00' and 'NumBytes' set to '0x200', targeting a 256-byte table. When this file is processed, the 'uint32' addition of the offset and number of bytes wraps around, creating a value that passes the bounds check. However, the original offset is used for the memory write operation, resulting in data being written far beyond the intended buffer, into other memory regions.
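The wraparound described above, as an added example that is not taken from the cFS source: a minimal model of a bounds check that sums 'Offset' and 'NumBytes' in 32 bits, next to an overflow-safe comparison. The function names and the exact form of the comparison are assumptions made for illustration; only the offset, byte count and table size come from this advisory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the flawed check (not the cFS code): the end
 * position is computed in 32 bits, so it wraps modulo 2^32. uint32_t is
 * used explicitly so the behaviour is the same on a 64-bit host. */
static bool check_wrapping(uint32_t offset, uint32_t num_bytes, uint32_t table_size)
{
    uint32_t end = offset + num_bytes; /* 0xFFFFFF00 + 0x200 -> 0x00000100 */
    return end <= table_size;
}

/* Overflow-safe form: never add the two untrusted values. Bound the offset
 * first, then compare the length against the space that remains. */
static bool check_safe(uint32_t offset, uint32_t num_bytes, uint32_t table_size)
{
    if (offset > table_size)
    {
        return false;
    }
    return num_bytes <= table_size - offset; /* cannot underflow here */
}

int main(void)
{
    const uint32_t table_size = 256;         /* 256-byte table from the advisory */
    const uint32_t offset     = 0xFFFFFF00u; /* 'Offset' from the advisory */
    const uint32_t num_bytes  = 0x200u;      /* 'NumBytes' from the advisory */

    printf("wrapped end position: 0x%08X\n", (unsigned)(uint32_t)(offset + num_bytes));
    printf("wrapping check accepts: %d\n", check_wrapping(offset, num_bytes, table_size));
    printf("safe check accepts:     %d\n", check_safe(offset, num_bytes, table_size));
    return 0;
}
```

The same subtraction-based comparison can be used as a review pattern when auditing other load paths that validate an offset and a length against a fixed buffer size.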

Remediation

A fix for this vulnerability is planned for the upcoming version 7.0.1 of the cFS.

Added: Apr 3, 2026, 6:22 PM
Updated: Apr 3, 2026, 6:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.