Azure RTOS FileX is a widely used FAT-compatible file system, fully integrated with Azure RTOS ThreadX. In versions before 6.2., the Fault Tolerant feature of Azure RTOS FileX has integer underflows and overflows that may be exploited to achieve a buffer overflow and modify memory contents. This article discusses the exploit details, the affected code, and how to patch the vulnerability, and links to the original references.

Exploit Details

When the _fx_fault_tolerant_enable function detects a valid log file with the correct ID and checksum, Azure RTOS FileX attempts to recover the previous failed write operation by calling the _fx_fault_tolerant_apply_logs function. This function iterates through the log entries and performs the required recovery operations. A specially crafted log that includes entries of type FX_FAULT_TOLERANT_DIR_LOG_TYPE could be used to introduce unexpected behavior.

Code Snippet

The vulnerability lies in the _fx_fault_tolerant_apply_logs() function in fx_fault_tolerant_apply_logs.c. Here is an example of the problematic code in the file:

// Line 218
while (log_size < log_buffer_size)
{
    ...
    log_entry_ptr = (FX_FAULT_TOLERANT_LOG_ENTRY *)
                    (((UCHAR *) log_entry_ptr) + log_entry_size);
    ...
}

The while loop iterates through log entries, but does not properly handle integer overflows, leading to the possibility of a buffer overflow and memory corruption.

Patching the vulnerability

According to the GitHub Security Advisory (GHSA), this issue has been patched in version 6.2. of Azure RTOS FileX. To manually fix the issue, update the problematic line 218 in fx_fault_tolerant_apply_logs.c as follows:

// Modified Line 218
while (log_size + log_entry_size <= log_buffer_size)
{
    ...
}
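
An overflow-safe way to walk variable-length log entries, added here as an illustration and not taken from FileX or the advisory: the entry layout, `walk_log_entries` and the sample logs are hypothetical. Each size field is compared against the bytes remaining in the buffer, so the bounds check never depends on a sum that could wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical entry header, for illustration only (NOT FileX's on-media
 * layout): 2-byte LE type, then 2-byte LE total entry size incl. header. */
#define ENTRY_HEADER_SIZE 4u

static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Walk entries in an untrusted log buffer. Returns the number of well-formed
 * entries, or -1 if a size field would leave the buffer or fail to advance. */
int walk_log_entries(const uint8_t *log, size_t log_buffer_size)
{
    size_t offset = 0;
    int count = 0;
    while (offset < log_buffer_size) {
        size_t remaining = log_buffer_size - offset; /* no underflow: offset < size */
        if (remaining < ENTRY_HEADER_SIZE)
            return -1;                               /* truncated header */
        size_t entry_size = read_le16(log + offset + 2);
        if (entry_size < ENTRY_HEADER_SIZE)
            return -1;                               /* would stall or underflow payload length */
        if (entry_size > remaining)
            return -1;                               /* compared to remaining, so no sum can wrap */
        offset += entry_size;                        /* safe: entry_size <= remaining */
        count++;
    }
    return count;
}

/* Constructed sample logs (not captured from a real device). */
const uint8_t good_log[]      = { 1,0, 6,0, 0xAA,0xBB,  2,0, 4,0 }; /* 6 + 4 bytes */
const uint8_t oversize_log[]  = { 1,0, 0xFF,0xFF, 0,0,0,0 };        /* claims 65535 bytes */
const uint8_t zero_size_log[] = { 1,0, 0,0 };                       /* claims 0 bytes */
const uint8_t truncated_log[] = { 1,0, 4,0, 2,0 };                  /* partial trailing header */

int main(void)
{
    printf("good=%d oversize=%d zero=%d truncated=%d\n",
           walk_log_entries(good_log, sizeof good_log),
           walk_log_entries(oversize_log, sizeof oversize_log),
           walk_log_entries(zero_size_log, sizeof zero_size_log),
           walk_log_entries(truncated_log, sizeof truncated_log));
    return 0;
}
```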

Original References

1. GitHub Security Advisory (GHSA): https://github.com/advisories/GHSA-43cf-8ph6-jgjq
2. Azure RTOS 6.2. Release Notes: https://docs.microsoft.com/en-us/azure/rtos/releases/2022-03-20

Conclusion

It's important to make sure that software systems are up-to-date, especially when it comes to security vulnerabilities. In this case, updating Azure RTOS FileX to version 6.2. or manually fixing line 218 in fx_fault_tolerant_apply_logs.c can help protect against potential exploitation of this buffer overflow vulnerability, CVE-2022-39343.

Timeline

Published on: 11/08/2022 08:15:00 UTC
Last modified on: 11/10/2022 00:32:00 UTC