Description
Basic Information
I am reaching out to report a potential vulnerability identified in the latest version of TizenRT. I am opening this issue for your review, as I could not find a reporting email in the security section of this repository. Kindly let me know if you intend to request a CVE ID upon confirmation of the vulnerability. I am more than happy to provide additional details or clarification if needed.
Summary
A null pointer dereference vulnerability (CWE-476) has been identified in the shell command implementation (tash_sleep and tash_usleep). This vulnerability arises from insufficient argument validation and enables an attacker to use the command line interface to crash the system.
Details
Vulnerable Code Location
The vulnerable code is located at TizenRT/apps/shell/tash_sleep.c and TizenRT/apps/shell/tash_usleep.c. For example, the code in tash_sleep is shown below:
```c
int tash_sleep(int argc, char **args)
{
	char *endptr;
	long secs;

	secs = strtol(args[1], &endptr, 0); // A null pointer dereference vulnerability caused by lacking appropriate args validation.
	if (!secs || endptr == args[1] || *endptr != '\0') {
		shdbg("%s: argument invalid\n", args[0]);
		return ERROR;
	}
	sleep(secs);
	return OK;
}
```
Vulnerability Description
The tash_sleep and tash_usleep functions accept command-line arguments, which can be controlled remotely or by an attacker. The lack of proper validation of these arguments allows an attacker to pass invalid or malicious input, potentially leading to a null pointer dereference and crashing the system. This occurs because the functions do not sufficiently check if the required arguments are passed or if they are valid, leading to a situation where the program attempts to dereference a null pointer.
Impact
This vulnerability can allow a remote attacker to crash the entire system via a null pointer dereference.
Recommendation
I strongly recommend implementing proper validation checks for all arguments when using the command line interface, as it is exposed to users. For instance, the following improvements can be made to the code by adding a check for the number of arguments passed:
```c
int tash_sleep(int argc, char **args)
{
	char *endptr;
	long secs;

	// Check the number of args
	if (argc != 2) {
		return ERROR;
	}
	secs = strtol(args[1], &endptr, 0); // args[1] is safe to read here: argc == 2 was checked above.
	if (!secs || endptr == args[1] || *endptr != '\0') {
		shdbg("%s: argument invalid\n", args[0]);
		return ERROR;
	}
	sleep(secs);
	return OK;
}
```
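The argument check recommended above, as an added stand-alone example that is not part of the original report or of TizenRT's code. `parse_sleep_arg`, `PARSE_OK` and `PARSE_ERROR` are hypothetical names; it goes beyond the report's `argc` check by also rejecting a NULL slot, overflow, and values that do not fit the `unsigned int` that `sleep()` takes.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define PARSE_OK     0
#define PARSE_ERROR -1

/* Hypothetical helper: validates the argument vector before args[1] is read. */
static int parse_sleep_arg(int argc, char **args, unsigned int *secs_out)
{
	char *endptr;
	long secs;

	/* Exactly one operand is expected; also guard against NULL pointers. */
	if (argc != 2 || args == NULL || args[1] == NULL || secs_out == NULL) {
		return PARSE_ERROR;
	}
	errno = 0;
	secs = strtol(args[1], &endptr, 0);
	/* Reject: no digits consumed, trailing characters, or out-of-range input. */
	if (endptr == args[1] || *endptr != '\0' || errno == ERANGE) {
		return PARSE_ERROR;
	}
	/* Reject zero, negatives, and values too large for sleep()'s unsigned int. */
	if (secs <= 0 || (unsigned long)secs > UINT_MAX) {
		return PARSE_ERROR;
	}
	*secs_out = (unsigned int)secs;
	return PARSE_OK;
}

int main(void)
{
	/* Constructed argument vectors, shaped like what a shell passes to a command. */
	char *no_operand[] = { "sleep", NULL };
	char *good[] = { "sleep", "0x10", NULL };
	unsigned int secs = 0;
	int rc;

	rc = parse_sleep_arg(1, no_operand, &secs);
	printf("no operand: rc=%d\n", rc);
	rc = parse_sleep_arg(2, good, &secs);
	printf("0x10: rc=%d secs=%u\n", rc, secs);
	return 0;
}
```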