
Race Condition in SFR Timeout

High
miri64 published GHSA-8m3w-mphf-wxm8 May 30, 2023

Package

RIOT-OS

Affected versions

<= 2023.01

Patched versions

None

Description

Impact

RIOT-OS contains a network stack with the ability to process 6LoWPAN frames. An attacker can send multiple crafted frames to the device to trigger a race condition. The race condition invalidates assumptions about the program state and leads to an invalid memory access resulting in denial of service.

Patches

None

Workarounds

  • None

For more information

If you have any questions or comments about this advisory:

Bug Details

Triggering this bug requires a specific series of events. The following will describe what happens in chronological order.

  1. A 6LoWPAN SFR fragment is sent by calling gnrc_sixlowpan_frag_sfr_send. The fragment requires an ACK and thus _sched_arq_timeout is called (source):
    if (_frag_ack_req(frag_desc)) {
        ...
        _sched_arq_timeout(fbuf, fbuf->sfr.arq_timeout);
    }
    
  2. The timeout expires and the corresponding event function _evtimer_msg_handler is called. The handler sends a message to the 6LoWPAN thread to inform it about the expired timer.
  3. The 6LoWPAN thread is still processing another packet. During this processing the timer on the fragment buffer is set again, e.g., because the fragment is resent.
  4. The message from step 2 is now processed by the 6LoWPAN thread. In gnrc_sixlowpan_frag_sfr_arq_timeout the event content pointer is set to NULL without checking whether the timer is currently in use (source):
    fbuf->sfr.arq_timeout_event.msg.content.ptr = NULL;
    
  5. In the end the timer can be scheduled again (source):
    if (reschedule_arq_timeout) {
        _sched_arq_timeout(fbuf, next_arq_offset);
        return;
    }
    
  6. The check that is meant to ensure the timer is not already scheduled is now ineffective, because it depends on the event content pointer that was just cleared (source):
    if (fbuf->sfr.arq_timeout_event.msg.content.ptr != NULL) {
        DEBUG("6lo sfr: ARQ timeout for datagram %u already scheduled\n",
              (uint8_t)fbuf->tag);
        return;
    }
    

The timer is thus scheduled two times which creates two problems:

  1. The next pointer of the event points to itself creating an infinite loop once the timeout expires.
  2. The event function modifies the event object on the first call and creates an invalid memory access in the second call.
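The following C program is an added illustration of the failure mode described above; it is not RIOT-OS code and models neither RIOT's evtimer nor its 6LoWPAN fragment buffer. It uses a constructed singly-linked timer queue (evt_t, evtimer_t, and the helper functions are all hypothetical) to show two things: first, that appending an event which is already linked turns its next pointer back on itself, which is the infinite loop named in problem 1; second, that deciding "is this event scheduled?" by inspecting the queue itself (unlinking before re-adding) rather than a pointer the handler may have cleared avoids the double scheduling entirely.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical event timer list; stands in for the timer queue, not RIOT's evtimer. */
typedef struct evt {
    struct evt *next;
    unsigned offset;      /* constructed: ticks until expiry */
    void *ctx;            /* plays the role of msg.content.ptr */
} evt_t;

typedef struct {
    evt_t *head;
} evtimer_t;

/* Unlink e from the queue if it is linked; returns true if it was found. */
static bool evtimer_del(evtimer_t *t, evt_t *e)
{
    evt_t **pp = &t->head;
    while (*pp) {
        if (*pp == e) {
            *pp = e->next;
            e->next = NULL;
            return true;
        }
        pp = &(*pp)->next;
    }
    return false;
}

/* Append without checking whether e is already linked. This is what the
 * scheduling step reduces to once the ctx-based guard has been defeated. */
static void evtimer_add_unchecked(evtimer_t *t, evt_t *e, unsigned offset)
{
    e->offset = offset;
    e->next = NULL;
    if (t->head == NULL) { t->head = e; return; }
    evt_t *cur = t->head;
    while (cur->next) cur = cur->next;
    cur->next = e;        /* if e was already queued, cur == e here: e->next = e */
}

/* Hardened reschedule: membership is decided by the queue, not by ctx. */
static void evtimer_reschedule(evtimer_t *t, evt_t *e, unsigned offset)
{
    (void)evtimer_del(t, e);
    evtimer_add_unchecked(t, e, offset);
}

/* Floyd cycle check: returns -1 if the list loops, otherwise the node count. */
int evtimer_length_or_cycle(const evtimer_t *t)
{
    const evt_t *slow = t->head, *fast = t->head;
    while (fast && fast->next) {
        slow = slow->next;
        fast = fast->next->next;
        if (slow == fast) return -1;
    }
    int n = 0;
    for (const evt_t *cur = t->head; cur; cur = cur->next) n++;
    return n;
}

/* Replays steps 4-6 of the advisory on the constructed queue: the handler
 * clears ctx, so the "ctx != NULL" guard lets a second add through. */
int scenario_double_schedule(void)
{
    evtimer_t t = { NULL };
    evt_t arq = { NULL, 0, NULL };
    int token = 1;

    if (arq.ctx == NULL) {                      /* guard passes: not yet scheduled */
        evtimer_add_unchecked(&t, &arq, 100);   /* step 1: first schedule */
        arq.ctx = &token;                       /* marks the event as in use */
    }
    arq.ctx = NULL;                             /* step 4: handler clears the pointer */
    if (arq.ctx == NULL) {                      /* step 6: guard is now ineffective */
        evtimer_add_unchecked(&t, &arq, 100);   /* step 5: scheduled a second time */
    }
    return evtimer_length_or_cycle(&t);         /* -1: arq.next points to arq */
}

/* Same sequence with the hardened reschedule: no duplicate, no cycle. */
int scenario_hardened(void)
{
    evtimer_t t = { NULL };
    evt_t arq = { NULL, 0, NULL };
    evt_t other = { NULL, 0, NULL };

    evtimer_reschedule(&t, &arq, 100);
    evtimer_reschedule(&t, &other, 200);
    evtimer_reschedule(&t, &arq, 50);           /* relinks arq instead of duplicating it */
    return evtimer_length_or_cycle(&t);         /* 2 */
}
```

The defensive point is the one the advisory's step 6 makes: a guard that reads state the timeout handler itself overwrites cannot be trusted once handler execution and rescheduling can interleave, so the "already scheduled" decision has to come from the queue (or from a lock held across both paths) rather than from the content pointer.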

Severity

High


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2023-33974
