Summary
Due to the lack of judgment on the size of serial_control_mavlink.count and serial_control_mavlink.data, we found a stack buffer overflow vulnerability in mavlink_receiver.cpp. This will cause the drone to refuse to execute during software simulation.
Details
- Send a MAVLINK message to the drone. It will enter In mavlink_receiver.cpp, parse according to the specific MAVLINK received.
- When the type of message sent is MAVLINK_MSG_ID_SERIAL_CONTROL, the handle_message_serial_control function is executed
https://github.com/PX4/PX4-Autopilot/blob/main/src/modules/mavlink/mavlink_receiver.cpp#L1798-L1831
- https://github.com/PX4/PX4-Autopilot/blob/main/src/modules/mavlink/mavlink_receiver.cpp#L1821-L1824
When serial_control_mavlink.count > sizeof(serial_control_mavlink.data), a stack overflow vulnerability is triggered. This causes the program to crash and cause a denial of service.
Error report
=================================================================
==28263==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f1e57f6e4c4 at pc 0x7f1e5b7a8eed bp 0x7f1e57f6e420 sp 0x7f1e57f6dbc8
READ of size 216 at 0x7f1e57f6e4c4 thread T106 (mavlink_rcv_if0)
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer: nested bug in the same thread, aborting.
INFO [mavlink] Starting mavlink shell
==34278== Thread 20 mavlink_rcv_if0:
==34278== Syscall param write(buf) points to uninitialised byte(s)
==34278== at 0x488B32F: __libc_write (write.c:26)
==34278== by 0x488B32F: write (write.c:24)
==34278== by 0x294A51: MavlinkReceiver::handle_message_serial_control(__mavlink_message*) (mavlink_receiver.cpp:1823)
==34278== by 0x29C44A: MavlinkReceiver::handle_message(__mavlink_message*) (mavlink_receiver.cpp:240)
==34278== by 0x29CA3E: MavlinkReceiver::run() (mavlink_receiver.cpp:3170)
==34278== by 0x29E70C: MavlinkReceiver::start_trampoline(void*) (mavlink_receiver.cpp:3449)
==34278== by 0x4880608: start_thread (pthread_create.c:477)
==34278== by 0x4D0E352: clone (clone.S:95)
==34278== Address 0x6adbf81 is on thread 20's stack
==34278== in frame #1, created by MavlinkReceiver::handle_message_serial_control(__mavlink_message*) (mavlink_receiver.cpp:1799)
==34278==
INFO [mavlink] Stopping mavlink shell
PoC
1、Use the following command to start px4
sudo make px4_sitl jmavsim PX4_ASAN=1
2、Use the python code and output.txt I provided to send the mavlink message to the px4 (Python code and output.txt are in the github repository)
https://github.com/zhangteng0526/px4_stack-over-flow
python3.8 poc.py
Impact
If we can create a MAVLINK message remotely and send it to PX4, a global buffer overflow vulnerability will be triggered, causing the drone to behave unexpectedly.
zhangteng0526 Reporter
Summary
Due to the lack of judgment on the size of serial_control_mavlink.count and serial_control_mavlink.data, we found a stack buffer overflow vulnerability in mavlink_receiver.cpp. This will cause the drone to refuse to execute during software simulation.
Details
https://github.com/PX4/PX4-Autopilot/blob/main/src/modules/mavlink/mavlink_receiver.cpp#L1798-L1831
When serial_control_mavlink.count > sizeof(serial_control_mavlink.data), a stack overflow vulnerability is triggered. This causes the program to crash and cause a denial of service.
Error report
=================================================================
==28263==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f1e57f6e4c4 at pc 0x7f1e5b7a8eed bp 0x7f1e57f6e420 sp 0x7f1e57f6dbc8
READ of size 216 at 0x7f1e57f6e4c4 thread T106 (mavlink_rcv_if0)
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer: nested bug in the same thread, aborting.
INFO [mavlink] Starting mavlink shell
==34278== Thread 20 mavlink_rcv_if0:
==34278== Syscall param write(buf) points to uninitialised byte(s)
==34278== at 0x488B32F: __libc_write (write.c:26)
==34278== by 0x488B32F: write (write.c:24)
==34278== by 0x294A51: MavlinkReceiver::handle_message_serial_control(__mavlink_message*) (mavlink_receiver.cpp:1823)
==34278== by 0x29C44A: MavlinkReceiver::handle_message(__mavlink_message*) (mavlink_receiver.cpp:240)
==34278== by 0x29CA3E: MavlinkReceiver::run() (mavlink_receiver.cpp:3170)
==34278== by 0x29E70C: MavlinkReceiver::start_trampoline(void*) (mavlink_receiver.cpp:3449)
==34278== by 0x4880608: start_thread (pthread_create.c:477)
==34278== by 0x4D0E352: clone (clone.S:95)
==34278== Address 0x6adbf81 is on thread 20's stack
==34278== in frame #1, created by MavlinkReceiver::handle_message_serial_control(__mavlink_message*) (mavlink_receiver.cpp:1799)
==34278==
INFO [mavlink] Stopping mavlink shell
PoC
1、Use the following command to start px4
sudo make px4_sitl jmavsim PX4_ASAN=12、Use the python code and output.txt I provided to send the mavlink message to the px4 (Python code and output.txt are in the github repository)
https://github.com/zhangteng0526/px4_stack-over-flow
python3.8 poc.pyImpact
If we can create a MAVLINK message remotely and send it to PX4, a global buffer overflow vulnerability will be triggered, causing the drone to behave unexpectedly.