Patch unsafe strlen in TLVWriter #37065

alexhqwang · 2025-01-14T21:48:47Z

This is a vulnerability from Weave that was recently fixed. Apply the patch to Matter TLVWriter as well. This avoids reading bad pointers beyond stack-allocated memory.

One of the PutString function overloads makes a call to strlen
without safeguards. This has caused faults on several products when
passing in uninitialized memory. While these call sites have been
fixed with explicit initialization, we can also make the core
library more secure. Use the container to determine a maximum length
and avoid buffer overflow.

Testing

Verified that device builds crashing on TLV serialization due to strings without proper null termination are now fixed.
Added a unit test

semanticdiff-com · 2025-01-14T21:48:50Z

Review changes with

src/lib/core/TLVWriter.cpp

github-actions · 2025-01-15T18:38:43Z

PR #37065: Size comparison from 6ffcd19 to de1c8f6

Full report (71 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, cyw30739, efr32, esp32, linux, nrfconnect, nxp, psoc6, qpg, stm32, telink, tizen)

platform	target	config	section	`6ffcd19`	`de1c8f6`	change	% change
bl602	lighting-app	bl602+mfd+littlefs+rpc	FLASH	1094560	1094560	0	0.0
			RAM	103346	103346	0	0.0
bl702	lighting-app	bl702+eth	FLASH	652366	652366	0	0.0
			RAM	25353	25353	0	0.0
		bl702+wifi	FLASH	830546	830546	0	0.0
			RAM	14093	14093	0	0.0
		bl706+mfd+rpc+littlefs	FLASH	1057832	1057832	0	0.0
			RAM	23949	23949	0	0.0
bl702l	contact-sensor-app	bl702l+mfd+littlefs	FLASH	890856	890856	0	0.0
			RAM	18624	18624	0	0.0
	lighting-app	bl702l+mfd+littlefs	FLASH	973816	973816	0	0.0
			RAM	16472	16472	0	0.0
cc13x4_26x4	lighting-app	LP_EM_CC1354P10_6	FLASH	840084	840084	0	0.0
			RAM	123536	123536	0	0.0
	lock-ftd	LP_EM_CC1354P10_6	FLASH	825600	825600	0	0.0
			RAM	125424	125424	0	0.0
	pump-app	LP_EM_CC1354P10_6	FLASH	772528	772528	0	0.0
			RAM	113900	113900	0	0.0
	pump-controller-app	LP_EM_CC1354P10_6	FLASH	756724	756724	0	0.0
			RAM	114100	114100	0	0.0
cc32xx	air-purifier	CC3235SF_LAUNCHXL	FLASH	540021	540021	0	0.0
			RAM	205288	205288	0	0.0
	lock	CC3235SF_LAUNCHXL	FLASH	574189	574189	0	0.0
			RAM	205432	205432	0	0.0
cyw30739	light	CYW30739B2-P5-EVK-01	unknown	2040	2040	0	0.0
			FLASH	681569	681569	0	0.0
			RAM	78596	78596	0	0.0
		CYW30739B2-P5-EVK-02	unknown	2040	2040	0	0.0
			FLASH	701413	701413	0	0.0
			RAM	81236	81236	0	0.0
		CYW30739B2-P5-EVK-03	unknown	2040	2040	0	0.0
			FLASH	701413	701413	0	0.0
			RAM	81236	81236	0	0.0
		CYW930739M2EVB-02	unknown	2040	2040	0	0.0
			FLASH	658357	658357	0	0.0
			RAM	73664	73664	0	0.0
	light-switch	CYW30739B2-P5-EVK-01	unknown	2040	2040	0	0.0
			FLASH	618153	618153	0	0.0
			RAM	71588	71588	0	0.0
		CYW30739B2-P5-EVK-02	unknown	2040	2040	0	0.0
			FLASH	637789	637789	0	0.0
			RAM	74132	74132	0	0.0
		CYW30739B2-P5-EVK-03	unknown	2040	2040	0	0.0
			FLASH	637789	637789	0	0.0
			RAM	74132	74132	0	0.0
	lock	CYW30739B2-P5-EVK-01	unknown	2040	2040	0	0.0
			FLASH	637601	637601	0	0.0
			RAM	74596	74596	0	0.0
		CYW30739B2-P5-EVK-02	unknown	2040	2040	0	0.0
			FLASH	657317	657317	0	0.0
			RAM	77140	77140	0	0.0
		CYW30739B2-P5-EVK-03	unknown	2040	2040	0	0.0
			FLASH	657317	657317	0	0.0
			RAM	77140	77140	0	0.0
	thermostat	CYW30739B2-P5-EVK-01	unknown	2040	2040	0	0.0
			FLASH	614213	614213	0	0.0
			RAM	68684	68684	0	0.0
		CYW30739B2-P5-EVK-02	unknown	2040	2040	0	0.0
			FLASH	634065	634065	0	0.0
			RAM	71316	71316	0	0.0
		CYW30739B2-P5-EVK-03	unknown	2040	2040	0	0.0
			FLASH	634065	634065	0	0.0
			RAM	71316	71316	0	0.0
efr32	lock-app	BRD4187C	FLASH	932548	932548	0	0.0
			RAM	160068	160068	0	0.0
		BRD4338a	FLASH	749328	749320	-8	-0.0
			RAM	233196	233196	0	0.0
	window-app	BRD4187C	FLASH	1027008	1027008	0	0.0
			RAM	128172	128172	0	0.0
esp32	all-clusters-app	c3devkit	DRAM	95192	95192	0	0.0
			FLASH	`1541922`	`1541922`	0	0.0
			IRAM	82552	82552	0	0.0
		m5stack	DRAM	116172	116172	0	0.0
			FLASH	`1548474`	`1548474`	0	0.0
			IRAM	117039	117039	0	0.0
linux	air-purifier-app	debug	unknown	4752	4752	0	0.0
			FLASH	2722497	2722497	0	0.0
			RAM	133096	133096	0	0.0
	all-clusters-app	debug	unknown	5560	5560	0	0.0
			FLASH	5996086	5996086	0	0.0
			RAM	526008	526008	0	0.0
	all-clusters-minimal-app	debug	unknown	5456	5456	0	0.0
			FLASH	`5341272`	`5341272`	0	0.0
			RAM	243008	243008	0	0.0
	bridge-app	debug	unknown	5472	5472	0	0.0
			FLASH	`4696426`	`4696426`	0	0.0
			RAM	221760	221760	0	0.0
	chip-tool	debug	unknown	5984	5984	0	0.0
			FLASH	12865776	12865920	144	0.0
			RAM	586938	586938	0	0.0
	chip-tool-ipv6only	arm64	unknown	21536	21536	0	0.0
			FLASH	10988368	10988512	144	0.0
			RAM	637984	637984	0	0.0
	fabric-admin	debug	unknown	5808	5808	0	0.0
			FLASH	11273363	11273507	144	0.0
			RAM	587282	587282	0	0.0
	fabric-bridge-app	debug	unknown	4728	4728	0	0.0
			FLASH	4521456	4521456	0	0.0
			RAM	208880	208880	0	0.0
	fabric-sync	debug	unknown	4968	4968	0	0.0
			FLASH	`5622053`	`5622197`	144	0.0
			RAM	477832	477832	0	0.0
	lighting-app	debug+rpc+ui	unknown	6136	6136	0	0.0
			FLASH	5630609	5630609	0	0.0
			RAM	232008	232008	0	0.0
	lock-app	debug	unknown	5408	5408	0	0.0
			FLASH	`4744188`	`4744188`	0	0.0
			RAM	208008	208008	0	0.0
	ota-provider-app	debug	unknown	4768	4768	0	0.0
			FLASH	4371808	4371808	0	0.0
			RAM	201696	201696	0	0.0
	ota-requestor-app	debug	unknown	4720	4720	0	0.0
			FLASH	4509820	4509820	0	0.0
			RAM	206280	206280	0	0.0
	shell	debug	unknown	4248	4248	0	0.0
			FLASH	3022813	3022813	0	0.0
			RAM	160736	160736	0	0.0
	thermostat-no-ble	arm64	unknown	9552	9552	0	0.0
			FLASH	4109880	4109880	0	0.0
			RAM	246304	246304	0	0.0
	tv-app	debug	unknown	5736	5736	0	0.0
			FLASH	5965733	5965733	0	0.0
			RAM	601264	601264	0	0.0
	tv-casting-app	debug	unknown	5312	5312	0	0.0
			FLASH	11101613	11101757	144	0.0
			RAM	700424	700424	0	0.0
nrfconnect	all-clusters-app	nrf52840dk_nrf52840	FLASH	917804	917804	0	0.0
			RAM	143172	143172	0	0.0
		nrf7002dk_nrf5340_cpuapp	FLASH	890868	890868	0	0.0
			RAM	141359	141359	0	0.0
	all-clusters-minimal-app	nrf52840dk_nrf52840	FLASH	851932	851932	0	0.0
			RAM	142084	142084	0	0.0
nxp	contact	k32w0+release	FLASH	585968	585968	0	0.0
			RAM	70952	70952	0	0.0
		mcxw71+release	FLASH	601488	601488	0	0.0
			RAM	63168	63168	0	0.0
	light	k32w0+release	FLASH	612588	612588	0	0.0
			RAM	70344	70344	0	0.0
		k32w1+release	FLASH	687152	687152	0	0.0
			RAM	48760	48760	0	0.0
	lock	mcxw71+release	FLASH	763464	763464	0	0.0
			RAM	70796	70796	0	0.0
psoc6	all-clusters	cy8ckit_062s2_43012	FLASH	1652092	1652092	0	0.0
			RAM	211624	211624	0	0.0
	all-clusters-minimal	cy8ckit_062s2_43012	FLASH	1557860	1557860	0	0.0
			RAM	208440	208440	0	0.0
	light	cy8ckit_062s2_43012	FLASH	1472460	1472460	0	0.0
			RAM	200408	200408	0	0.0
	lock	cy8ckit_062s2_43012	FLASH	`1470244`	`1470244`	0	0.0
			RAM	224760	224760	0	0.0
qpg	lighting-app	qpg6105+debug	FLASH	664144	664144	0	0.0
			RAM	105296	105296	0	0.0
	lock-app	qpg6105+debug	FLASH	622004	622004	0	0.0
			RAM	99748	99748	0	0.0
stm32	light	STM32WB5MM-DK	FLASH	484976	484976	0	0.0
			RAM	144752	144752	0	0.0
telink	bridge-app	tlsr9258a	FLASH	683552	683552	0	0.0
			RAM	91088	91088	0	0.0
	contact-sensor-app	tlsr9528a_retention	FLASH	623810	623810	0	0.0
			RAM	31488	31488	0	0.0
	light-app-ota-compress-lzma-shell-factory-data	tl3218x	FLASH	772652	772652	0	0.0
			RAM	49348	49348	0	0.0
	light-app-ota-shell-factory-data	tl7218x	FLASH	777256	777256	0	0.0
			RAM	99652	99652	0	0.0
	light-switch-app-ota-compress-lzma-shell-factory-data	tlsr9528a	FLASH	711250	711250	0	0.0
			RAM	73384	73384	0	0.0
	lighting-app-ota-factory-data	tlsr9118bdk40d	FLASH	628264	628264	0	0.0
			RAM	142020	142020	0	0.0
	lighting-app-ota-rpc-factory-data-4mb	tlsr9518adk80d	FLASH	814266	814266	0	0.0
			RAM	99564	99564	0	0.0
tizen	all-clusters-app	arm	unknown	5120	5120	0	0.0
			FLASH	1766952	1766952	0	0.0
			RAM	93672	93672	0	0.0
	chip-tool-ubsan	arm	unknown	10904	10904	0	0.0
			FLASH	17946038	17946294	256	0.0
			RAM	7841372	7841468	96	0.0

This is a vulnerability from Weave that was recently fixed. Apply the patch to Matter TLVWriter as well. This avoids reading bad pointers beyond stack-allocated memory. > One of the PutString function overloads makes a call to strlen > without safeguards. This has caused faults on several products when > passing in uninitialized memory. While these call sites have been > fixed with explicit initialization, we can also make the core > library more secure. Use the container to determine a maximum length > and avoid buffer overflow.

github-actions · 2025-01-15T22:20:50Z

PR #37065: Size comparison from 11a6571 to 532f6b9

Full report (71 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, cyw30739, efr32, esp32, linux, nrfconnect, nxp, psoc6, qpg, stm32, telink, tizen)

platform	target	config	section	`11a6571`	`532f6b9`	change
bl602	lighting-app	bl602+mfd+littlefs+rpc	FLASH	1094560	1094560	0
			RAM	103346	103346	0
bl702	lighting-app	bl702+eth	FLASH	652366	652366	0
			RAM	25353	25353	0
		bl702+wifi	FLASH	830546	830546	0
			RAM	14093	14093	0
		bl706+mfd+rpc+littlefs	FLASH	1057832	1057832	0
			RAM	23949	23949	0
bl702l	contact-sensor-app	bl702l+mfd+littlefs	FLASH	890856	890856	0
			RAM	18624	18624	0
	lighting-app	bl702l+mfd+littlefs	FLASH	973816	973816	0
			RAM	16472	16472	0
cc13x4_26x4	lighting-app	LP_EM_CC1354P10_6	FLASH	840084	840084	0
			RAM	123536	123536	0
	lock-ftd	LP_EM_CC1354P10_6	FLASH	825600	825600	0
			RAM	125424	125424	0
	pump-app	LP_EM_CC1354P10_6	FLASH	772528	772528	0
			RAM	113900	113900	0
	pump-controller-app	LP_EM_CC1354P10_6	FLASH	756724	756724	0
			RAM	114100	114100	0
cc32xx	air-purifier	CC3235SF_LAUNCHXL	FLASH	540021	540021	0
			RAM	205288	205288	0
	lock	CC3235SF_LAUNCHXL	FLASH	574189	574189	0
			RAM	205432	205432	0
cyw30739	light	CYW30739B2-P5-EVK-01	unknown	2040	2040	0
			FLASH	681569	681569	0
			RAM	78596	78596	0
		CYW30739B2-P5-EVK-02	unknown	2040	2040	0
			FLASH	701413	701413	0
			RAM	81236	81236	0
		CYW30739B2-P5-EVK-03	unknown	2040	2040	0
			FLASH	701413	701413	0
			RAM	81236	81236	0
		CYW930739M2EVB-02	unknown	2040	2040	0
			FLASH	658357	658357	0
			RAM	73664	73664	0
	light-switch	CYW30739B2-P5-EVK-01	unknown	2040	2040	0
			FLASH	618153	618153	0
			RAM	71588	71588	0
		CYW30739B2-P5-EVK-02	unknown	2040	2040	0
			FLASH	637789	637789	0
			RAM	74132	74132	0
		CYW30739B2-P5-EVK-03	unknown	2040	2040	0
			FLASH	637789	637789	0
			RAM	74132	74132	0
	lock	CYW30739B2-P5-EVK-01	unknown	2040	2040	0
			FLASH	637601	637601	0
			RAM	74596	74596	0
		CYW30739B2-P5-EVK-02	unknown	2040	2040	0
			FLASH	657317	657317	0
			RAM	77140	77140	0
		CYW30739B2-P5-EVK-03	unknown	2040	2040	0
			FLASH	657317	657317	0
			RAM	77140	77140	0
	thermostat	CYW30739B2-P5-EVK-01	unknown	2040	2040	0
			FLASH	614213	614213	0
			RAM	68684	68684	0
		CYW30739B2-P5-EVK-02	unknown	2040	2040	0
			FLASH	634065	634065	0
			RAM	71316	71316	0
		CYW30739B2-P5-EVK-03	unknown	2040	2040	0
			FLASH	634065	634065	0
			RAM	71316	71316	0
efr32	lock-app	BRD4187C	FLASH	936952	936952	0
			RAM	160004	160004	0
		BRD4338a	FLASH	733292	733292	0
			RAM	218884	218884	0
	window-app	BRD4187C	FLASH	1032664	1032664	0
			RAM	128112	128112	0
esp32	all-clusters-app	c3devkit	DRAM	95192	95192	0
			FLASH	`1541922`	`1541922`	0
			IRAM	82552	82552	0
		m5stack	DRAM	116172	116172	0
			FLASH	`1548478`	`1548478`	0
			IRAM	117039	117039	0
linux	air-purifier-app	debug	unknown	4752	4752	0
			FLASH	2722505	2722505	0
			RAM	133096	133096	0
	all-clusters-app	debug	unknown	5560	5560	0
			FLASH	5997022	5997022	0
			RAM	529752	529752	0
	all-clusters-minimal-app	debug	unknown	5456	5456	0
			FLASH	`5341278`	`5341278`	0
			RAM	243008	243008	0
	bridge-app	debug	unknown	5472	5472	0
			FLASH	4696432	4696432	0
			RAM	221760	221760	0
	chip-tool	debug	unknown	5984	5984	0
			FLASH	12986152	12986296	144
			RAM	592474	592474	0
	chip-tool-ipv6only	arm64	unknown	21664	21664	0
			FLASH	11082640	11082784	144
			RAM	643824	643824	0
	fabric-admin	debug	unknown	5808	5808	0
			FLASH	`1135286`	11353009	144
			RAM	592818	592818	0
	fabric-bridge-app	debug	unknown	4728	4728	0
			FLASH	4521464	4521464	0
			RAM	208880	208880	0
	fabric-sync	debug	unknown	4968	4968	0
			FLASH	5622965	5623109	144
			RAM	481576	481576	0
	lighting-app	debug+rpc+ui	unknown	6136	6136	0
			FLASH	5630609	5630609	0
			RAM	232008	232008	0
	lock-app	debug	unknown	5408	5408	0
			FLASH	4744194	4744194	0
			RAM	208008	208008	0
	ota-provider-app	debug	unknown	4768	4768	0
			FLASH	4371814	4371814	0
			RAM	201696	201696	0
	ota-requestor-app	debug	unknown	4720	4720	0
			FLASH	4509826	4509826	0
			RAM	206280	206280	0
	shell	debug	unknown	4248	4248	0
			FLASH	3022829	3022829	0
			RAM	160736	160736	0
	thermostat-no-ble	arm64	unknown	9552	9552	0
			FLASH	4109912	4109912	0
			RAM	246304	246304	0
	tv-app	debug	unknown	5736	5736	0
			FLASH	5966661	5966661	0
			RAM	605008	605008	0
	tv-casting-app	debug	unknown	5312	5312	0
			FLASH	11223949	11224093	144
			RAM	706456	706456	0
nrfconnect	all-clusters-app	nrf52840dk_nrf52840	FLASH	917804	917804	0
			RAM	143172	143172	0
		nrf7002dk_nrf5340_cpuapp	FLASH	890868	890868	0
			RAM	141359	141359	0
	all-clusters-minimal-app	nrf52840dk_nrf52840	FLASH	851932	851932	0
			RAM	142084	142084	0
nxp	contact	k32w0+release	FLASH	585968	585968	0
			RAM	70952	70952	0
		mcxw71+release	FLASH	601488	601488	0
			RAM	63168	63168	0
	light	k32w0+release	FLASH	612588	612588	0
			RAM	70344	70344	0
		k32w1+release	FLASH	687152	687152	0
			RAM	48760	48760	0
	lock	mcxw71+release	FLASH	763464	763464	0
			RAM	70796	70796	0
psoc6	all-clusters	cy8ckit_062s2_43012	FLASH	1652092	1652092	0
			RAM	211624	211624	0
	all-clusters-minimal	cy8ckit_062s2_43012	FLASH	1557860	1557860	0
			RAM	208440	208440	0
	light	cy8ckit_062s2_43012	FLASH	1472460	1472460	0
			RAM	200408	200408	0
	lock	cy8ckit_062s2_43012	FLASH	`1470244`	`1470244`	0
			RAM	224760	224760	0
qpg	lighting-app	qpg6105+debug	FLASH	664144	664144	0
			RAM	105296	105296	0
	lock-app	qpg6105+debug	FLASH	622004	622004	0
			RAM	99748	99748	0
stm32	light	STM32WB5MM-DK	FLASH	484976	484976	0
			RAM	144752	144752	0
telink	bridge-app	tlsr9258a	FLASH	683552	683552	0
			RAM	91088	91088	0
	contact-sensor-app	tlsr9528a_retention	FLASH	623810	623810	0
			RAM	31488	31488	0
	light-app-ota-compress-lzma-shell-factory-data	tl3218x	FLASH	772652	772652	0
			RAM	49348	49348	0
	light-app-ota-shell-factory-data	tl7218x	FLASH	777256	777256	0
			RAM	99652	99652	0
	light-switch-app-ota-compress-lzma-shell-factory-data	tlsr9528a	FLASH	711250	711250	0
			RAM	73384	73384	0
	lighting-app-ota-factory-data	tlsr9118bdk40d	FLASH	628264	628264	0
			RAM	142020	142020	0
	lighting-app-ota-rpc-factory-data-4mb	tlsr9518adk80d	FLASH	814266	814266	0
			RAM	99564	99564	0
tizen	all-clusters-app	arm	unknown	5120	5120	0
			FLASH	1766952	1766952	0
			RAM	93672	93672	0
	chip-tool-ubsan	arm	unknown	10968	10968	0
			FLASH	18132110	18132374	264
			RAM	`7923244`	7923340	96

pullapprove bot added the review - pending label Jan 14, 2025

github-actions bot added lib core labels Jan 14, 2025

bzbarsky-apple reviewed Jan 14, 2025

View reviewed changes

src/lib/core/TLVWriter.cpp Outdated Show resolved Hide resolved

src/lib/core/TLVWriter.cpp Outdated Show resolved Hide resolved

jmartinez-silabs approved these changes Jan 15, 2025

View reviewed changes

alexhqwang force-pushed the master branch from bf3b87c to de1c8f6 Compare January 15, 2025 18:26

alexhqwang added 3 commits January 15, 2025 14:03

Fix comment and apply clang-format

96cd4c2

Fixes for clang-tidy

532f6b9

alexhqwang force-pushed the master branch from de1c8f6 to 532f6b9 Compare January 15, 2025 22:06

bzbarsky-apple approved these changes Jan 15, 2025

View reviewed changes

pullapprove bot added review - approved and removed review - pending labels Jan 15, 2025

mergify bot merged commit 9b58c27 into project-chip:master Jan 16, 2025
69 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Patch unsafe strlen in TLVWriter #37065

Patch unsafe strlen in TLVWriter #37065

alexhqwang commented Jan 14, 2025

semanticdiff-com bot commented Jan 14, 2025

github-actions bot commented Jan 15, 2025 •

edited

Loading

github-actions bot commented Jan 15, 2025 •

edited

Loading

Patch unsafe strlen in TLVWriter #37065

Patch unsafe strlen in TLVWriter #37065

Conversation

alexhqwang commented Jan 14, 2025

Testing

semanticdiff-com bot commented Jan 14, 2025

github-actions bot commented Jan 15, 2025 • edited Loading

github-actions bot commented Jan 15, 2025 • edited Loading

github-actions bot commented Jan 15, 2025 •

edited

Loading

github-actions bot commented Jan 15, 2025 •

edited

Loading