Summary
Stack buffer overflow in MavlinkLogHandler triggered via MAVLink log request. The LogEntry.filepath buffer is 60 bytes, but sscanf parses paths from the log list file with no width specifier, allowing a path longer than 60 characters to overflow the buffer.
Details
In mavlink_log_handler.cpp, the log list file is parsed with:
sscanf(line, "%" PRIu32 " %" PRIu32 " %s",
       &entry.time_utc, &entry.size_bytes, entry.filepath);
entry.filepath is only 60 bytes. A log directory structure producing paths longer than 60 characters causes a stack buffer overflow when a GCS requests the log list via MAV_CMD_LOG_REQUEST_LIST.
An attacker with MAVLink link access can trigger this by first creating deeply nested directories via MAVLink FTP, then requesting the log list.
Impact
Denial of service. The flight controller MAVLink task crashes, losing telemetry and command capability.
Fix
- Size LogEntry.filepath to PX4_MAX_FILEPATH (256 bytes)
- Add sscanf width specifiers to prevent overflow
- Add static_assert to enforce buffer size at compile time
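As an added illustration (not PX4's code), the log-list parse above rewritten with the three fix items together: a PX4_MAX_FILEPATH-sized buffer, a width on the %s conversion, and a static_assert that ties the width to the buffer; it goes one step further than the advisory's fix by using %n to reject an over-long path instead of silently truncating it. The struct layout, helper names and the constructed sample lines are assumptions.

```c
#include <assert.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative sizes: PX4_MAX_FILEPATH is the 256-byte size the fix adopts (the original buffer was 60). */
#define PX4_MAX_FILEPATH 256
#define PATH_WIDTH       255   /* most chars sscanf may store: buffer size minus the terminating NUL */
#define STR_(x) #x
#define STR(x)  STR_(x)

typedef struct {
    uint32_t time_utc;
    uint32_t size_bytes;
    char     filepath[PX4_MAX_FILEPATH];
} LogEntry;

/* Compile-time guard: shrinking filepath without updating PATH_WIDTH fails the build instead of overflowing. */
static_assert(sizeof(((LogEntry *)0)->filepath) == PATH_WIDTH + 1, "PATH_WIDTH must equal sizeof(filepath) - 1");

/* Vulnerable format in the advisory: "%" PRIu32 " %" PRIu32 " %s" (unbounded %s). Hardened: width on %s, plus %n. */
#define LOG_LINE_FMT "%" PRIu32 " %" PRIu32 " %" STR(PATH_WIDTH) "s%n"

/* 0 = parsed, -1 = malformed line, -2 = path longer than the buffer (rejected, not silently cut). */
int parse_log_entry(const char *line, LogEntry *entry)
{
    int consumed = 0;
    if (sscanf(line, LOG_LINE_FMT, &entry->time_utc, &entry->size_bytes,
               entry->filepath, &consumed) != 3) {
        return -1;
    }
    char next = line[consumed];   /* %255s stops silently at the width, so inspect what follows it */
    return (next == '\0' || next == '\n' || next == '\r' || next == ' ') ? 0 : -2;
}

static LogEntry g_entry;   /* scratch entry for the demo helper below */

/* Builds a constructed log-list line whose path is path_len 'a' characters and parses it. */
int parse_constructed_line(size_t path_len)
{
    char line[32 + 1024];
    if (path_len > 1024) return -1;
    int n = snprintf(line, sizeof line, "%" PRIu32 " %" PRIu32 " ", 1700000000u, 4096u);
    memset(line + n, 'a', path_len);
    line[n + path_len] = '\0';
    return parse_log_entry(line, &g_entry);
}

int main(void)
{
    printf("59-char path -> %d, 300-char path -> %d (rejected, no overflow)\n",
           parse_constructed_line(59), parse_constructed_line(300));
    return 0;
}
```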
Original Report Below
=================================================================
==66954==ERROR: AddressSanitizer: stack-overflow on address 0x7fc2b854ffd0 (pc 0x7fc2bbe447d9 bp 0x7fc2b8550820 sp 0x7fc2b854ffc0 T121)
#0 0x7fc2bbe447d8 in __sanitizer::StackTrace::StackTrace(unsigned long const*, unsigned int) ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:50
#1 0x7fc2bbe447d8 in __sanitizer::BufferedStackTrace::BufferedStackTrace() ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:95
#2 0x7fc2bbe447d8 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#3 0x7fc2bb8a1f18 in __alloc_dir ../sysdeps/posix/opendir.c:118
#4 0x7fc2bb8a1f18 in opendir_tail ../sysdeps/posix/opendir.c:69
#5 0x7fc2bb8a1f18 in __opendir ../sysdeps/posix/opendir.c:92
#6 0x7fc2bbd86342 in __interceptor_opendir ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:3101
#7 0x560bb775d487 in MavlinkLogHandler::write_entries_to_file(_IO_FILE*, char const*) ../../src/modules/mavlink/mavlink_log_handler.cpp:429
#8 0x560bb775dadc in MavlinkLogHandler::create_log_list_file() ../../src/modules/mavlink/mavlink_log_handler.cpp:410
#9 0x560bb775dcf1 in MavlinkLogHandler::handle_log_request_list(__mavlink_message const*) ../../src/modules/mavlink/mavlink_log_handler.cpp:262
#10 0x560bb77636c0 in MavlinkLogHandler::handle_message(__mavlink_message const*) ../../src/modules/mavlink/mavlink_log_handler.cpp:98
#11 0x560bb7714cd1 in MavlinkReceiver::handle_message(__mavlink_message*) ../../src/modules/mavlink/mavlink_receiver.cpp:408
#12 0x560bb771644a in MavlinkReceiver::run() ../../src/modules/mavlink/mavlink_receiver.cpp:3293
#13 0x560bb771c11e in MavlinkReceiver::start_trampoline(void*) ../../src/modules/mavlink/mavlink_receiver.cpp:3575
#14 0x7fc2bbd12608 in start_thread /build/glibc-LcI20x/glibc-2.31/nptl/pthread_create.c:477
#15 0x7fc2bb8e3352 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f352)
SUMMARY: AddressSanitizer: stack-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:50 in __sanitizer::StackTrace::StackTrace(unsigned long const*, unsigned int)
Thread T121 (mavlink_rcv_if0) created by T120 (mavlink_if0) here:
#0 0x7fc2bbd71815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
#1 0x560bb7710915 in MavlinkReceiver::start() ../../src/modules/mavlink/mavlink_receiver.cpp:3560
Thread T120 (mavlink_if0) created by T119 here:
#0 0x7fc2bbd71815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
#1 0x560bb7ca4e8f in px4_task_spawn_cmd ../../platforms/posix/src/px4/common/tasks.cpp:246
Thread T119 created by T1 here:
#0 0x7fc2bbd71815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
#1 0x560bb7cbe7bc in px4_daemon::Server::_server_main() ../../platforms/posix/src/px4/common/px4_daemon/server.cpp:185
Thread T1 created by T0 (px4) here:
#0 0x7fc2bbd71815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
#1 0x560bb7cba53c in px4_daemon::Server::start() ../../platforms/posix/src/px4/common/px4_daemon/server.cpp:106
#2 0x7fc2bb9d26cf (<unknown module>)
==66954==ABORTING
PoC
1. Use the following command to start PX4
sudo make px4_sitl jmavsim PX4_ASAN=1
2. Use the Python code to send the MAVLink message to PX4
Impact
If we can create a MAVLink message remotely and send it to PX4, a global buffer overflow vulnerability will be triggered, causing the drone to behave unexpectedly.
Error report
