Integer Underflow in Memory Range Check in Renesas RCAR
Description
Integer Underflow in Memory Range Check
Location
Filename = drivers/renesas/common/io/io_rcar.c
Function = check_load_area
Line = 271
Line = 283
Description
The function check_load_area is responsible for ensuring that an image load will not touch certain memory ranges. It receives a destination (start address) and a length, derives the start and end of the load from them, and compares those against the permitted ranges. Specifically, it requires that the start address is not greater than the end of the allowed range minus the length, rejecting the load when "dst > dram_end - len". It does not, however, handle the case where the length is larger than the end of the allowed range. In that case the subtraction wraps to a very large value (the operands are unsigned), and the check passes even though it should fail.
The only limit on the length parameter is that it must not exceed the image_max_size variable, which for the Linux image, for example, is very large (0xFFFB000000; because it is cast into a uint32 variable it is capped at uint32_max). That is enough to wrap both upper limits being checked: prot_end = 0x47E00000 and dram_end = 0xC0000000.
The only limits on the destination (start address) parameter are that it lies after dram_start (0x40000000) and not inside the SDRAM protected area; the load may begin one byte before the protected area and, with a wrapped length, extend into it.
Preconditions
The ability to write to the flash area used by the bootloader.
Threat
An attacker can bypass the memory range restriction and write data to an arbitrary memory address, which could result in bypass of secure boot.
Recommendations
Add underflow checks for the calculations: reject the length before subtracting it from any limit, for example by requiring that len does not exceed the room between dst and the end of the allowed range, so that no unsigned subtraction can wrap.
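As an added illustration of the description and the recommendation above (this is not code from the advisory, from Renesas, or from the TF-A sources), the model below reproduces the shape of the check as described, with the length subtracted from each limit on 64-bit unsigned values, next to a hardened form that bounds dst first and then tests len against the remaining room. dram_start, dram_end and prot_end are the values quoted in the advisory; prot_start is an assumed placeholder, since the advisory does not state it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Range limits quoted in the advisory (64-bit unsigned, as on an AArch64 boot stage). */
#define DRAM_START 0x40000000ULL
#define DRAM_END   0xC0000000ULL
#define PROT_END   0x47E00000ULL
/* Assumed value: the advisory quotes prot_end only, so the start of the
 * protected window is a placeholder chosen for this illustration. */
#define PROT_START 0x43F00000ULL

/* Shape of the range check as the advisory describes it: each limit has the
 * length subtracted from it before the comparison, and that subtraction wraps
 * when len exceeds the limit. Returns true when the load would be allowed. */
bool check_load_area_as_described(uint64_t dst, uint64_t len)
{
    if (dst < DRAM_START || dst > DRAM_END - len)      /* wraps if len > DRAM_END */
        return false;
    if (dst >= PROT_START && dst <= PROT_END)          /* start inside protected area */
        return false;
    if (dst < PROT_START && dst > PROT_START - len)    /* wraps if len > PROT_START */
        return false;
    return true;
}

/* Hardened form: never subtract len from a limit. Bound dst first, then test
 * len against the room that remains, so dst + len cannot overflow either. */
bool check_load_area_hardened(uint64_t dst, uint64_t len)
{
    if (dst < DRAM_START || dst > DRAM_END || len > DRAM_END - dst)
        return false;
    uint64_t end = dst + len;                          /* <= DRAM_END, no overflow */
    /* [dst, end) must not intersect the protected window [PROT_START, PROT_END). */
    if (dst < PROT_END && end > PROT_START)
        return false;
    return true;
}

int main(void)
{
    /* Constructed inputs: the last two use the uint32_max length the advisory
     * names, which wraps both subtractions in the described check. */
    struct { uint64_t dst, len; const char *what; } cases[] = {
        { 0x48000000ULL,   0x1000ULL,     "ordinary load above the protected area" },
        { 0xBFFFF000ULL,   0x2000ULL,     "small load that runs past dram_end" },
        { PROT_START - 1,  0x100ULL,      "one byte before prot_start, small length" },
        { 0x80000000ULL,   0xFFFFFFFFULL, "uint32_max length: dram_end - len wraps" },
        { PROT_START - 1,  0xFFFFFFFFULL, "one byte before prot_start, wrapped length" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-46s described=%d hardened=%d\n", cases[i].what,
               check_load_area_as_described(cases[i].dst, cases[i].len),
               check_load_area_hardened(cases[i].dst, cases[i].len));
    }
    return 0;
}
```

With a small length the described check correctly rejects a load that overruns dram_end or the protected window; with len = 0xFFFFFFFF both "dram_end - len" and "prot_start - len" wrap to values above any plausible dst, so the described check accepts loads it should refuse, while the hardened form rejects them because len exceeds the room between dst and dram_end.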
Attack Rating
Expertise: Expert
Access: Moderate
Time: Days
Equipment: Specialized
Knowledge: Public
CWE: 191
Affected Technology: program code execution
Affected Security Goal: ECU integrity
Advisory Details
- CVE ID: CVE-2024-6285
- Affected Products: Renesas rcar_gen3_v2.5
- Problem Type: CWE-191 Integer Underflow (Wrap or Wraparound)
- CAPEC ID: CAPEC-578 Disable Security Software
- Published: Jun 24, 2024