POSTED BY: George Poulios / 21.10.2020

Microchip ASF4 integer overflows in flash_read, flash_write and flash_append

CENSUS ID: CENSUS-2020-0005
CVE ID: CVE-2019-16127
Affected Products: ASF4 as distributed through start.atmel.com (last accessed 2020-10-21)
Class: Integer Overflow or Wraparound (CWE-190)
Discovered by: George Poulios

CENSUS identified several integer overflow problems in the flash_read, flash_write and flash_append functions of the Microchip ASF4 framework. This framework is used during firmware development for Atmel (now Microchip) microcontrollers. An adversary may abuse these issues to gain unauthorized read or write access to arbitrary pages of the flash storage, especially pages mapped at low memory addresses. As no patch is available from the vendor, CENSUS urges developers to implement a check for integer overflows in the relevant code.

Vulnerability Details

During the security assessment of an embedded device bearing the Microchip ATSAMD51J20A microcontroller unit, CENSUS identified that the flash storage manipulation functions of the microcontroller firmware were susceptible to integer overflow attacks. These functions were supplied by the Atmel (now Microchip) ASF4 framework.

A sanity check for the resulting address on which to perform a flash_read, flash_write or flash_append operation (as seen in the ASF4 framework's "hal/src/hal_flash.c" file) fails to take into account an integer overflow that may occur due to an attacker's ability to control the "length" function argument.

int32_t flash_read(struct flash_descriptor *flash, uint32_t src_addr, uint8_t *buffer, uint32_t length)
{
        ASSERT(flash && buffer && length);

        uint32_t page_size   = _flash_get_page_size(&flash->dev);
        uint32_t total_pages = _flash_get_total_pages(&flash->dev);

        /* Check if the address is valid */
102:        if ((src_addr > page_size * total_pages) || (src_addr + length > page_size * total_pages)) {
                return ERR_BAD_ADDRESS;
        }

        _flash_read(&flash->dev, src_addr, buffer, length);

        return ERR_NONE;
}

The example above illustrates this problem in the flash_read function.

In line 102 the "src_addr + length" addition may wrap around, so the range check is bypassed and the subsequent _flash_read operation may read bytes from low addresses. The software using the library may have otherwise protected this memory region from being exposed to users, but due to the above bug in the library its contents may be disclosed.

The same issue was also found to be present in the flash_write and flash_append functions of the ASF4 framework (which may allow adversaries to modify data in flash memory beyond the firmware's control). Please note that all three functions affected are part of a Hardware Abstraction Layer (HAL) and may thus be bundled with the firmware of a wide variety of devices, carrying different flash memory hardware.

Recommendation

The ASF4 framework is distributed through the start.atmel.com "configurator" web platform. As of this writing (2020-10-21) the vendor has not shipped a fix for the aforementioned vulnerabilities through this platform. CENSUS recommends that firmware developers develop a "local" patch for the time being, checking whether an integer overflow occurs in the reported functions.
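The following is an added example written for this advisory; it is not ASF4 code and not a vendor patch. It reproduces the structure of the line 102 range check beside a hardened form of the kind of "local" patch recommended above, using a constructed flash geometry (512-byte pages, 2048 pages) in place of the _flash_get_page_size and _flash_get_total_pages device queries. The hardened check compares the length against the space remaining after src_addr instead of computing src_addr + length, so no intermediate sum can wrap around uint32_t.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed geometry standing in for the ASF4 device queries (assumption). */
#define EXAMPLE_PAGE_SIZE   512u
#define EXAMPLE_TOTAL_PAGES 2048u   /* 512 * 2048 = 1 MiB of flash */

/* Same structure as the check on line 102 of hal_flash.c:
 * "src_addr + length" is a uint32_t addition and can wrap to a small value. */
bool range_check_vulnerable(uint32_t src_addr, uint32_t length,
                            uint32_t page_size, uint32_t total_pages)
{
    uint32_t flash_size = page_size * total_pages;
    if ((src_addr > flash_size) || (src_addr + length > flash_size)) {
        return false;   /* would return ERR_BAD_ADDRESS */
    }
    return true;        /* would proceed to _flash_read/_flash_write */
}

/* Hypothetical hardened check: reject an empty request and a start address
 * at or past the end, then bound the length by the remaining space. The
 * subtraction cannot underflow because src_addr < flash_size is established
 * first, and no addition is performed at all. */
bool range_check_hardened(uint32_t src_addr, uint32_t length,
                          uint32_t page_size, uint32_t total_pages)
{
    uint32_t flash_size = page_size * total_pages;
    if (length == 0 || src_addr >= flash_size) {
        return false;
    }
    if (length > flash_size - src_addr) {
        return false;
    }
    return true;
}

/* True when src_addr + length does not fit in 32 bits, i.e. the request the
 * original check mishandles. Useful as a one-line local patch on its own. */
bool request_wraps(uint32_t src_addr, uint32_t length)
{
    return length > UINT32_MAX - src_addr;
}

/* Stand-alone demonstration over a few constructed requests. */
int main(void)
{
    struct { uint32_t addr, len; const char *what; } cases[] = {
        { 0x1000u,  0x100u,      "in-bounds read"            },
        { 0xFFF00u, 0x100u,      "read ending exactly at end" },
        { 0xFFF00u, 0x200u,      "read running past the end" },
        { 0x800u,   0xFFFFFFF0u, "length that wraps the sum" },
    };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-28s vulnerable=%d hardened=%d wraps=%d\n", cases[i].what,
               range_check_vulnerable(cases[i].addr, cases[i].len,
                                      EXAMPLE_PAGE_SIZE, EXAMPLE_TOTAL_PAGES),
               range_check_hardened(cases[i].addr, cases[i].len,
                                    EXAMPLE_PAGE_SIZE, EXAMPLE_TOTAL_PAGES),
               request_wraps(cases[i].addr, cases[i].len));
    }
    return 0;
}
```

The two checks agree on every request whose sum fits in 32 bits; they differ only on the wrapping request, which the original structure accepts and the hardened form rejects. On a target where page_size * total_pages itself could approach 2^32, the multiplication should be widened to 64 bits or checked the same way.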

Disclosure Timeline

CVE Allocation: September 9, 2019
Vendor Contact: September 11, 2019
Vendor Confirmation: None
Vendor Fix Released: None
Public Advisory: October 21, 2020