Security vulnerabilities and automated fixes for bounds checking issues
3 posts found
A subtle but dangerous integer overflow vulnerability was discovered in `lib/rpmi_shmem.c`, where bounds checks on shared memory operations could be silently bypassed due to 32-bit arithmetic overflow. By carefully crafting `offset` and `len` values, an OS-level or hypervisor-level caller could direct firmware writes to arbitrary memory addresses — including interrupt vector tables and security-critical configuration structures. The fix was elegantly simple: casting operands to 64-bit before add
A high-severity out-of-bounds access vulnerability was discovered and patched in the `py32ioexp` Linux GPIO expander driver. The `py32io_gpio_direction_input()` function failed to validate a user-supplied pin offset against the chip's declared GPIO count, opening the door to memory corruption via the GPIO character device interface. A two-line bounds check now closes the vulnerability cleanly and efficiently.
A medium-severity vulnerability in `src/ddma.c` allowed a malicious guest OS to program DMA controllers with unconstrained transfer sizes and addresses, potentially enabling guest-to-host memory access in an emulated environment. The fix introduces strict bounds validation to ensure all DMA transfers stay within allocated memory regions, closing a dangerous path to host memory disclosure and corruption.