Security vulnerabilities and automated fixes for firmware security issues
5 posts found
A subtle but dangerous integer overflow vulnerability was discovered in `lib/rpmi_shmem.c`, where bounds checks on shared memory operations could be silently bypassed due to 32-bit arithmetic overflow. By carefully crafting `offset` and `len` values, an OS-level or hypervisor-level caller could direct firmware writes to arbitrary memory addresses — including interrupt vector tables and security-critical configuration structures. The fix was elegantly simple: casting operands to 64-bit before add
A critical buffer overflow vulnerability was discovered in the RC device request parser (`rcdevice.c`), where incoming packet data was written to a fixed-size buffer using an attacker-controlled length field as the only guard. Because the expected data length was parsed directly from the packet without being validated against the actual allocated buffer size, a malicious packet could overflow the buffer and overwrite adjacent stack or heap memory with arbitrary bytes. The fix adds a single, esse
A critical buffer overflow vulnerability was discovered in `serial.c`, where the `rs232_buffered_input` function could write more bytes than the destination buffer `rs232_ibuff` could hold — with no size limit to stop it. An attacker with access to the RS-232 serial port could exploit this to overwrite adjacent OS memory, including return addresses and critical data structures. The fix adds a simple but essential bounds check that clamps the returned byte count to the actual buffer size.
A critical vulnerability in an embedded HTTP server allowed any unauthenticated attacker to upload and flash arbitrary firmware images to a network switch — no credentials required. Because malicious firmware survives reboots and factory resets, a successful attack could permanently compromise an entire fleet of devices with backdoors or rootkits. The fix adds an authentication gate and corrects dangerous CRC-check logic that would reset the device even on a failed checksum.
A critical heap buffer overflow vulnerability was discovered and patched in firmware audio processing code, where a missing bounds validation before a `memcpy` operation could allow attackers to overflow a heap-allocated audio buffer and overwrite adjacent memory. This type of vulnerability is particularly dangerous in embedded firmware because it can lead to arbitrary code execution, system crashes, or complete device compromise. The fix adds proper bounds checking before the copy operation, en