Earlier this year the Microsoft IoT Security research group discovered a series of memory allocation vulnerabilities in various IoT software including Mbed OS.

Arm believes that security is fundamental to IoT and we work across the industry to promote security standards like the Platform Security Architecture. When we are notified of any security vulnerabilities, we take them very seriously and quickly concentrate efforts on providing fixes as swiftly as we can.

In this instance, we issued a patch to our Mbed partners that allowed them to provide this to any customers who were impacted, and we released the patch in both Mbed OS 5.15.7 and 6.9.

Microsoft have now publicly disclosed the vulnerability and as part of our commitment to IoT security, we publish the details of it and the changes made to Mbed to address it.

We'd like to thank Lingkai Dong, Senior Software Engineer in the Mbed team, who has done a superb job of addressing this issue and who wrote the detailed explanation below.

Vulnerability

Mbed OS has a heap statistics feature which is enabled by setting “platform.heap-stats-enabled”: true in an application or library’s configuration JSON, or defining the macro MBED_HEAP_STATS_ENABLED=1. To support this feature, Mbed OS overrides the default dynamic allocation function, void *malloc(size_t size). When heap statistics are enabled, dynamic allocations have an extra sizeof(alloc_info_t) added to the requested size, in order to keep track of the size and signature of the current allocation.

However, if size + sizeof(alloc_info_t) exceeds the maximum value representable by size_t, an integer overflow occurs and only a small amount of the requested memory is allocated from the heap. The allocation appears successful to the caller because malloc returns the pointer to the incorrectly-sized buffer. When the caller goes on to use the buffer as if it is rightly sized, memory outside the allocated range can be accessed.

Impact

This vulnerability impacts any single allocation which size is very close to the maximum size_t. Multiple small allocations are not affected. If any dynamic allocation size depends on any run-time inputs that are not size-checked, an attacker may be able to trigger this vulnerability to access data outside the allocated memory. If the memory is only visible to the system itself, the attack may still trigger a crash or malfunction when an incorrect region of memory is accessed. If all dynamic allocations are either fixed in size or variable sized but (by code logic) never close to the maximum size_t, the system is safe from this vulnerability.

Resolution

Affected users should upgrade to one of the most recent Mbed OS versions, including version 6.9, 5.15.7 or newer. They contain the following fixes:

• Mbed OS 6.9 https://github.com/ARMmbed/mbed-os/pull/14407
• Mbed OS 5.15.7 https://github.com/ARMmbed/mbed-os/pull/14408

In cases where updating Mbed OS is not possible, we recommend back-porting the fix to your local version of Mbed OS, or performing size checks before dynamic allocations whose sizes depend on external inputs.