VYPR
Unrated severity · NVD Advisory · Published May 3, 2022 · Updated Apr 16, 2025

ARM mbed Integer Overflow or Wraparound

CVE-2021-27435

Description

ARM mbed version 6.3.0 is vulnerable to an integer wrap-around in the malloc_wrapper function, which can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or remote code injection/execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ARM mbed OS 6.3.0 has an integer wrap-around in the malloc_wrapper function that can lead to arbitrary memory allocation, crash, or remote code execution.

Vulnerability

ARM mbed OS version 6.3.0 is vulnerable to an integer wrap-around (unsigned integer overflow) in the malloc_wrapper function. The wrapper adds the size of its internal alloc_info_t header to the caller's requested size; when that sum exceeds the maximum value representable by a size_t, the addition wraps around to a small value. The allocation then succeeds but is far smaller than the caller asked for, which can result in a buffer overflow or other memory corruption when the buffer is used [1].

Exploitation

An attacker can trigger this vulnerability by passing a crafted size value to malloc_wrapper that, when added to sizeof(alloc_info_t), wraps around to a small positive value. No authentication or special network position is required if an attacker can control allocation sizes through other exposed interfaces (e.g., by supplying large input lengths). The attacker would need to interact with the system in a way that causes the vulnerable code path to be reached.

Impact

Successful exploitation could lead to arbitrary memory allocation, unexpected behavior such as a crash (denial of service), or potentially remote code injection/execution depending on how the allocated memory is used. The attacker might be able to corrupt adjacent heap metadata or data, leading to further compromise [1].

Mitigation

The fix is provided in Pull Request #14408 on the mbed-os GitHub repository, which adds an explicit integer overflow check before performing the size calculation [1]. Users should update to a version of ARM mbed OS that includes this fix. As of the publication date (2022-05-03), this CVE was not indicated as listed in the CISA KEV catalog, and the patch was available in the repository. If updating is not possible, review and sanitize all sizes passed to memory allocation functions.
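To make the wrap-around in the Vulnerability section and the pre-computation check in the Mitigation section concrete, the following is an added C example written for this page; it is not mbed OS code, and the layout of alloc_info_t (a single size_t field) and the function names are assumptions, since the page names the type but not its definition.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the allocator's per-block header. The page
 * names alloc_info_t but not its fields, so this layout is an assumption. */
typedef struct {
    size_t size; /* payload size recorded for the block */
} alloc_info_t;

/* Vulnerable pattern: header size is added with no check, so a requested
 * size near SIZE_MAX wraps to a small total (unsigned wrap, no UB). */
size_t unchecked_total(size_t requested) {
    return requested + sizeof(alloc_info_t);
}

/* Hardened pattern: reject any request that cannot fit beside the header.
 * Returns 0 on wrap-around; a legitimate total is always >= sizeof header. */
size_t checked_total(size_t requested) {
    if (requested > SIZE_MAX - sizeof(alloc_info_t)) {
        return 0; /* requested + header would exceed SIZE_MAX */
    }
    return requested + sizeof(alloc_info_t);
}

/* Allocation wrapper built on the checked computation. Returns NULL when
 * the size would wrap instead of handing back an undersized block. */
void *safe_malloc_wrapper(size_t requested) {
    size_t total = checked_total(requested);
    if (total == 0) {
        return NULL;
    }
    alloc_info_t *info = malloc(total);
    if (info == NULL) {
        return NULL;
    }
    info->size = requested;
    return info + 1; /* caller's buffer follows the header */
}

/* Allocate, fill every byte, read the recorded size back, free. Returns
 * true when the block is usable end to end; used to show the safe path. */
bool roundtrip_ok(size_t requested) {
    unsigned char *buf = safe_malloc_wrapper(requested);
    if (buf == NULL) return false;
    memset(buf, 0xA5, requested);
    alloc_info_t *info = (alloc_info_t *)buf - 1;
    bool ok = (info->size == requested);
    free(info);
    return ok;
}
```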

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Arm Mbed OS, version 6.3.0 (no CPE assigned)

Patches


No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References


News mentions


No linked articles in our index yet.