Integer Overflow in memory allocating functions

Moderate
d3zd3z published GHSA-94vp-8gc2-rm45 Apr 26, 2021

Package

zephyr (west)

Affected versions

1.14.2, 2.4.0

Patched versions

None

Description

Impact

  • Zephyr offers a pre-built 'malloc' wrapper function instead.
  • The 'malloc' function is a wrapper for the 'sys_mem_pool_alloc' function.
  • sys_mem_pool_alloc allocates 'size + WB_UP(sizeof(struct sys_mem_pool_block))' in an unsafe manner.
  • Asking for very large size values leads to an internal integer wrap-around.
  • The integer wrap-around leads to a successful allocation of a very small amount of memory.
  • For example: calling malloc(0xffffffff) leads to a successful allocation of 7 bytes.
  • That leads to a heap overflow.
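
The wrap-around described above, modelled next to an overflow-checked form of the same addition. This is an added example, not Zephyr source and not the project's patch; BLOCK_HDR_SIZE (8 bytes, the value consistent with the 7-byte figure above on a 32-bit target) and both function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: stands in for WB_UP(sizeof(struct sys_mem_pool_block))
 * on a 32-bit target; 8 matches the advisory's 7-byte result. */
#define BLOCK_HDR_SIZE 8u

/* Unchecked pattern: request size plus header in 32-bit arithmetic.
 * uint32_t models a 32-bit size_t so the result is the same on any host. */
static uint32_t unchecked_total(uint32_t size)
{
    return size + BLOCK_HDR_SIZE; /* wraps modulo 2^32 */
}

/* Checked form: reject the request when the sum is not representable,
 * so the allocator never sees a silently shrunken size. */
static bool checked_total(uint32_t size, uint32_t *total)
{
    if (size > UINT32_MAX - BLOCK_HDR_SIZE) {
        return false;
    }
    *total = size + BLOCK_HDR_SIZE;
    return true;
}

int main(void)
{
    /* Constructed inputs: an ordinary size, the largest accepted size,
     * the smallest rejected size, and the advisory's 0xffffffff. */
    const uint32_t requests[] = { 64u, 0xfffffff7u, 0xfffffff8u, 0xffffffffu };

    for (size_t i = 0; i < sizeof(requests) / sizeof(requests[0]); i++) {
        uint32_t total = 0;
        bool ok = checked_total(requests[i], &total);

        printf("request 0x%08x: unchecked asks pool for %u bytes, checked %s\n",
               (unsigned)requests[i], (unsigned)unchecked_total(requests[i]),
               ok ? "accepts" : "rejects");
    }
    return 0;
}
```

The caller of the unchecked path still believes it owns the full requested size while the pool handed out only the wrapped total, which is the mismatch behind the heap overflow in the last bullet.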

Patches

This has been fixed in:

For more information

If you have any questions or comments about this advisory:

embargo: 2020-03-23
zepsec: ZEPSEC-111

Severity

Moderate

CVE ID

CVE-2020-13603

Weaknesses