[SECURITY] DoS via Invalid Memory Access in cFS CS Application

[k-spacesec]

1. Describe the bug

A Denial of Service (DoS) vulnerability exists in the Checksum (CS) application of the NASA core Flight System (cFS). The issue stems from insufficient memory address validation in the CS_OneShotCmd() function.

While the application uses CFE_PSP_MemValidateRange() to check user-supplied addresses, this function may return CFE_SUCCESS for non-existent or invalid memory regions depending on the PSP implementation. Consequently, the child task CS_OneShotChildTask() attempts to calculate a CRC on an invalid pointer, leading to a Segmentation Fault and the abnormal termination of the CS application.

2. System observed on

Hardware: x86_64 / ARM (Generic)
OS: Linux
Versions: cFE (core Flight Executive) & CS Application (Latest versions)
Component: Checksum (CS) Application

3. Vulnerability Analysis

3.1. Technical Details

The vulnerability occurs during the processing of a "OneShot" checksum command.

1. Inadequate Validation: In CS_OneShotCmd(), the payload address and size are validated using CFE_PSP_MemValidateRange(). In many environments, this function lacks strict boundary checks for the entire physical/virtual memory map.

2. Pointer Dereference in Child Task: The validated (but actually invalid) address is stored in CS_AppData.HkPacket.Payload.LastOneShotAddress and passed to the child task.
3. The Crash: Inside CS_OneShotChildTask(), the function calls CFE_ES_CalculateCRC() with the unverified address. When CFE_ES_CalculateCRC() attempts to read from this memory location, the system triggers a segmentation fault.

3.2. Code Snippets

Location: CS_OneShotCmd()

void CS_OneShotCmd(const CS_OneShotCmd_t *CmdPtr)
{
    CFE_Status_t Status;
    /* Insufficient validation: returns CFE_SUCCESS for some invalid addresses */
    Status = CFE_PSP_MemValidateRange(CmdPtr->Payload.Address, CmdPtr->Payload.Size, CFE_PSP_MEM_ANY);

    if (Status == CFE_SUCCESS) {
        /* Proceed to spawn child task with invalid Address */
    }
}

Location: CS_OneShotChildTask()

void CS_OneShotChildTask(void)
{
    cpuaddr FirstAddrThisCycle = CS_AppData.HkPacket.Payload.LastOneShotAddress;
    
    // ...
    /* CRASH: Direct memory access to invalid FirstAddrThisCycle */
    NewChecksumValue = CFE_ES_CalculateCRC((void *)(FirstAddrThisCycle), 
                                           NumBytesThisCycle, 
                                           NewChecksumValue,
                                           CS_DEFAULT_ALGORITHM);
    // ...
}

4. To Reproduce (PoC)

1. Preparation: Deploy the cFS framework with the CS application enabled.
2. Craft Packet: Create a CS_OneShotCmd ground command packet.
3. Inject Payload: Set the Address field to a known non-mapped memory address (e.g., 0xDEADBEEF) and a valid Size (e.g., 100).
4. Send Command: Dispatch the command to the cFS software bus.
5. Observe: The CS child task will trigger a Segmentation Fault, causing the CS application to crash or the OS to terminate the process.

5. Expected behavior

The CS_OneShotCmd() should perform a more rigorous check against the actual available memory map. If an address is outside the permitted operational memory range, the command should be rejected with an error telemetry packet, and no child task should be spawned.

6. Mitigation & Recommendations

• Enhanced PSP Validation: Strengthen the logic within CFE_PSP_MemValidateRange() to strictly adhere to the specific hardware's memory map.
• Application-Level Bounds Checking: Implement a secondary check within the CS application that compares the requested address against a "Safe Memory Table" defined for the specific mission.
• Error Handling: Implement robust exception handling or memory access guards (if supported by the OSAL/PSP) within the CRC calculation loop to prevent a full application crash.

Reporter Info
Space Cybersecurity Council

[Shrey-N]

Proposed Fix

I have reproduced this DoS vulnerability locally in a Linux environment.

• Operating System: Ubuntu 22.04 LTS (x86_64)
• Framework: NASA core Flight System (cFS) / cFE (Latest Release)
• Target Platform: pc-linux
• Toolchain: Native gcc (version 11.4.0)

Mechanism:-

Bypass: The pc-linux implementation of CFE_PSP_MemValidateRange() frequently returns CFE_SUCCESS for user space addresses because it lacks a strict hardware backed memory map.
Trigger: Sending a CS_OneShotCmd with an unmapped address bypasses the initial PSP check.
Result: The child task attempts to dereference the pointer via CFE_ES_CalculateCRC(), resulting in a SIGSEGV which terminates the entire application.

My Analysis:

The issue is a "Defense in Depth" failure. The current implementation of CS_OneShotCmd relies exclusively on CFE_PSP_MemValidateRange. On many platforms, this check is not strict enough to guarantee that an address is actually mapped or safe to read. This allows unmapped addresses to be passed into the CS_OneShotChildTask.

When the child task calls CFE_ES_CalculateCRC, it attempts to dereference the invalid pointer, triggering a SIGSEGV and causing an abnormal termination of the CS application.

I have am implementing a fix that would introduce a secondary, application level validation layer before any child task is spawned:

1. Utility: Creats CS_VerifyAddressRange to validate requested memory ranges against the application's own configuration. This includes the cFE Core text segment, the OS text segment, and any entries already registered in the active Memory or EEPROM tables.
2. OneShot Flow: Modifying CS_OneShotCmd in cs_cmds.c to perform this secondary check. If the requested range falls outside permitted operational regions, the command is rejected, a new event ID (CS_ONESHOT_MEMRANGE_ERR_EID) is issued, and the command error counter is incremented.
3. Prevention: By catching the invalid address in the main task, we can prevent the creation of the child task and avoid the prohibited memory access entirely.

I am finalizing the tests for this logic and will submit a Pull Request shortly @k-spacesec.