
MCUBoot Serial Recovery Stack Buffer Overflow Vulnerability #2623

@michaelthomasj

Description


Issue

MCUBoot's serial recovery image upload handler (bs_upload in boot/boot_serial/src/boot_serial.c) contains a stack buffer overflow vulnerability when the target flash program alignment (flash_area_align(fap)) exceeds BOOT_MAX_ALIGN (8 bytes).

The handler uses a fixed 8-byte stack buffer (uint8_t wbs_aligned[BOOT_MAX_ALIGN]) to pad the final unaligned chunk during image uploads, but the copy and write lengths are derived from the device's alignment without any bounds check against that buffer. When flash_area_align(fap) > 8, this causes:

  • Stack buffer overflow: memcpy(wbs_aligned, img_data, rem_bytes) copies rem_bytes (which can be > 8) into the 8-byte buffer
  • Integer underflow in memset: memset(wbs_aligned + rem_bytes, ..., sizeof(wbs_aligned) - rem_bytes) underflows when rem_bytes > 8, so the size_t length wraps and a very large region of the stack is overwritten
  • Out-of-bounds read: flash_area_write(..., wbs_aligned, flash_area_align(fap)) reads beyond the 8-byte buffer
  • Potential for arbitrary code execution or device crash depending on platform/toolchain protections

This vulnerability affects platforms where flash_area_align() returns values > 8, including:

  • mbed OS ports (returns block device program size, often > 8)
  • Cypress PSoC6 ports (returns CY_FLASH_SIZEOF_ROW, commonly 512 bytes)

The vulnerability is triggered when an attacker with access to the serial recovery interface uploads an image whose final chunk size produces a remainder > 8 bytes when divided by the flash alignment.

Workaround

Three approaches are available to address this vulnerability:

  1. Apply a code fix to bs_upload() by adding validation and proper buffer sizing:
   size_t align = flash_area_align(fap);
   if (align > BOOT_MAX_ALIGN) {
       // Either reject the upload or allocate a properly sized buffer
       return MGMT_ERR_EINVAL;
   }

And ensure rem_bytes <= align before copying to the tail buffer.

  2. Disable serial recovery.

  3. Restrict physical/logical access to the serial recovery interface.

Further hardening that would be more time consuming because it requires more code changes:

  • Replace fixed-size tail buffers with alignment-sized buffers
  • Add compile-time assertions tying BOOT_MAX_ALIGN to maximum possible flash_area_align() for the target
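As an added worked example (not code from this issue or from MCUboot itself), the following C model of the tail handling shows the audit predicate implied by the description (a chunk whose remainder modulo the flash alignment exceeds BOOT_MAX_ALIGN) alongside a tail write that carries the two checks the workaround asks for. flash_area_align(), flash_area_write(), the flash_area struct and the mcumgr error codes are replaced by constructed stand-ins; the 0xff pad value and the exact shape of the fix are assumptions, not the upstream patch.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

#define BOOT_MAX_ALIGN   8      /* stack buffer size named in the report */
#define MGMT_ERR_EOK     0      /* constructed return codes for this example */
#define MGMT_ERR_EINVAL  3

/* Constructed stand-in for a flash_area: what flash_area_align() would report,
 * plus a RAM buffer that simulates the partition flash_area_write() programs. */
struct fake_flash_area {
    size_t   align;
    uint8_t *mem;
    size_t   cap;
};

static size_t fake_flash_area_align(const struct fake_flash_area *fap)
{
    return fap->align;
}

/* Audit predicate from the description: would a chunk of chunk_len bytes leave a
 * tail that the 8-byte wbs_aligned buffer cannot hold on a device with this alignment? */
static bool tail_overflows(size_t chunk_len, size_t align)
{
    if (align == 0) {
        return true;                      /* a zero alignment is invalid as well */
    }
    return (chunk_len % align) > BOOT_MAX_ALIGN;
}

/* Tail handling with the two checks the workaround asks for (assumed shape of a
 * fix): refuse alignments the stack buffer cannot pad to, and never copy more
 * than sizeof(wbs_aligned). Programs the aligned prefix and the padded tail into
 * the simulated flash at 'off'. Returns MGMT_ERR_EOK or MGMT_ERR_EINVAL. */
static int write_tail_checked(struct fake_flash_area *fap, size_t off,
                              const uint8_t *img_data, size_t chunk_len)
{
    uint8_t wbs_aligned[BOOT_MAX_ALIGN];
    size_t align = fake_flash_area_align(fap);

    if (align == 0 || align > BOOT_MAX_ALIGN) {
        return MGMT_ERR_EINVAL;           /* check 1: buffer cannot pad to this alignment */
    }

    size_t rem_bytes   = chunk_len % align;
    size_t aligned_len = chunk_len - rem_bytes;

    if (rem_bytes > sizeof(wbs_aligned)) {
        return MGMT_ERR_EINVAL;           /* check 2: unreachable after check 1, kept as a guard */
    }
    if (off + aligned_len + (rem_bytes ? align : 0) > fap->cap) {
        return MGMT_ERR_EINVAL;           /* would run past the simulated partition */
    }

    memcpy(fap->mem + off, img_data, aligned_len);   /* aligned prefix, stands in for flash_area_write() */
    if (rem_bytes == 0) {
        return MGMT_ERR_EOK;              /* chunk already aligned: nothing to pad */
    }

    /* Both lengths are now bounded by BOOT_MAX_ALIGN, so neither call can overrun. */
    memcpy(wbs_aligned, img_data + aligned_len, rem_bytes);
    memset(wbs_aligned + rem_bytes, 0xff, sizeof(wbs_aligned) - rem_bytes);  /* 0xff: assumed erased value */
    memcpy(fap->mem + off + aligned_len, wbs_aligned, align);
    return MGMT_ERR_EOK;
}

/* Constructed scenario 1: a PSoC6-style 512-byte row alignment with a 600-byte
 * chunk (600 % 512 = 88 > 8, the case the report describes) must be refused. */
static int scenario_reject_large_align(void)
{
    static uint8_t flash[1024];
    struct fake_flash_area fap = { .align = 512, .mem = flash, .cap = sizeof(flash) };
    uint8_t img[600];
    memset(img, 0xA5, sizeof(img));
    return write_tail_checked(&fap, 0, img, sizeof(img));
}

/* Constructed scenario 2: 8-byte alignment with a 13-byte chunk pads 5 data
 * bytes to one 8-byte write. Returns the byte at the first padding position
 * (expected 0xff), or a negative code if the data or the untouched region is wrong. */
static int scenario_pad_small_tail(void)
{
    static uint8_t flash[64];
    memset(flash, 0, sizeof(flash));
    struct fake_flash_area fap = { .align = 8, .mem = flash, .cap = sizeof(flash) };
    uint8_t img[13];
    for (size_t i = 0; i < sizeof(img); i++) {
        img[i] = (uint8_t)i;
    }
    if (write_tail_checked(&fap, 0, img, sizeof(img)) != MGMT_ERR_EOK) {
        return -1;
    }
    if (flash[12] != 12 || flash[16] != 0) {   /* bytes 0..12 data, 13..15 pad, 16+ untouched */
        return -2;
    }
    return flash[13];
}
```

tail_overflows() is the condition an integrator can evaluate for each port's flash_area_align() value to decide whether the fixed-size tail buffer is safe at all; write_tail_checked() shows that once alignment is bounded by BOOT_MAX_ALIGN, the memcpy/memset lengths are bounded too, so the compile-time assertion suggested above is the cheapest way to make the second check redundant.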

Acknowledgement

Renesas would like to thank SecMate for responsibly reporting this vulnerability.
