A Release of Invalid Pointer or Reference vulnerability was discovered in the fs/inode/fs_inoderemove code of the Apache NuttX RTOS. It allowed removal of the root filesystem inode, leading to a debug assert trigger (disabled by default), a NULL pointer dereference (handled differently depending on the target architecture), or, in general, a Denial of Service. This issue affects Apache NuttX RTOS from 10.0.0 before 12.10.0. Users of filesystem-based services with write access that are exposed over the network (e.g. FTP) are affected and are recommended to upgrade to version 12.10.0, which fixes the issue.
Apache NuttX RTOS is vulnerable to a Denial of Service (DoS) attack due to an invalid pointer dereference within its filesystem inode removal code. This vulnerability, triggered by crafted filesystem operations, can lead to system instability and potentially complete system failure for devices running vulnerable versions. Users with write access to filesystem-based services, especially those exposed over a network like FTP, are at the highest risk.
Step 1: Trigger Condition: A user with write access to a filesystem-based service (e.g., FTP) initiates a specific sequence of filesystem operations designed to exploit the vulnerability. This sequence likely involves creating, accessing, and then attempting to remove an inode under specific, potentially race-condition-inducing circumstances.
Step 2: Vulnerability Trigger: The crafted filesystem operation sequence triggers the fs_inoderemove function with the problematic inode.
Step 3: Pointer Dereference: The fs_inoderemove function, due to the logic flaw, releases an invalid pointer or reference.
Step 4: Memory Corruption: Subsequent code attempts to access the freed memory region, leading to a NULL pointer dereference or access to an invalid memory location.
Step 5: Denial of Service: The invalid memory access causes a system crash or other unexpected behavior, resulting in a Denial of Service (DoS).
The vulnerability lies within the fs_inoderemove function of the Apache NuttX RTOS. The root cause is a release of an invalid pointer or reference during the inode removal process. Specifically, the code fails to properly validate a pointer after a filesystem operation, potentially leading to a use-after-free scenario. This can occur when removing an inode under specific conditions, such as when the inode is still in use or when there are inconsistencies in the filesystem metadata. The subsequent access to the freed memory region results in a NULL pointer dereference or an attempt to access an invalid memory location, causing a crash or unexpected behavior. The debug assert, if enabled, would trigger first, but the default configuration disables this, leading directly to the memory corruption and DoS. The impact varies depending on the target architecture, potentially leading to different crash behaviors.
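As an added illustration of the guards such a removal path needs (constructed here, not NuttX's fs/inode code; the struct layout, `g_root`, `inode_add` and `inode_remove` names are assumptions), a minimal inode tree whose removal routine refuses the root inode and any still-referenced node, and unlinks the node from its parent before freeing it:

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not NuttX's fs/inode code: a minimal inode tree
 * with the checks a removal routine needs before it releases a node. */
struct inode {
  struct inode *parent, *child, *peer;  /* parent, first child, next sibling */
  int refs;                             /* open references held by callers */
  char name[16];
};
static struct inode g_root = { .name = "/" };

struct inode *inode_add(struct inode *parent, const char *name) {
  struct inode *n = calloc(1, sizeof *n);
  if (n == NULL) return NULL;
  strncpy(n->name, name, sizeof n->name - 1);
  n->parent = parent;
  n->peer = parent->child;   /* push onto the parent's child list */
  parent->child = n;
  return n;
}

/* 0 on success; -EPERM for the root inode, which is never released;
 * -EBUSY if still referenced or non-empty; -ENOENT if not in the tree. */
int inode_remove(struct inode *node) {
  if (node == NULL || node == &g_root || node->parent == NULL) return -EPERM;
  if (node->refs > 0 || node->child != NULL) return -EBUSY;
  struct inode **pp = &node->parent->child;
  while (*pp != NULL && *pp != node) pp = &(*pp)->peer;
  if (*pp == NULL) return -ENOENT;
  *pp = node->peer;          /* unlink first so no parent link dangles */
  free(node);
  return 0;
}

/* Exercise the guards on a constructed tree. Returns 0 when every
 * expectation holds, otherwise the number of the failing step. */
int inode_remove_demo(void) {
  struct inode *mnt = inode_add(&g_root, "mnt");
  if (mnt == NULL) return 1;
  if (inode_remove(&g_root) != -EPERM) return 2;  /* root must survive */
  mnt->refs = 1;
  if (inode_remove(mnt) != -EBUSY) return 3;      /* still open somewhere */
  mnt->refs = 0;
  if (inode_remove(mnt) != 0) return 4;
  if (g_root.child != NULL) return 5;             /* no dangling link left */
  return 0;
}
```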