Security Researchers at Cisco
The vulnerability can be exploited to execute code when an attacker can cause the variable that carries the size of the copied data to take a negative value (for example, a negative value results when more than 2 GB of data is transferred, but during the attack, to go beyond the buffer, at least 4 GB must be passed). The memcpy() function is heavily used in applications, and ARMv7 processors are common in automotive systems and in mobile, industrial, consumer, communication and embedded devices, which can potentially become targets of attacks via Bluetooth, HD Radio/DAB, USB, CAN bus, Wi-Fi and other external data sources (for example, network-accessible services and applications that accept input data with no size limit can be attacked).
An example is a working exploit created to attack an HTTP server built into automotive information systems and accessible via the car's Wi-Fi network. An attacker could exploit the memcpy vulnerability on such a server by sending a very large GET request, gaining root access to the system.
On 32-bit x86 systems the problem does not appear, since the memcpy implementation for this architecture correctly interprets the size variable as an unsigned integer of type size_t (in assembly language
The fix comes down to replacing the use of assembler instructions that operate on signed operands (bge and blt) with unsigned counterparts (blo and bhs).
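Why the choice of branch matters, as an added example (not code from glibc or from the researchers' report): it models the flags an ARM `cmp` sets and evaluates the signed conditions (bge, blt) and the unsigned ones (bhs, blo) on the same length. The threshold of 64 and the sample lengths are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Flags set by an ARM `cmp a, b`, which computes a - b and discards the result. */
struct flags { int n, z, c, v; };

static struct flags arm_cmp(uint32_t a, uint32_t b)
{
    uint32_t r = a - b;
    struct flags f;
    f.n = (int)(r >> 31);                    /* result has its top bit set       */
    f.z = (r == 0);
    f.c = (a >= b);                          /* carry set = no borrow (unsigned) */
    f.v = (int)(((a ^ b) & (a ^ r)) >> 31);  /* signed overflow on subtraction   */
    return f;
}

/* Signed conditions: operands are treated as int32_t. */
static int cond_ge(struct flags f) { return f.n == f.v; }   /* bge */
static int cond_lt(struct flags f) { return f.n != f.v; }   /* blt */
/* Unsigned conditions: operands are treated as uint32_t, as size_t requires. */
static int cond_hs(struct flags f) { return f.c; }          /* bhs */
static int cond_lo(struct flags f) { return !f.c; }         /* blo */

/* 1 when the signed and unsigned branches disagree on "len >= threshold". */
static int branches_disagree(uint32_t len, uint32_t threshold)
{
    struct flags f = arm_cmp(len, threshold);
    return cond_ge(f) != cond_hs(f);
}

int main(void)
{
    const uint32_t threshold = 64;  /* constructed value, not taken from glibc */
    const uint32_t lens[] = { 10u, 100u, 0x7FFFFFFFu, 0x80000000u, 0xFFFFFFFFu };

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        struct flags f = arm_cmp(lens[i], threshold);
        printf("len=0x%08X bge=%d blt=%d bhs=%d blo=%d %s\n",
               (unsigned)lens[i], cond_ge(f), cond_lt(f), cond_hs(f), cond_lo(f),
               branches_disagree(lens[i], threshold) ? "<- signed view is wrong" : "");
    }
    return 0;
}
```

Lengths up to 0x7FFFFFFF give the same answer under both views; from 0x80000000 (2 GB) upward the signed branches treat the length as smaller than the threshold.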
The problem has not yet been fixed in
Source: opennet.ru