Message ID | 20221108215851.27170-1-sultan.qasimkhan@nccgroup.com |
---|---|
State | Deferred |
Delegated to: | Fabio Estevam |
Headers | show |
Series | dfu: bounds check USB upload and download sizes | expand |
Hi Sultan, On Tue, Nov 8, 2022 at 9:22 PM Sultan Qasim Khan <sultanqasim@gmail.com> wrote: > > Also verify transfer directions match what is expected for the operation > type. Addresses memory corruption and disclosure vulnerability > CVE-2022-2347. > > Signed-off-by: Sultan Qasim Khan <sultan.qasimkhan@nccgroup.com> There was a submission already to fix this problem: https://lists.denx.de/pipermail/u-boot/2022-November/498977.html
Hi Fabio, Ah, sorry I missed that. This was on my todo list to patch as when I looked last week I didn’t see any patch for it. That patch you linked should also work to solve the issue. Best regards, Sultan Qasim Khan > On Nov 8, 2022, at 7:56 PM, Fabio Estevam <festevam@gmail.com> wrote: > > Hi Sultan, > > On Tue, Nov 8, 2022 at 9:22 PM Sultan Qasim Khan <sultanqasim@gmail.com> wrote: >> >> Also verify transfer directions match what is expected for the operation >> type. Addresses memory corruption and disclosure vulnerability >> CVE-2022-2347. >> >> Signed-off-by: Sultan Qasim Khan <sultan.qasimkhan@nccgroup.com> > > There was a submission already to fix this problem: > https://lists.denx.de/pipermail/u-boot/2022-November/498977.html
diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c index e9340ff5cb..4a7057c529 100644 --- a/drivers/usb/gadget/f_dfu.c +++ b/drivers/usb/gadget/f_dfu.c @@ -323,7 +323,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu, switch (ctrl->bRequest) { case USB_REQ_DFU_DNLOAD: - if (len == 0) { + if (len == 0 || len > DFU_USB_BUFSIZ || (ctrl->bRequestType & USB_DIR_IN)) { f_dfu->dfu_state = DFU_STATE_dfuERROR; value = RET_STALL; break; @@ -333,6 +333,11 @@ static int state_dfu_idle(struct f_dfu *f_dfu, value = handle_dnload(gadget, len); break; case USB_REQ_DFU_UPLOAD: + if (len > DFU_USB_BUFSIZ || (ctrl->bRequestType & USB_DIR_IN) != USB_DIR_IN) { + f_dfu->dfu_state = DFU_STATE_dfuERROR; + value = RET_STALL; + break; + } f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE; f_dfu->blk_seq_num = 0; value = handle_upload(req, len); @@ -428,6 +433,11 @@ static int state_dfu_dnload_idle(struct f_dfu *f_dfu, switch (ctrl->bRequest) { case USB_REQ_DFU_DNLOAD: + if (len > DFU_USB_BUFSIZ || (ctrl->bRequestType & USB_DIR_IN)) { + f_dfu->dfu_state = DFU_STATE_dfuERROR; + value = RET_STALL; + break; + } f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC; f_dfu->blk_seq_num = w_value; value = handle_dnload(gadget, len); @@ -515,6 +525,11 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu, switch (ctrl->bRequest) { case USB_REQ_DFU_UPLOAD: + if (len > DFU_USB_BUFSIZ || (ctrl->bRequestType & USB_DIR_IN) != USB_DIR_IN) { + f_dfu->dfu_state = DFU_STATE_dfuERROR; + value = RET_STALL; + break; + } /* state transition if less data then requested */ f_dfu->blk_seq_num = w_value; value = handle_upload(req, len);
Also verify transfer directions match what is expected for the operation type. Addresses memory corruption and disclosure vulnerability CVE-2022-2347. Signed-off-by: Sultan Qasim Khan <sultan.qasimkhan@nccgroup.com> --- drivers/usb/gadget/f_dfu.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-)