diff mbox series

dfu: bounds check USB upload and download sizes

Message ID 20221108215851.27170-1-sultan.qasimkhan@nccgroup.com
State Deferred
Delegated to: Fabio Estevam
Headers show
Series dfu: bounds check USB upload and download sizes | expand

Commit Message

Sultan Khan Nov. 8, 2022, 9:58 p.m. UTC 
Also verify transfer directions match what is expected for the operation
type. Addresses memory corruption and disclosure vulnerability
CVE-2022-2347.

Signed-off-by: Sultan Qasim Khan <sultan.qasimkhan@nccgroup.com>
---
 drivers/usb/gadget/f_dfu.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

Comments

Fabio Estevam Nov. 9, 2022, 12:56 a.m. UTC | #1 
Hi Sultan,

On Tue, Nov 8, 2022 at 9:22 PM Sultan Qasim Khan <sultanqasim@gmail.com> wrote:
>
> Also verify transfer directions match what is expected for the operation
> type. Addresses memory corruption and disclosure vulnerability
> CVE-2022-2347.
>
> Signed-off-by: Sultan Qasim Khan <sultan.qasimkhan@nccgroup.com>

There was a submission already to fix this problem:
https://lists.denx.de/pipermail/u-boot/2022-November/498977.html
Sultan Khan Nov. 9, 2022, 1:02 a.m. UTC | #2 
Hi Fabio,

Ah, sorry I missed that. This was on my todo list to patch as when I looked last week I didn’t see any patch for it. That patch you linked should also work to solve the issue.

Best regards,
Sultan Qasim Khan

> On Nov 8, 2022, at 7:56 PM, Fabio Estevam <festevam@gmail.com> wrote:
> 
> Hi Sultan,
> 
> On Tue, Nov 8, 2022 at 9:22 PM Sultan Qasim Khan <sultanqasim@gmail.com> wrote:
>> 
>> Also verify transfer directions match what is expected for the operation
>> type. Addresses memory corruption and disclosure vulnerability
>> CVE-2022-2347.
>> 
>> Signed-off-by: Sultan Qasim Khan <sultan.qasimkhan@nccgroup.com>
> 
> There was a submission already to fix this problem:
> https://lists.denx.de/pipermail/u-boot/2022-November/498977.html
diff mbox series

Patch

diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c
index e9340ff5cb..4a7057c529 100644
--- a/drivers/usb/gadget/f_dfu.c
+++ b/drivers/usb/gadget/f_dfu.c
@@ -323,7 +323,7 @@  static int state_dfu_idle(struct f_dfu *f_dfu,
 
 	switch (ctrl->bRequest) {
 	case USB_REQ_DFU_DNLOAD:
-		if (len == 0) {
+		if (len == 0 || len > DFU_USB_BUFSIZ || (ctrl->bRequestType & USB_DIR_IN)) {
 			f_dfu->dfu_state = DFU_STATE_dfuERROR;
 			value = RET_STALL;
 			break;
@@ -333,6 +333,11 @@  static int state_dfu_idle(struct f_dfu *f_dfu,
 		value = handle_dnload(gadget, len);
 		break;
 	case USB_REQ_DFU_UPLOAD:
+		if (len > DFU_USB_BUFSIZ || (ctrl->bRequestType & USB_DIR_IN) != USB_DIR_IN) {
+			f_dfu->dfu_state = DFU_STATE_dfuERROR;
+			value = RET_STALL;
+			break;
+		}
 		f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE;
 		f_dfu->blk_seq_num = 0;
 		value = handle_upload(req, len);
@@ -428,6 +433,11 @@  static int state_dfu_dnload_idle(struct f_dfu *f_dfu,
 
 	switch (ctrl->bRequest) {
 	case USB_REQ_DFU_DNLOAD:
+		if (len > DFU_USB_BUFSIZ || (ctrl->bRequestType & USB_DIR_IN)) {
+			f_dfu->dfu_state = DFU_STATE_dfuERROR;
+			value = RET_STALL;
+			break;
+		}
 		f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
 		f_dfu->blk_seq_num = w_value;
 		value = handle_dnload(gadget, len);
@@ -515,6 +525,11 @@  static int state_dfu_upload_idle(struct f_dfu *f_dfu,
 
 	switch (ctrl->bRequest) {
 	case USB_REQ_DFU_UPLOAD:
+		if (len > DFU_USB_BUFSIZ || (ctrl->bRequestType & USB_DIR_IN) != USB_DIR_IN) {
+			f_dfu->dfu_state = DFU_STATE_dfuERROR;
+			value = RET_STALL;
+			break;
+		}
 		/* state transition if less data then requested */
 		f_dfu->blk_seq_num = w_value;
 		value = handle_upload(req, len);