Message ID | 20221130082916.1443-1-hsimeliere.opensource@witekio.com |
---|---|
State | Accepted |
Commit | 14dc0ab138988a8e45ffa086444ec8db48b3f103 |
Delegated to: | Marek Vasut |
Series | usb: gadget: dfu: Fix check of transfer direction |
Adding Marek and Sultan On Wed, Nov 30, 2022 at 3:55 PM <hsimeliere.opensource@witekio.com> wrote: > > From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> > > Commit fbce985e28eaca3af82afecc11961aadaf971a7e to fix CVE-2022-2347 > blocks DFU usb requests. > The verification of the transfer direction was done by an equality > but it is a bit mask. > > Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> > --- > drivers/usb/gadget/f_dfu.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c > index 33ef62f8ba..44877df4ec 100644 > --- a/drivers/usb/gadget/f_dfu.c > +++ b/drivers/usb/gadget/f_dfu.c > @@ -325,7 +325,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu, > > switch (ctrl->bRequest) { > case USB_REQ_DFU_DNLOAD: > - if (ctrl->bRequestType == USB_DIR_OUT) { > + if (!(ctrl->bRequestType & USB_DIR_IN)) { > if (len == 0) { > f_dfu->dfu_state = DFU_STATE_dfuERROR; > value = RET_STALL; > @@ -337,7 +337,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu, > } > break; > case USB_REQ_DFU_UPLOAD: > - if (ctrl->bRequestType == USB_DIR_IN) { > + if (ctrl->bRequestType & USB_DIR_IN) { > f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE; > f_dfu->blk_seq_num = 0; > value = handle_upload(req, len); > @@ -436,7 +436,7 @@ static int state_dfu_dnload_idle(struct f_dfu *f_dfu, > > switch (ctrl->bRequest) { > case USB_REQ_DFU_DNLOAD: > - if (ctrl->bRequestType == USB_DIR_OUT) { > + if (!(ctrl->bRequestType & USB_DIR_IN)) { > f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC; > f_dfu->blk_seq_num = w_value; > value = handle_dnload(gadget, len); > @@ -527,7 +527,7 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu, > > switch (ctrl->bRequest) { > case USB_REQ_DFU_UPLOAD: > - if (ctrl->bRequestType == USB_DIR_IN) { > + if (ctrl->bRequestType & USB_DIR_IN) { > /* state transition if less data then requested */ > f_dfu->blk_seq_num = w_value; > value = handle_upload(req, len); > -- > 2.25.1 >
On Wed, Nov 30, 2022 at 3:55 PM <hsimeliere.opensource@witekio.com> wrote:
>
> From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
>
> Commit fbce985e28eaca3af82afecc11961aadaf971a7e to fix CVE-2022-2347
> blocks DFU usb requests.
> The verification of the transfer direction was done by an equality
> but it is a bit mask.
>
> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>

Reviewed-by: Fabio Estevam <festevam@denx.de>
Reviewed-by: Sultan Qasim Khan <sultan.qasimkhan@nccgroup.com>

On Wed, Nov 30, 2022 at 2:02 PM Fabio Estevam <festevam@gmail.com> wrote:
> On Wed, Nov 30, 2022 at 3:55 PM <hsimeliere.opensource@witekio.com> wrote:
> >
> > From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
> >
> > Commit fbce985e28eaca3af82afecc11961aadaf971a7e to fix CVE-2022-2347
> > blocks DFU usb requests.
> > The verification of the transfer direction was done by an equality
> > but it is a bit mask.
> >
> > Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
>
> Reviewed-by: Fabio Estevam <festevam@denx.de>
>
On 11/30/22 19:58, Fabio Estevam wrote:
> Adding Marek and Sultan
>
> On Wed, Nov 30, 2022 at 3:55 PM <hsimeliere.opensource@witekio.com> wrote:
>>
>> From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
>>
>> Commit fbce985e28eaca3af82afecc11961aadaf971a7e to fix CVE-2022-2347
>> blocks DFU usb requests.
>> The verification of the transfer direction was done by an equality
>> but it is a bit mask.
>>
>> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>

Reviewed-by: Marek Vasut <marex@denx.de>
Tested-by: Marek Vasut <marex@denx.de>

Thanks !
Tested on Warp7, thanks Tested-by: Joris Offouga <offougajoris@gmail.com> > On 30 Nov 2022 at 19:55, hsimeliere.opensource@witekio.com wrote: > > From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> > > Commit fbce985e28eaca3af82afecc11961aadaf971a7e to fix CVE-2022-2347 > blocks DFU usb requests. > The verification of the transfer direction was done by an equality > but it is a bit mask. > > Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> > --- > drivers/usb/gadget/f_dfu.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c > index 33ef62f8ba..44877df4ec 100644 > --- a/drivers/usb/gadget/f_dfu.c > +++ b/drivers/usb/gadget/f_dfu.c > @@ -325,7 +325,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu, > > switch (ctrl->bRequest) { > case USB_REQ_DFU_DNLOAD: > - if (ctrl->bRequestType == USB_DIR_OUT) { > + if (!(ctrl->bRequestType & USB_DIR_IN)) { > if (len == 0) { > f_dfu->dfu_state = DFU_STATE_dfuERROR; > value = RET_STALL; > @@ -337,7 +337,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu, > } > break; > case USB_REQ_DFU_UPLOAD: > - if (ctrl->bRequestType == USB_DIR_IN) { > + if (ctrl->bRequestType & USB_DIR_IN) { > f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE; > f_dfu->blk_seq_num = 0; > value = handle_upload(req, len); > @@ -436,7 +436,7 @@ static int state_dfu_dnload_idle(struct f_dfu *f_dfu, > > switch (ctrl->bRequest) { > case USB_REQ_DFU_DNLOAD: > - if (ctrl->bRequestType == USB_DIR_OUT) { > + if (!(ctrl->bRequestType & USB_DIR_IN)) { > f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC; > f_dfu->blk_seq_num = w_value; > value = handle_dnload(gadget, len);
> @@ -527,7 +527,7 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu, > > switch (ctrl->bRequest) { > case USB_REQ_DFU_UPLOAD: > - if (ctrl->bRequestType == USB_DIR_IN) { > + if (ctrl->bRequestType & USB_DIR_IN) { > /* state transition if less data then requested */ > f_dfu->blk_seq_num = w_value; > value = handle_upload(req, len); > -- > 2.25.1 >
diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c index 33ef62f8ba..44877df4ec 100644 --- a/drivers/usb/gadget/f_dfu.c +++ b/drivers/usb/gadget/f_dfu.c @@ -325,7 +325,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu, switch (ctrl->bRequest) { case USB_REQ_DFU_DNLOAD: - if (ctrl->bRequestType == USB_DIR_OUT) { + if (!(ctrl->bRequestType & USB_DIR_IN)) { if (len == 0) { f_dfu->dfu_state = DFU_STATE_dfuERROR; value = RET_STALL; @@ -337,7 +337,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu, } break; case USB_REQ_DFU_UPLOAD: - if (ctrl->bRequestType == USB_DIR_IN) { + if (ctrl->bRequestType & USB_DIR_IN) { f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE; f_dfu->blk_seq_num = 0; value = handle_upload(req, len); @@ -436,7 +436,7 @@ static int state_dfu_dnload_idle(struct f_dfu *f_dfu, switch (ctrl->bRequest) { case USB_REQ_DFU_DNLOAD: - if (ctrl->bRequestType == USB_DIR_OUT) { + if (!(ctrl->bRequestType & USB_DIR_IN)) { f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC; f_dfu->blk_seq_num = w_value; value = handle_dnload(gadget, len); @@ -527,7 +527,7 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu, switch (ctrl->bRequest) { case USB_REQ_DFU_UPLOAD: - if (ctrl->bRequestType == USB_DIR_IN) { + if (ctrl->bRequestType & USB_DIR_IN) { /* state transition if less data then requested */ f_dfu->blk_seq_num = w_value; value = handle_upload(req, len);
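
Review bot: in the USB_REQ_DFU_DNLOAD case of state_dfu_idle() (hunk at -325), the OUT test is now spelled `!(ctrl->bRequestType & USB_DIR_IN)` with nothing in the code saying why USB_DIR_OUT is no longer named. USB_DIR_OUT is 0, so it cannot be tested with `&`, and a reader who does not know that may be tempted to "simplify" this back into an equality. A one-line comment above the test stating that direction is bit 7 of bRequestType and that OUT means the bit is clear would document the intent.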
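
Review bot: the USB_REQ_DFU_UPLOAD test in state_dfu_idle() (hunk at -337) now passes for any bRequestType that has bit 7 set, whatever its type and recipient bits are. The visible lines do not show whether the caller has already narrowed the request to a class request addressed to the interface; if it has not, compare the masked type and recipient fields here as well before calling `handle_upload(req, len)`, or say in the commit message where that filtering happens.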
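
Review bot: state_dfu_upload_idle() (hunk at -527) carries the fourth open-coded copy of the direction test, after the two in state_dfu_idle() and the one in state_dfu_dnload_idle(). A small static helper that returns the transfer direction from `ctrl->bRequestType` would keep the four sites from drifting apart again, which is how the equality form ended up blocking requests in all of them at once. As a nit while touching this branch, the adjacent comment reads "less data then requested" and should say "than".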
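
The commit message's point about equality versus a bit mask, worked through on the bRequestType values the DFU specification assigns to DFU_DNLOAD and DFU_UPLOAD (0x21 and 0xA1). This is an added example, not code from the patch or from U-Boot: gate_equality() and gate_mask() are hypothetical stand-ins for the old and new direction checks, and the sample requests are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* bRequestType fields per USB 2.0 chapter 9; names follow ch9.h. */
#define USB_DIR_OUT         0x00 /* bit 7 clear: host to device */
#define USB_DIR_IN          0x80 /* bit 7 set: device to host */
#define USB_TYPE_CLASS      0x20 /* bits 6..5 */
#define USB_RECIP_INTERFACE 0x01 /* bits 4..0 */
#define USB_REQ_DFU_DNLOAD  0x01
#define USB_REQ_DFU_UPLOAD  0x02

/* Hypothetical model of the pre-patch check: whole-byte equality.
 * Returns 1 if the request would reach its handler, 0 otherwise. */
static int gate_equality(uint8_t bRequest, uint8_t bRequestType)
{
	if (bRequest == USB_REQ_DFU_DNLOAD)
		return bRequestType == USB_DIR_OUT;
	if (bRequest == USB_REQ_DFU_UPLOAD)
		return bRequestType == USB_DIR_IN;
	return 0;
}

/* Hypothetical model of the patched check: only bit 7 is examined. */
static int gate_mask(uint8_t bRequest, uint8_t bRequestType)
{
	if (bRequest == USB_REQ_DFU_DNLOAD)
		return !(bRequestType & USB_DIR_IN);
	if (bRequest == USB_REQ_DFU_UPLOAD)
		return (bRequestType & USB_DIR_IN) != 0;
	return 0;
}

int main(void)
{
	/* Constructed samples: class/interface requests in both directions. */
	const uint8_t out = USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE;
	const uint8_t in = USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE;
	const struct { const char *name; uint8_t req, type; } s[] = {
		{ "DNLOAD, OUT", USB_REQ_DFU_DNLOAD, out },
		{ "DNLOAD, IN ", USB_REQ_DFU_DNLOAD, in },
		{ "UPLOAD, IN ", USB_REQ_DFU_UPLOAD, in },
		{ "UPLOAD, OUT", USB_REQ_DFU_UPLOAD, out },
	};
	for (size_t i = 0; i < sizeof(s) / sizeof(s[0]); i++)
		printf("%s (0x%02x): equality=%d mask=%d\n", s[i].name, s[i].type,
		       gate_equality(s[i].req, s[i].type), gate_mask(s[i].req, s[i].type));
	return 0;
}
```

The equality form rejects all four samples, including the two well-formed ones, while the mask form accepts the well-formed pair and still rejects the two whose direction bit contradicts the request.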