From patchwork Wed Nov 30 08:29:16 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: hsimeliere.opensource@witekio.com X-Patchwork-Id: 1710646 X-Patchwork-Delegate: marek.vasut@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=witekio.com header.i=@witekio.com header.a=rsa-sha256 header.s=selector2 header.b=mYrW1DCn; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4NMpLV3x7kz23nT for ; Thu, 1 Dec 2022 05:55:28 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 309E8853BA; Wed, 30 Nov 2022 19:55:16 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=quarantine dis=none) header.from=witekio.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=witekio.com header.i=@witekio.com header.b="mYrW1DCn"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 46FCB852C4; Wed, 30 Nov 2022 09:30:12 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on20611.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e1b::611]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 81CEB85261 for ; Wed, 30 Nov 2022 09:30:03 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=quarantine dis=none) header.from=witekio.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=hsimeliere@witekio.com ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cF6FoXFWhUm1m8X26u89NFEY71uTtalju8QOM3vTf2+BEoAINP44SYb957tZUr+eNBDcjUn3ixvkup959IWyHySD90H+GwWgiKd8xCzDou7rUPdPt1sAjO2nMZsXJsbyaO5YqX8zmnaKdUhgEiTCrWVBGXA+lqpxPQopL6K61Q/uz0IErcJnbqwB7faewZKCaIHgMYa2gUDGgZosvgyG+FP15d/22AK8KZVYfmvlvYEzVhX6lNa/MrZ2xXEQVLgSL0v/c2HJkCjQxEJB+MSCXAkiR7DuZ1GCwRbV2MB5Z845HFmBL0GluttDbK0sCu+r3CdITSdODzZogZYaML4eNg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=PjNVBmPJgupiDCF/Lx4h3jGuH9moRZCosf46nmotumM=; b=iIsHF1xU4pYoV5LJGiAWOgpTgxatCGQuc8D4AD3Z0JOfcPy0DyP/02PT/b93Kj1jc+7P+OeTjCoMmyCUkMDgbGR01EgROG/DCjLzhjthDlyjCOwH2NPfNTq0xdiiRiIYoAem6MoB3d+4qPWvh6f5NX+9HzIGmG6Vv+kpx7fUqjr8eGm5VmlDQvqEQejzdxB+NErm3m5CLoeiRA3P9t9Nk3aAdomf6Pj7yHVO3eQGkdomHjQ1obLCmwdZgjJtBWYoXtG7RvfI+EiCsnQFnGCPnap2ug8d09jP38uoLo/AlRio8MK8zs2AI5eCxie54yrkfmTNSftRc4dImbA5TsSC2Q== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=witekio.com; dmarc=pass action=none header.from=witekio.com; dkim=pass header.d=witekio.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=witekio.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PjNVBmPJgupiDCF/Lx4h3jGuH9moRZCosf46nmotumM=; b=mYrW1DCnw/eDQJWAkcdG02dw//cYOXIcNU0SFfP+VGfwXC8VVTYqWR4mLl9zOglyoeBmYk5e8VMcoiSLaGdi3tZqGTChCPWXGyya+amXC4bqhmcvJlMa0XcKsZ2frH/hY9MEZnj6l2zNyhtee/y4XZy/Xxgd9pflhlAlvCeq9pCCob/oo3kOMjnXwnvPy76J48YlKRAlOcxFUVirKsd2Hc9Z4YJsnETGni1tLt8Wu4g6UYpFbqzAq++daCWg6tyg0ZiYxvJRsSoeYJRyfIub2fTBHP+0tyyCOLwn1w2M1l8O+Y6LTmbaIg2AUnmSBaJqaYtCirUMy3DHgagjCsx7hw== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=witekio.com; Received: from PR3P192MB0714.EURP192.PROD.OUTLOOK.COM (2603:10a6:102:48::10) by AM8P192MB0882.EURP192.PROD.OUTLOOK.COM (2603:10a6:20b:1cb::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5857.23; Wed, 30 Nov 2022 08:29:55 +0000 Received: from PR3P192MB0714.EURP192.PROD.OUTLOOK.COM ([fe80::68d0:6364:64e3:f204]) by PR3P192MB0714.EURP192.PROD.OUTLOOK.COM ([fe80::68d0:6364:64e3:f204%9]) with mapi id 15.20.5857.023; Wed, 30 Nov 2022 08:29:55 +0000 From: hsimeliere.opensource@witekio.com To: u-boot@lists.denx.de Cc: Hugo SIMELIERE Subject: [PATCH] usb: gadget: dfu: Fix check of transfer direction Date: Wed, 30 Nov 2022 09:29:16 +0100 Message-Id: <20221130082916.1443-1-hsimeliere.opensource@witekio.com> X-Mailer: git-send-email 2.25.1 X-ClientProxiedBy: PR1P264CA0005.FRAP264.PROD.OUTLOOK.COM (2603:10a6:102:19e::10) To PR3P192MB0714.EURP192.PROD.OUTLOOK.COM (2603:10a6:102:48::10) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: PR3P192MB0714:EE_|AM8P192MB0882:EE_ X-MS-Office365-Filtering-Correlation-Id: 74d62a3a-030a-4d55-4249-08dad2ad0f21 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: Cbq6J/7hejgIVSSuIadZFxpfoGMbXRya6Apiai7C9NElciWQzTVjiNffs61V/Qn7gbmNWKzPkpvpaa0QaImVVU+f7Z6tveP6tfVREigq+y6wWx3wVR5KKuFm5s+Xb1p3iS2S3/iJxk7ZCoho6nTmdr+DBQJ+S0ud0fp8cYocZN/jnqzGGYgc5mkoe87z6CSJHy1HGLWqASCe7wcuILegzuhlS82oZvjmYhsVAZOzClhiR2ZDO4fYYcyLL3ttUWWEayq/dRJVoVRHKY31KdB136zhLomUwWWGAM0IWn4OKoRXLP4kDUi9KV8w9XawSjL7kW0Y5+emYVji0m710bi5+X8wAfTXfDiF/65BSr/R6clYDspAdjHaAAjaYTkBFA+qehG/GcpBwRvnfgJgOjCRfyNzEArZWbZn/a3KwxrWNowGqMovLa876Ox7E011AzaHIzAZvyebyLkYmqBf8xQ4djGcsw5oFDLhlZE1H95vi+QrDF7pI328xdhMg3DJPaOgZsCmIF60xprB/4H9HMKURkm43m1GmauG4UA6EmhnEhkBbG+a8X38iRbYaLrNJxn/DkHSjfxGBgvHWsNINx3qdch4neEBAEPb7C1sWmQndT8lCGgDFOBMBaCiXQlOk9Pkx5vaPulZMzxji8HAqapqrcH0Cw4NeO4OPayLL40K4bgTATSPHlJL2lkh6lscjxsN X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PR3P192MB0714.EURP192.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230022)(39850400004)(396003)(136003)(366004)(376002)(346002)(451199015)(83380400001)(2906002)(66556008)(41300700001)(8936002)(5660300002)(1076003)(4326008)(107886003)(9686003)(6512007)(52116002)(186003)(6506007)(6666004)(26005)(6486002)(316002)(8676002)(2616005)(38100700002)(66946007)(36756003)(6916009)(38350700002)(66476007)(478600001); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: zQ0wqiFHdS/gmf2zj4axIvr1wZaxcPQNBOZVgC51RTq+kZuWuZe4eLRIuSZnzepU1ulK8N/HXWQPPbbkvVmbkqfy6tJNjpkrKzs8PnjzCcc6ZkC1pxepl6nWRAojJ3wWzPvaJijeL4Ssp61bEgfXgb64gF7T7KOdwfwj0T6hFeNx7sq1Jq83cqL1UpioZgp36Kp28QUNubw0g8i7gpMeqRsphz2vT9OqaRb1mETFmOJpM0Cq2/0OpEXtk+RvyDM+767ZouqL6BRwyp2+jrH7mlQUrJMP5jEuzEZvB1DB5CyZskpXMY3u2BLaVuOCYiBTyN/zEuwAZi6KV3OcNwHtEjEbAc29NKgxApFl8K96UUEc0bfaO6V3yUOuEVnLaTZ41S+v3EGeHtgqvhIc5EBAedarYpLfgYPuZ8YIKTVHn7ebIHfWmZmFiDn0OwrMb8zR+mv24krqVb/DsI/b9c/PU088O1RH0Pqiqzv9Of/9up4KEnF0F3pd3v7cRtiLxIdQgkpXouI6fMyMf/miavqKFgMyi6j9XtfIVVgh5VOZXDkUIQpKwWzCHBTH2qbMWLEJB4N/YzqiEIxx2B7zeeloHIjxvDg37ZHWDbDTxMg2wziRDFlhkSU27rRVN/vusR92FnggsYaThbNGFblEDvpNPFy1k2RUKw8gxlJV6kgBTjw/xkCMYnxC4xQX9BOTJuFDapXFp7dEgFx1IUe+PgGQzB8wMnIB8tzBPkpTtXfN4KJbzVg05lOyZZcHQQwTSLKjQb9ecL+/jSOIVBGLEBOy7IwlURFbXOoL2d0LFCUTRaMNE2W2tRX01JnRRJoTwECXwvOU+wG8ngSYW8aQg1M5+Mpe1z4Vzm4f4/aEjIsR7hNUHaLsKu+QAH7f3qh4kKmhSsd8Q8wFNlwL+op7g/DziTHrvO8NI636HIQFTOcmPy1Kdv6DyG1YBFF15MSAzaKOqRx9AxFdOucJGd+DOaUc6ov0rNWYx6HiF8UhMg9rBObKHbYSqTwQnpYEIO6PTYMT3qEuWIgyqXMlsoBsIc0gylXIJVp47JsLDh/L/RhsLJJaFy+Jx2XI9uvo2qI4EOiIYmQ1cbjW3PeMB0FUqdq1zlnC9/V+bwonlRkQGcTLv2P+utCItzrG0dZZmO+UJ9HTL23ek3esS2jGWtsr0Nt9abI5WVDH9+9w4LnJCEuTVCA9IgskWQAE387K7WNVA5t11SdO5od6UbjWtF7OSrb9fJIvlGalDm9msUxQbrhYVhom1izEH6SRrEl8a4s7FWxy8H7s74tw4SW1wyR8vL6BUiVAGFajtoi4vFhte0JwseIkG+bs7IjvHmTS6+4R8AbGjLLfX9iZ+WRWUyJKgx73czrEQ7ubmEuFQdcb825oD4VKzXRXtxTFr2Bp0ZPNy+Qqs3nmNKTYmQEIXP0eyvTRIpzjx3+ZQ7hm21x9i2hhvE1ZeGxd1s0nge9dMkzzRFjlayyMxNsEP09P+Anclsqafr4tR00tYG1pyy/DtI3JZigfHsopf7qZ5WL/UMHZ8Oih/H4wVLoRnJ1co8Ay6cpLC4B4IRm0W0ZMenDVunwcWrXtpz150qq3F9W9peLvaUPSv3nnQRftk8WW7n4SwqqXJA== X-OriginatorOrg: witekio.com X-MS-Exchange-CrossTenant-Network-Message-Id: 74d62a3a-030a-4d55-4249-08dad2ad0f21 X-MS-Exchange-CrossTenant-AuthSource: PR3P192MB0714.EURP192.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Nov 2022 08:29:55.2765 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 317e086a-301a-49af-9ea4-48a1c458b903 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: kFnOraz+LL4CyA3LIedvNv1B9o4A1zlfXYO2SwpT25nAF+iDc5h/Ibq4ua0aVX6ZbkJM9RjTLmZPA4BQc+bPRw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM8P192MB0882 X-Mailman-Approved-At: Wed, 30 Nov 2022 19:55:15 +0100 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean From: Hugo SIMELIERE Commit fbce985e28eaca3af82afecc11961aadaf971a7e to fix CVE-2022-2347 blocks DFU usb requests. The verification of the transfer direction was done by an equality but it is a bit mask. Signed-off-by: Hugo SIMELIERE Reviewed-by: Fabio Estevam Reviewed-by: Sultan Qasim Khan Reviewed-by: Marek Vasut Tested-by: Marek Vasut Tested-by: Joris Offouga --- drivers/usb/gadget/f_dfu.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c index 33ef62f8ba..44877df4ec 100644 --- a/drivers/usb/gadget/f_dfu.c +++ b/drivers/usb/gadget/f_dfu.c @@ -325,7 +325,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu, switch (ctrl->bRequest) { case USB_REQ_DFU_DNLOAD: - if (ctrl->bRequestType == USB_DIR_OUT) { + if (!(ctrl->bRequestType & USB_DIR_IN)) { if (len == 0) { f_dfu->dfu_state = DFU_STATE_dfuERROR; value = RET_STALL; @@ -337,7 +337,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu, } break; case USB_REQ_DFU_UPLOAD: - if (ctrl->bRequestType == USB_DIR_IN) { + if (ctrl->bRequestType & USB_DIR_IN) { f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE; f_dfu->blk_seq_num = 0; value = handle_upload(req, len); @@ -436,7 +436,7 @@ static int state_dfu_dnload_idle(struct f_dfu *f_dfu, switch (ctrl->bRequest) { case USB_REQ_DFU_DNLOAD: - if (ctrl->bRequestType == USB_DIR_OUT) { + if (!(ctrl->bRequestType & USB_DIR_IN)) { f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC; f_dfu->blk_seq_num = w_value; value = handle_dnload(gadget, len); @@ -527,7 +527,7 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu, switch (ctrl->bRequest) { case USB_REQ_DFU_UPLOAD: - if (ctrl->bRequestType == USB_DIR_IN) { + if (ctrl->bRequestType & USB_DIR_IN) { /* state transition if less data then requested */ f_dfu->blk_seq_num = w_value; value = handle_upload(req, len);