Description
RT-Thread Version
master (verified on commit 6a635e32d9f39ea015824927cee492620a05212f)
Hardware Type/Architectures
Any BSP enabling CherryUSB host HID support
Develop Toolchain
GCC
Describe the bug
Affected Component
| Field | Detail |
|---|---|
| File | components/drivers/usb/cherryusb/class/hid/usbh_hid.c |
| Function | struct hid_report *usbh_hid_report_parse(const uint8_t *data, uint32_t report_len, uint32_t max_usages) |
Vulnerability Description
A heap out-of-bounds write vulnerability exists in the CherryUSB HID report descriptor parser.
The function allocates a temporary `usages` array using the caller-provided `max_usages` value:

```c
usages = usb_osal_malloc(sizeof(uint32_t) * max_usages);
```

However, parsed usages are appended without any upper-bound check:

```c
usages[field.usage_count++] = usage;
```

Additionally, USAGE_MIN .. USAGE_MAX ranges are expanded in a loop without checking whether `field.usage_count` has already reached `max_usages`:

```c
for (uint32_t j = usage_min; j <= usage_max; j++) {
    usages[field.usage_count++] = j;
}
```

A crafted HID report descriptor containing too many USAGE items, or a large USAGE_MIN .. USAGE_MAX range, can overflow the heap buffer backing `usages`.
Impact & Amplification
The corrupted `usage_count` is subsequently reused in further allocations and memory copies, which can amplify the corruption:

```c
hid_report->input_fields[...].usages = usb_osal_malloc(sizeof(uint32_t) * field.usage_count);
memcpy(hid_report->input_fields[...].usages, usages, sizeof(uint32_t) * field.usage_count);
```

Reachability Analysis
In stock upstream master the vulnerable parser is not reached automatically when a HID device enumerates. Specifically:
- The parser is directly invoked only from the local helper path in `lshid()`.
- The default weak `usbh_hid_run()` implementation does nothing.
- Existing in-tree `usbh_hid_run()` overrides do not call `usbh_hid_report_parse()`.
Therefore, in stock upstream master, this issue does not appear to be a zero-click remote vulnerability.
However, it remains a real memory-safety bug in a public parser API. Any product or downstream integration that automatically parses attacker-controlled HID report descriptors using usbh_hid_report_parse() may be vulnerable to a malicious USB HID device.
Suggested Fix
Add a strict upper-bound check before every append into `usages`:

```c
if (field.usage_count >= max_usages) {
    goto err;
}
usages[field.usage_count++] = usage;
```

Apply the same guard inside the USAGE_MIN .. USAGE_MAX expansion loop.
Additionally, it would be safer to reject obviously unreasonable descriptor-derived usage counts before allocating or copying follow-up buffers.
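As an added example (not CherryUSB's or RT-Thread's code), the following stand-alone C program demonstrates both the bug class from the description above and the guard from the suggested fix: a minimal HID short-item walker that collects local USAGE and USAGE_MIN .. USAGE_MAX items into a fixed-capacity array and refuses, rather than overruns, when the capacity is exhausted. The names `collect_usages`, `push_usage`, `push_usage_range` and `demo_parse` are invented for this illustration, and the three descriptors are constructed by hand, not captured from real devices.

```c
#include <stdint.h>
#include <stdio.h>

/* HID short-item prefix byte: bSize (bits 0-1), bType (bits 2-3), bTag (bits 4-7). */
#define ITEM_SIZE(p) ((p) & 0x03)
#define ITEM_TYPE(p) (((p) >> 2) & 0x03)
#define ITEM_TAG(p)  ((p) >> 4)
enum { TYPE_MAIN = 0, TYPE_LOCAL = 2, TAG_INPUT = 0x8,
       TAG_USAGE = 0x0, TAG_USAGE_MIN = 0x1, TAG_USAGE_MAX = 0x2 };
enum { ERR_TRUNCATED = -1, ERR_TOO_MANY = -2, ERR_RANGE = -3, ERR_LONG_ITEM = -4 };

/* Scratch array plus explicit capacity: the role of `usages` and `max_usages`. */
struct collector { uint32_t *usages; uint32_t count, max_usages; };

/* Single append, with the bound check the report says is missing. */
static int push_usage(struct collector *c, uint32_t usage)
{
    if (c->count >= c->max_usages)
        return ERR_TOO_MANY;
    c->usages[c->count++] = usage;
    return 0;
}

/* USAGE_MIN..USAGE_MAX expansion. Capacity is checked once, before the loop, in
 * 64-bit arithmetic, and the loop exits on equality, so hi == 0xFFFFFFFF cannot
 * spin forever the way `j <= usage_max` on a uint32_t counter would. */
static int push_usage_range(struct collector *c, uint32_t lo, uint32_t hi)
{
    if (lo > hi)
        return ERR_RANGE;
    if ((uint64_t)hi - lo + 1 > (uint64_t)(c->max_usages - c->count))
        return ERR_TOO_MANY;
    for (uint32_t u = lo;; u++) {
        c->usages[c->count++] = u;
        if (u == hi)
            break;
    }
    return 0;
}

/* Collect local usages from short items up to the first INPUT main item.
 * Returns the number of usages written to `out`, or a negative error. */
int collect_usages(const uint8_t *desc, size_t len, uint32_t *out, uint32_t max_usages)
{
    struct collector c = { out, 0, max_usages };
    uint32_t usage_min = 0;
    int have_min = 0, rc = 0;

    for (size_t i = 0; i < len && rc == 0;) {
        uint8_t prefix = desc[i++];
        if (prefix == 0xFE)                      /* long item: out of scope here */
            return ERR_LONG_ITEM;
        size_t size = ITEM_SIZE(prefix) == 3 ? 4 : ITEM_SIZE(prefix);
        if (len - i < size)                      /* item data runs past the buffer */
            return ERR_TRUNCATED;
        uint32_t data = 0;                       /* item data is little-endian */
        for (size_t k = 0; k < size; k++)
            data |= (uint32_t)desc[i + k] << (8 * k);
        i += size;

        if (ITEM_TYPE(prefix) == TYPE_MAIN && ITEM_TAG(prefix) == TAG_INPUT)
            break;
        if (ITEM_TYPE(prefix) != TYPE_LOCAL)
            continue;
        switch (ITEM_TAG(prefix)) {
        case TAG_USAGE:     rc = push_usage(&c, data); break;
        case TAG_USAGE_MIN: usage_min = data; have_min = 1; break;
        case TAG_USAGE_MAX: rc = have_min ? push_usage_range(&c, usage_min, data) : ERR_RANGE;
                            have_min = 0; break;
        }
    }
    return rc ? rc : (int)c.count;
}

/* Constructed descriptors (not captured from real hardware). */
static const uint8_t kbd_modifiers[] = {   /* Usage Page 7, Usage Min 0xE0, Usage Max 0xE7, Input */
    0x05, 0x07, 0x19, 0xE0, 0x29, 0xE7, 0x81, 0x02 };
static const uint8_t full_range[] = {      /* 4-byte Usage Min 0 and Usage Max 0xFFFFFFFF, Input */
    0x1B, 0x00, 0x00, 0x00, 0x00, 0x2B, 0xFF, 0xFF, 0xFF, 0xFF, 0x81, 0x02 };
static const uint8_t seventeen_usages[] = { /* 17 one-byte USAGE items, then Input */
    0x09, 0x01, 0x09, 0x02, 0x09, 0x03, 0x09, 0x04, 0x09, 0x05, 0x09, 0x06,
    0x09, 0x07, 0x09, 0x08, 0x09, 0x09, 0x09, 0x0A, 0x09, 0x0B, 0x09, 0x0C,
    0x09, 0x0D, 0x09, 0x0E, 0x09, 0x0F, 0x09, 0x10, 0x09, 0x11, 0x81, 0x02 };

/* Parse into a fixed 16-entry scratch array, i.e. max_usages = 16. */
#define DEMO_MAX_USAGES 16
static uint32_t demo_scratch[DEMO_MAX_USAGES];
static int demo_parse(const uint8_t *desc, size_t len)
{
    return collect_usages(desc, len, demo_scratch, DEMO_MAX_USAGES);
}

int main(void)
{
    printf("keyboard modifiers:      %d\n", demo_parse(kbd_modifiers, sizeof kbd_modifiers));
    printf("0..0xFFFFFFFF range:     %d\n", demo_parse(full_range, sizeof full_range));
    printf("17 usages into 16 slots: %d\n", demo_parse(seventeen_usages, sizeof seventeen_usages));
    return 0;
}
```

The keyboard-style descriptor yields 8 usages; the 32-bit range and the 17-item descriptor both come back as `ERR_TOO_MANY` instead of writing past the 16-entry array. Checking the size of a USAGE_MIN .. USAGE_MAX range against the remaining capacity before the loop, rather than on every iteration, also avoids a second problem visible in the loop quoted above: with a `uint32_t` counter, `j <= usage_max` never becomes false when `usage_max` is 0xFFFFFFFF.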
Please let us know if you intend to request a CVE ID upon confirmation of this vulnerability.
Other additional context
No response