No validity checking on the variable dev_desc->bMaxPacketSize #75

Closed
TheSilentDawn opened this issue Oct 14, 2020 · 12 comments
Assignees
Labels
enhancement New feature or request internal bug tracker Issue confirmed and reported into a ticket in the internal bug tracking system mw Middleware-related issue or pull-request. usb USB-related (host or device) issue or pull-request
Milestone

Comments

@TheSilentDawn

TheSilentDawn commented Oct 14, 2020

Describe the set-up

  • Software:
    • STM32Cube MCU & MPU Packages
  • Version:
    • STM32Cube_FW_H7_V1.8.0
  • Verification Hardware Platform:
    • STM32H7B3

Describe the bug

  • Function:

    • static void USBH_ParseDevDesc(USBH_DevDescTypeDef *dev_desc, uint8_t *buf, uint16_t length)
  • Location:

  • Type:

    • Denial-of-Service.
  • Result:

    • A malformed USB device packet may cause the system to hang when it tries to communicate with the outside world.
  • Description:

    • The function USBH_ParseDevDesc() parses the device descriptor by input data from a USB device.
    • The valid max packet size of the device descriptor should be 8, 16, 32, or 64, as the USB specification requires. However, the function USBH_ParseDevDesc() doesn't check the value of dev_desc->bMaxPacketSize, as shown in:
      dev_desc->bMaxPacketSize = *(uint8_t *)(buf + 7);
    • The variable dev_desc->bMaxPacketSize will be used as the size to construct the control pipe between host and device, as shown in:
      phost->Control.pipe_size = phost->device.DevDesc.bMaxPacketSize;
    • If bMaxPacketSize is zero, the firmware will get the error status USBH_FAIL in the function USBH_HandleControl() (called by the function USBH_CtlReq()) when it later tries to communicate with the outside world through the IN and OUT pipes, and the host will try to re-enumerate. This process will loop again and again.

How To Reproduce

  1. Running MSC_Standalone application on the STM32H7B3I platform

  2. Plug a USB disk

  3. Use the attached Bug1.txt to replace the USB device packet.

Additional context

  • To patch it, the program should check if dev_desc->bMaxPacketSize is equal to 8, 16, 32 or 64. At least, it should be greater than zero.
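To illustrate the check the report asks for, here is an added example (not code from the STM32Cube USB Host library; the struct and function names are hypothetical) that parses the fixed part of a device descriptor and rejects any bMaxPacketSize outside 8/16/32/64 before it can be copied into a pipe size:

```c
/* Added example, not code from the STM32Cube USB Host library; names are
 * hypothetical. Offsets follow the 18-byte USB device descriptor layout. */
#include <stddef.h>
#include <stdint.h>

#define DEV_DESC_LEN  18u  /* bLength of a device descriptor */
#define DESC_TYPE_DEV  1u  /* bDescriptorType of a device descriptor */

typedef struct {
    uint8_t  bMaxPacketSize;  /* endpoint-0 max packet size, offset 7 */
    uint16_t idVendor;
    uint16_t idProduct;
} DevDescExample;

/* Only 8, 16, 32 and 64 are legal control-endpoint packet sizes. */
int dev_desc_max_packet_ok(uint8_t size)
{
    return size == 8u || size == 16u || size == 32u || size == 64u;
}

/* Returns 0 on success, -1 on a malformed descriptor. Unlike the parser
 * in the report, an illegal bMaxPacketSize is rejected before it can be
 * copied into the control pipe size. */
int dev_desc_parse(const uint8_t *buf, size_t len, DevDescExample *out)
{
    if (buf == NULL || out == NULL || len < DEV_DESC_LEN)
        return -1;
    if (buf[0] != DEV_DESC_LEN || buf[1] != DESC_TYPE_DEV)
        return -1;
    if (!dev_desc_max_packet_ok(buf[7]))
        return -1;
    out->bMaxPacketSize = buf[7];
    out->idVendor  = (uint16_t)(buf[8]  | (buf[9]  << 8));  /* little-endian */
    out->idProduct = (uint16_t)(buf[10] | (buf[11] << 8));
    return 0;
}

/* Verdict only, for callers that do not need the parsed fields. */
int dev_desc_check(const uint8_t *buf, size_t len)
{
    DevDescExample d;
    return dev_desc_parse(buf, len, &d);
}

/* Constructed sample descriptors (not captured from real hardware):
 * identical except that the second carries bMaxPacketSize = 0. */
const uint8_t good_desc[DEV_DESC_LEN] = { 18, 1, 0x00, 0x02, 0, 0, 0, 64,
    0x34, 0x12, 0x78, 0x56, 0x00, 0x01, 1, 2, 3, 1 };
const uint8_t bad_desc[DEV_DESC_LEN] = { 18, 1, 0x00, 0x02, 0, 0, 0, 0,
    0x34, 0x12, 0x78, 0x56, 0x00, 0x01, 1, 2, 3, 1 };
```

The same check rejects a descriptor that is truncated or carries a non-power-of-two size, so the host never reaches the re-enumeration loop the report describes.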
@TheSilentDawn TheSilentDawn changed the title No validity chekcing on dev_desc->bMaxPacketSize No validity chekcing on the variable dev_desc->bMaxPacketSize Oct 14, 2020
@ALABSTM ALABSTM added the mw Middleware-related issue or pull-request. label Nov 2, 2020
@ALABSTM ALABSTM self-assigned this Nov 2, 2020
@ALABSTM
Contributor

ALABSTM commented Nov 24, 2020

Hi @TheSilentDawn,

Thank you for your interest in our products and software solutions. Thank you also for this report and for all the other ones. They will be transmitted to our development teams for analysis.

However, may I first ask you whether these cases you are reporting (or at least some of them) are real error cases you faced while using our library or simulated test cases you designed based on a code review? Thank you in advance for your answer.

With regards,

@ALABSTM ALABSTM added the enhancement New feature or request label Nov 24, 2020
@TheSilentDawn
Author

TheSilentDawn commented Nov 25, 2020

Hi, @ALABSTM,
All the vulnerabilities reported were discovered by the research work of our team. We are building an automatic method to find the bugs. All the test cases are checked manually before reporting to make sure they could be leveraged by attackers. Also, these vulnerabilities could be patched as described in the Additional context part. Could you please share an email? When our paper is ready for submission, I will let you know and share the draft with you asap. Thanks for your help.^_^

@ALABSTM
Contributor

ALABSTM commented Dec 2, 2020

Hi @TheSilentDawn,

Thank you for your contribution. All the reports you sent will be forwarded to our development teams. I will get back to you as soon as they provide me with their feedback.

Thank you again for your contribution and thank you in advance for your patience.

With regards,

@ALABSTM ALABSTM moved this from To do to Assigned in stm32cube-mcu-fw-dashboard Dec 2, 2020
@ALABSTM ALABSTM added the usb USB-related (host or device) issue or pull-request label Jan 18, 2021
@ALABSTM
Contributor

ALABSTM commented Jan 18, 2021

Hi @TheSilentDawn,

I hope you are doing well. Our technical committee discussed the several points you reported. Actions will be taken to make the necessary updates. I will keep you informed.

Any news or progress from your side? Thank you for your answer and thank you once more for your contribution.

With regards,

@ALABSTM ALABSTM moved this from Assigned to In progress in stm32cube-mcu-fw-dashboard Jan 18, 2021
@ALABSTM ALABSTM added the internal bug tracker Issue confirmed and reported into a ticket in the internal bug tracking system label Jan 18, 2021
@ALABSTM
Contributor

ALABSTM commented Jan 18, 2021

ST Internal Reference: 99173

@ALABSTM ALABSTM added this to the v1.10.0 milestone Feb 22, 2021
@ALABSTM ALABSTM moved this from In progress to To release in stm32cube-mcu-fw-dashboard Feb 22, 2021
@TheSilentDawn
Author

TheSilentDawn commented May 31, 2021

@ALABSTM @CCASTM @Tombana @RKOUSTM
Hello Sir/Madam,

I'm a Ph.D. student from the University of Chinese Academy of Sciences and the University of Georgia. We are working on a fuzzing tool for automatic bug discovery. In the past year, I have reported several bugs that influence the MCU product line of STMicroelectronics. Some other STMicroelectronics engineers and your team have confirmed with us and the reported bugs have been patched. Currently, we are working on a research paper that systematically describes our new method. I wonder if your team can help apply for CVE IDs for these bugs so that we can refer to these CVE IDs and state our responsible disclosure with confidence.

Thanks for your help. If you want, we can also send you a draft of our paper before submission so that you can check whether the wording is appropriate. Below is a list of relevant bugs we reported.

[STM PLC]
https://community.st.com/s/question/0D53W00000BKF70SAH/stmplc-bug1
https://community.st.com/s/question/0D53W00000BKF7PSAX/stmplc-bug2
https://community.st.com/s/question/0D53W00000BKF7QSAX/stmplc-bug3
https://community.st.com/s/question/0D53W00000BKF8rSAH/stmplc-bug4
https://community.st.com/s/question/0D53W00000BKF8sSAH/stmplc-bug5
https://community.st.com/s/question/0D53W00000BKF9uSAH/stmplc-bug6
https://community.st.com/s/question/0D53W00000BKGAMSA5/stmplc-bug7
https://community.st.com/s/question/0D53W00000BKGANSA5/stmplc-bug8
https://community.st.com/s/question/0D53W00000BKGJWSA5/stmplc-bug9
[STM32 SDK USB Driver]
#75
#76
#77
#78
#79
#80
#81
#82
#83
#84

We look forward to your reply.

Sincerely,
Wenqiang Li
Email: wenqiang-li@outlook.com, liwenqiang@iie.ac.cn

@ALABSTM
Contributor

ALABSTM commented Jun 22, 2021

Hello @TheSilentDawn,

Your request will be reported to our development team to see whether it is possible to address it. However, as the PLC-related list of posts on the ST Community has not been confirmed yet, I can only formulate the request for the USB-related list you reported on this repository. I will keep you informed should there be any news.

Please try to contact the ST Community administrators to ask for feedback about the PLC-related list of potential vulnerabilities.

With regards,

@TheSilentDawn
Author

TheSilentDawn commented Jun 22, 2021

Hi @ALABSTM ,
Thanks for your help and advice.

@TheSilentDawn
Author

TheSilentDawn commented Oct 20, 2021

Hi @ALABSTM
How about the CVE requesting process? Our research paper needs CVE ID support.
And we find more bugs in the STM32 MCU package. Should we report it here or email them to you?

@CHAMSTM

CHAMSTM commented Nov 15, 2021

Hi @ALABSTM How about the CVE requesting process? Our research paper needs CVE ID support. And we find more bugs in the STM32 MCU package. Should we report it here or email them to you?

Hello,
Our Security Support team is trying to create CVE IDs and will share them asap.

Kind Regards,

@CHAMSTM

CHAMSTM commented Nov 15, 2021

Issue fixed in USB Host V3.4.0

@ALABSTM
Contributor

ALABSTM commented Mar 14, 2022

Hi @TheSilentDawn,

Hope you're fine. Just to inform you the fix has been published in the frame of v1.10.0 release.

With regards,

@ALABSTM ALABSTM closed this as completed Mar 14, 2022
stm32cube-mcu-fw-dashboard automation moved this from To release to Done Mar 14, 2022