Infinite Loop in STM32 SCSI Driver #69

Closed
maxeisele opened this issue Jun 27, 2022 · 3 comments

@maxeisele

In function SCSI_ReadCapacity16 the variable idx is of type int8_t. It gets compared against the 32-bit variable hmsc->bot_data_length that is controllable via the USB Request from outside.
If the value of that variable is greater than 255, the loop in line 383 can never meet its exit condition, resulting in an infinite loop.

The bug can be triggered by sending the following command via a USB Bulk Write to the device running the affected STM32 USB Stack:
b"\x55\x53\x42\x43\x13\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x9E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1F\x00\x00\x00"

For fixing, I suggest changing the type of idx to uint32_t.

In case you confirm this bug - could you assign a CVE number for it? I found this bug with a newly developed embedded fuzzing method that is yet to be released and CVE numbers give higher acceptance chances for scientific papers in the security testing community.

for (idx = 0U; idx < hmsc->bot_data_length; idx++)
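
A host-side model of the loop shape quoted above, added here as an example and not taken from the issue or from the ST code base: it runs the same comparison once with an 8-bit counter and once with the suggested uint32_t counter. The counter is modelled as uint8_t, and the function names, the ITERATION_CAP guard and the bound values are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

#define ITERATION_CAP 100000U     /* constructed guard so the demo itself terminates */
#define NO_EXIT       UINT32_MAX  /* sentinel: cap reached, loop never exited on its own */

/* Reported loop shape: 8-bit counter compared against a 32-bit,
 * host-supplied bound. Assumption: the counter is modelled as uint8_t. */
uint32_t iterations_narrow(uint32_t bound)
{
    uint8_t idx;
    uint32_t n = 0U;

    for (idx = 0U; idx < bound; idx++) {
        /* idx wraps 255 -> 0, so for bound > 255 the condition stays true */
        if (++n > ITERATION_CAP) {
            return NO_EXIT;
        }
    }
    return n;
}

/* Fix suggested in the report: counter as wide as the bound. */
uint32_t iterations_wide(uint32_t bound)
{
    uint32_t idx;
    uint32_t n = 0U;

    for (idx = 0U; idx < bound; idx++) {
        if (++n > ITERATION_CAP) {
            return NO_EXIT;
        }
    }
    return n;
}

int main(void)
{
    const uint32_t bounds[] = { 0U, 255U, 256U, 1000U };  /* constructed values */

    for (size_t i = 0; i < sizeof bounds / sizeof bounds[0]; i++) {
        uint32_t narrow = iterations_narrow(bounds[i]);
        printf("bound=%lu narrow=%s wide=%lu\n", (unsigned long)bounds[i],
               narrow == NO_EXIT ? "never exits" : "exits",
               (unsigned long)iterations_wide(bounds[i]));
    }
    return 0;
}
```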

@ASELSTM ASELSTM self-assigned this Jul 13, 2022
@ASELSTM ASELSTM added bug Something isn't working internal bug tracker Issue confirmed and reported into a ticket in the internal bug tracking system usb USB-related (host or device) issue or pull-request labels Jul 13, 2022
@ASELSTM ASELSTM moved this from To do to In progress in stm32cube-mcu-fw-dashboard Jul 13, 2022
@STMicroelectronics STMicroelectronics deleted a comment from ASELSTM Jul 13, 2022
@PierreLeCorre

Thanks for reporting this issue. It is now managed by ST PSIRT team.

@PierreLeCorre PierreLeCorre removed the internal bug tracker Issue confirmed and reported into a ticket in the internal bug tracking system label Jul 13, 2022
@ALABSTM ALABSTM self-assigned this Jul 27, 2022
@ALABSTM ALABSTM added the mw Middleware-related issue or pull-request. label Oct 13, 2023
@ALABSTM ALABSTM added the internal bug tracker Issue confirmed and reported into a ticket in the internal bug tracking system label Dec 12, 2023
@ALABSTM

ALABSTM commented Dec 12, 2023

ST Internal Reference: 131746

@ALABSTM ALABSTM added this to the v1.18.0 milestone Dec 12, 2023
@ALABSTM

ALABSTM commented Dec 12, 2023

Hi @maxeisele,

Issue fixed in the frame of version 1.18.0, as you can see below. Thank you again for having reported.

With regards,

@ALABSTM ALABSTM closed this as completed Dec 12, 2023
stm32cube-mcu-fw-dashboard automation moved this from In progress to Done Dec 12, 2023