Infinite Loop in STM32 SCSI Driver #69
Labels: bug (Something isn't working); internal bug tracker (Issue confirmed and reported into a ticket in the internal bug tracking system); mw (Middleware-related issue or pull-request); usb (USB-related (host or device) issue or pull-request)
In function SCSI_ReadCapacity16 the variable idx is of type int8_t. It gets compared against the 32-bit variable hmsc->bot_data_length that is controllable via the USB request from outside. If the value of that variable is greater than 255, the loop in line 383 can never meet its exit condition, resulting in an infinite loop.

The bug can be triggered by sending the following command via a USB bulk write to the device running the affected STM32 USB stack:

b"\x55\x53\x42\x43\x13\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x9E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1F\x00\x00\x00"

For fixing, I suggest changing the type of idx to uint32_t.

In case you confirm this bug - could you assign a CVE number for it? I found this bug with a newly developed embedded fuzzing method that is yet to be released, and CVE numbers give higher acceptance chances for scientific papers in the security testing community.
Referenced code: STM32CubeL4/Middlewares/ST/STM32_USB_Device_Library/Class/MSC/Src/usbd_msc_scsi.c, line 383 in c5e83f3
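As an added example (constructed here, not code from the issue or from ST's library), a C model of the pattern: it parses the CBW quoted above, checks whether an int8_t counter can count up to the allocation length that CBW carries, and bounds the host-supplied length against the buffer before the fill loop, using a uint32_t index as the reporter suggests. The buffer size BOT_DATA_SIZE, the function names and the use of CDB bytes 10..13 as the READ CAPACITY(16) allocation length are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the reported pattern (not ST's code): a USB MSC Command
   Block Wrapper carrying READ CAPACITY(16) and the loop consuming its length. */
#define CBW_LEN 31           /* size of a USB MSC Command Block Wrapper */
#define BOT_DATA_SIZE 512    /* assumed size of the device's data buffer */

/* The CBW quoted in the issue, embedded as a constant for offline use. */
static const uint8_t kIssueCbw[CBW_LEN] = {
    'U', 'S', 'B', 'C',            /* dCBWSignature */
    0x13, 0x00, 0x00, 0x00,        /* dCBWTag */
    0x00, 0x00, 0x00, 0x00,        /* dCBWDataTransferLength */
    0x00, 0x00, 0x06,              /* bmCBWFlags, bCBWLUN, bCBWCBLength */
    0x9E, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x1F, 0, 0, 0 /* CDB (16 B) */
};

/* Parse the allocation length from a READ CAPACITY(16) CDB (bytes 10..13,
   big-endian). Returns -1 if the CBW signature or the opcode does not match. */
static int64_t cbw_read_capacity16_alloc_len(const uint8_t *cbw)
{
    const uint8_t *cdb = cbw + 15;             /* CB starts after the header */
    if (memcmp(cbw, "USBC", 4) != 0 || cdb[0] != 0x9E)
        return -1;
    return (int64_t)(((uint32_t)cdb[10] << 24) | ((uint32_t)cdb[11] << 16) |
                     ((uint32_t)cdb[12] << 8) | (uint32_t)cdb[13]);
}

/* True if an int8_t loop counter could ever count up to len (it covers 0..127). */
static bool int8_counter_can_reach(uint32_t len)
{
    return len <= (uint32_t)INT8_MAX + 1U;
}

/* Hardened handler: parse the CBW, then zero-fill with a 32-bit index and a
   bound check on the host-supplied length. Returns bytes cleared, -1 when the
   length exceeds the buffer, -2 when the CBW is not READ CAPACITY(16). */
static int32_t handle_read_capacity16(const uint8_t *cbw)
{
    static uint8_t bot_data[BOT_DATA_SIZE];    /* stands in for hmsc->bot_data */
    int64_t len = cbw_read_capacity16_alloc_len(cbw);
    if (len < 0) return -2;
    if ((uint64_t)len > sizeof bot_data) return -1;   /* reject, do not loop */
    for (uint32_t idx = 0; idx < (uint32_t)len; idx++)
        bot_data[idx] = 0;
    return (int32_t)len;
}
```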