
Fix buffer overflow #4

Merged (2 commits) on Mar 29, 2023

Conversation

Defonceuse (Contributor)

In case the descriptor contains more endpoints than USBH_MAX_NUM_ENDPOINTS, the Ep_Desc array and the subsequent members of USBH_HandleTypeDef that contain function pointers are overwritten, allowing arbitrary code execution.

IMPORTANT INFORMATION

Contributor License Agreement (CLA)

  • The Pull Request feature will be considered by STMicroelectronics after the signature of a Contributor License Agreement (CLA) by the submitter.
  • If you did not sign such agreement, please follow the steps mentioned in the CONTRIBUTING.md file.

@ALABSTM ALABSTM self-assigned this Feb 7, 2022
@ALABSTM ALABSTM linked an issue Feb 28, 2022 that may be closed by this pull request
@ALABSTM (Collaborator) commented Feb 28, 2022

Hi @Defonceuse,

Thank you for this fix proposal. The point will be forwarded to our development teams. I will get back to you as soon as I have their feedback.

May I ask you whether you noticed the point just by reviewing the code or whether you actually experienced a failure due to this implementation? Thank you in advance for your reply.

With regards,

@ALABSTM ALABSTM moved this from To do to In progress in stm32cube-mcu-mw-dashboard Feb 28, 2022
@ALABSTM ALABSTM added the labels enhancement (New feature or request), mw (Middleware-related issue or pull-request) and usb (USB-related (host or device) issue or pull-request) on Mar 4, 2022
@ncsc-ch-vuln-mgmt commented

Hi @ALABSTM,
At the Swiss NCSC (National Cybersecurity Center), we were contacted by the original reporter in January 2022 to assign a CVE number for this issue.

We were unable to get a security contact at your company via other channels; please contact us at vulnerability@ncsc.ch so we can discuss this case.

@ALABSTM (Collaborator) commented Apr 18, 2022

Hi @ncsc-ch-vuln-mgmt,

Your request has been forwarded internally. I will get back to you as soon as I have an answer.

With regards,

@Defonceuse (Contributor, Author) commented

Hi @ALABSTM,

Sorry for the delay, I overlooked your question.

> May I ask you whether you noticed the point just by reviewing the code or whether you actually experienced a failure due to this implementation? Thank you in advance for your reply.

I became aware of the problem when I connected a USB Mass Storage device that has more than USBH_MAX_NUM_ENDPOINTS endpoints, and an exception handler was immediately triggered.

I did not review the code, as it was treated as third-party code. Had it been reviewed, the vulnerability would likely have become obvious when checking for the coding rule that array indexes must be range-checked before use in case they are received from an external/untrusted source.

Kind regards,
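
The failure mode described in the pull-request description (a device-supplied endpoint count running past Ep_Desc into the function-pointer members that follow) and the range-check rule the finder mentions above, as an added example that is not part of the original thread and not the STMicroelectronics middleware code: a simplified C model with a two-slot Ep_Desc array, a stand-in handle struct whose only later member is one function pointer, an illustrative USBH_MAX_NUM_ENDPOINTS of 2, assumed return codes (PARSE_OK, PARSE_NOT_SUPPORTED, PARSE_MALFORMED) and a constructed configuration descriptor declaring four bulk endpoints. The same descriptor walker runs once without the index check and once with it, and the code reports whether the function pointer's bytes survived.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative limit (the real middleware configures its own): with 2 slots, a
   four-endpoint interface overruns Ep_Desc[] by two entries. */
#define USBH_MAX_NUM_ENDPOINTS   2
#define USB_DESC_TYPE_INTERFACE  0x04
#define USB_DESC_TYPE_ENDPOINT   0x05
#define USB_EP_DESC_LEN          7

typedef struct {
    uint8_t  bEndpointAddress;
    uint8_t  bmAttributes;
    uint16_t wMaxPacketSize;
    uint8_t  bInterval;
} EpDesc;                                    /* 6 bytes on common ABIs */

typedef void (*usbh_cb_t)(void);

/* Simplified stand-in for USBH_HandleTypeDef: the endpoint array is followed by a
   function pointer, modelling the later members the PR description says get overwritten. */
typedef struct {
    EpDesc    Ep_Desc[USBH_MAX_NUM_ENDPOINTS];
    usbh_cb_t pCallback;
} HostHandle;

/* The handle plus a few bytes of the RAM after it, so the overrun stays inside one object. */
typedef union { HostHandle h; unsigned char raw[64]; } HandleMem;

static void safe_callback(void) {}

enum { PARSE_OK = 0, PARSE_NOT_SUPPORTED = 1, PARSE_MALFORMED = 2 };  /* assumed codes */

/* Store the 7-byte wire endpoint descriptor d[] in Ep_Desc[ep_ix]. As in the reported
   code, ep_ix is never compared against the array size here. */
static void store_ep(HandleMem *m, size_t ep_ix, const uint8_t *d)
{
    EpDesc e;
    size_t off = offsetof(HostHandle, Ep_Desc) + ep_ix * sizeof e;
    if (off + sizeof e > sizeof m->raw) return;  /* harness limit only; firmware has no stop */
    memset(&e, 0, sizeof e);                     /* deterministic padding bytes */
    e.bEndpointAddress = d[2];
    e.bmAttributes     = d[3];
    e.wMaxPacketSize   = (uint16_t)(d[4] | (d[5] << 8));
    e.bInterval        = d[6];
    memcpy(m->raw + off, &e, sizeof e);
}

/* Walk a configuration descriptor and collect the endpoints of its first interface.
   check_bounds == 0 reproduces the bug; check_bounds == 1 is the hardened form, which
   rejects the device instead of indexing past Ep_Desc[]. */
static int parse_cfg(HandleMem *m, const uint8_t *cfg, size_t len,
                     int check_bounds, size_t *stored)
{
    size_t pos = 0, ep_ix = 0;
    int in_itf = 0, rc = PARSE_OK;
    while (pos + 2 <= len) {
        uint8_t bLength = cfg[pos], bType = cfg[pos + 1];
        if (bLength < 2 || pos + bLength > len) { rc = PARSE_MALFORMED; break; }
        if (bType == USB_DESC_TYPE_INTERFACE) {
            if (in_itf) break;                   /* first interface only in this model */
            in_itf = 1;
        } else if (bType == USB_DESC_TYPE_ENDPOINT && in_itf) {
            if (bLength < USB_EP_DESC_LEN) { rc = PARSE_MALFORMED; break; }
            if (check_bounds && ep_ix >= USBH_MAX_NUM_ENDPOINTS) {
                rc = PARSE_NOT_SUPPORTED;        /* device-controlled count exceeds storage */
                break;
            }
            store_ep(m, ep_ix, cfg + pos);
            ep_ix++;
        }
        pos += bLength;
    }
    *stored = ep_ix;
    return rc;
}

/* Constructed (not captured) configuration descriptor: one mass-storage interface
   declaring four bulk endpoints, two more than USBH_MAX_NUM_ENDPOINTS. */
static const uint8_t CFG_FOUR_EPS[] = {
    9, 0x02, 0x2e, 0x00, 1, 1, 0, 0x80, 50,      /* configuration, wTotalLength = 46 */
    9, 0x04, 0, 0, 4, 0x08, 0x06, 0x50, 0,       /* interface 0: MSC, bNumEndpoints = 4 */
    7, 0x05, 0x81, 0x02, 0x00, 0x02, 0x01,       /* EP 0x81 bulk IN, 512 bytes */
    7, 0x05, 0x02, 0x02, 0x00, 0x02, 0x01,       /* EP 0x02 bulk OUT */
    7, 0x05, 0x83, 0x02, 0x00, 0x02, 0x01,       /* EP 0x83: written past Ep_Desc[] */
    7, 0x05, 0x04, 0x02, 0x00, 0x02, 0x01,       /* EP 0x04: lands on pCallback */
};

/* Parse CFG_FOUR_EPS into a fresh handle; returns 1 if pCallback's bytes are unchanged
   afterwards, 0 if the parser clobbered them. */
static int run_demo(int check_bounds, int *status, size_t *stored)
{
    HandleMem m;
    unsigned char before[sizeof(usbh_cb_t)];
    memset(&m, 0, sizeof m);
    m.h.pCallback = safe_callback;
    memcpy(before, m.raw + offsetof(HostHandle, pCallback), sizeof before);
    *status = parse_cfg(&m, CFG_FOUR_EPS, sizeof CFG_FOUR_EPS, check_bounds, stored);
    return memcmp(before, m.raw + offsetof(HostHandle, pCallback), sizeof before) == 0;
}

/* Single-value wrappers, convenient for asserting on the outcome. */
static int    callback_intact(int check_bounds) { int s; size_t n; return run_demo(check_bounds, &s, &n); }
static int    parse_status(int check_bounds)    { int s; size_t n; run_demo(check_bounds, &s, &n); return s; }
static size_t eps_stored(int check_bounds)      { int s; size_t n; run_demo(check_bounds, &s, &n); return n; }

int main(void)
{
    printf("unchecked: status=%d stored=%zu intact=%d\n", parse_status(0), eps_stored(0), callback_intact(0));
    printf("hardened:  status=%d stored=%zu intact=%d\n", parse_status(1), eps_stored(1), callback_intact(1));
    return 0;
}
```

Without the check the walker stores all four endpoints and the bytes of the third and fourth land on pCallback, which is exactly the state in which the firmware's next indirect call through the handle jumps to attacker-chosen bytes (the exception handler the finder saw is the benign case). With the check the walker stops at the array size, reports the device as not supported and leaves pCallback untouched. The descriptor's own length fields are also validated against the buffer, since bLength and wTotalLength are device-controlled too.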

@Defonceuse (Contributor, Author) commented

This important vulnerability fix was missed and not merged into recent releases. Please confirm that it will be merged into the upcoming release.

@ncsc-ch-vuln-mgmt commented

Hi,
As this vulnerability has been open and publicly documented for a while, and since we did not get feedback from the vendor, we have issued a CVE at the finder's request: CVE-2021-42553, https://www.cve.org/CVERecord?id=CVE-2021-42553

@CHAMSTM commented Mar 24, 2023

Release v3.5.1 addresses CVE-2021-42553

@ALABSTM ALABSTM merged commit f4332bd into STMicroelectronics:master Mar 29, 2023
stm32cube-mcu-mw-dashboard automation moved this from In progress to Done Mar 29, 2023
@ALABSTM (Collaborator) commented Mar 29, 2023

Hi @Defonceuse,

Really sorry for this delay. Your pull-request has just been merged. Thank you very much for your contribution. Looking forward to receiving other ones.

With regards,

@ALABSTM (Collaborator) commented Mar 29, 2023

Hi @ncsc-ch-vuln-mgmt,

Really sorry for this delay too. Thank you very much for the notification about the CVE identifier creation.

A SECURITY.md file (like this one) will be uploaded into this repository that will provide users with the contact info in case they have detected any vulnerability related to security aspects.

With regards,

@ALABSTM ALABSTM added this to the v3.5.1 milestone Apr 10, 2023

Linked issue (may be closed by this pull request): Overrun when interface ep_ix >= USBH_MAX_NUM_ENDPOINTS
4 participants