Impact
An attacker can cause a buffer overflow by providing the Azure RTOS USBX host stack a HUB descriptor with bNbPorts set to a value greater than UX_MAX_TT, which defaults to 8. For a bNbPorts value of 255, the implementation of the ux_host_class_hub_descriptor_get function will modify the contents of the hub -> ux_host_class_hub_device -> ux_device_hub_tt array, violating the end boundary by 255 - UX_MAX_TT items.
Patches
We analyzed this bug and determined that we needed to fix it. As pointed out in the original report, our USB host stack needs to validate the number of ports reported by the hub, and if the value is larger than UX_MAX_TT, the USB stack needs to reject the request. This fix has been included in USBX release 6.1.10.
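The check described above, as an added example that is not the USBX source: a simplified model in which the host writes one TT entry per reported port. The struct layout, function name, return codes and sample descriptor bytes are assumptions made for illustration; MAX_TT stands in for UX_MAX_TT.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_TT           8     /* stands in for UX_MAX_TT (default 8) */
#define HUB_DESC_TYPE    0x29  /* USB 2.0 hub class descriptor type */
#define HUB_DESC_MIN_LEN 7     /* fixed-size part of the descriptor */

enum { HUB_OK = 0, HUB_ERR_DESCRIPTOR = -1 };
struct hub_tt { uint32_t port_mapping; uint32_t max_bandwidth; };

/* Hypothetical device record: fixed TT array followed by other state. */
struct hub_device {
    struct hub_tt tt[MAX_TT];
    uint32_t      guard;       /* whatever sits after the array in memory */
};

/* Constructed sample descriptors: byte 2 is the port count (bNbPorts). */
static const uint8_t sample_4_ports[]   = {9, 0x29, 4,   0, 0, 50, 0, 0x00, 0xFF};
static const uint8_t sample_255_ports[] = {9, 0x29, 255, 0, 0, 50, 0, 0x00, 0xFF};

/* Every descriptor byte is device-controlled, so the port count is
   range-checked before it is ever used as a loop bound over tt[]. */
int hub_tt_setup(struct hub_device *dev, const uint8_t *desc, size_t len)
{
    if (len < HUB_DESC_MIN_LEN || desc[0] < HUB_DESC_MIN_LEN || desc[0] > len)
        return HUB_ERR_DESCRIPTOR;          /* truncated or inconsistent */
    if (desc[1] != HUB_DESC_TYPE)
        return HUB_ERR_DESCRIPTOR;

    uint8_t nb_ports = desc[2];
    if (nb_ports > MAX_TT)
        return HUB_ERR_DESCRIPTOR;          /* reject; do not clamp and continue */

    for (uint8_t port = 0; port < nb_ports; port++) {
        dev->tt[port].port_mapping  = 1u << port;
        dev->tt[port].max_bandwidth = 0;
    }
    return HUB_OK;
}

int main(void)
{
    struct hub_device dev;
    memset(&dev, 0, sizeof dev);
    int ok  = hub_tt_setup(&dev, sample_4_ports, sizeof sample_4_ports);
    int bad = hub_tt_setup(&dev, sample_255_ports, sizeof sample_255_ports);
    return (ok == HUB_OK && bad == HUB_ERR_DESCRIPTOR) ? 0 : 1;
}
```

Rejecting the descriptor outright, rather than clamping the count to MAX_TT, matches the advisory's stated fix and avoids enumerating a hub whose reported topology cannot be trusted.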
Workarounds
Upgrade to v6.1.10 or above.
For more information
If you have any questions or comments about this advisory: