Impact
In _ux_host_class_pima_read, the device response carries a data length in its very first packet, which the code at L165 reads as header_length. The "if" branch at L178 then evaluates "(header_length - UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE) > data_length". If header_length is smaller than UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE, this subtraction can overflow, and the calculation of data_length at L182 then overflows as well. As a result, the while loop starting at L192 can move data_pointer to an unexpected address and cause a write buffer overflow.
Patches
We analyzed this bug and determined that we needed to fix it. This fix has been included in USBX release 6.1.12.
Workarounds
Add check of header_length:
- It must be greater than UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE.
- It should be greater or equal to the current returned data length (transfer_request -> ux_transfer_request_actual_length).
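The two checks above, sketched as an added example (not USBX code and not the released patch). The helper names and the header size of 12 bytes are assumptions made for this illustration; the sample values in main are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed value for this example; it stands in for
   UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE. */
#define PIMA_DATA_HEADER_SIZE 12u

/* Unchecked arithmetic as the advisory describes it: with unsigned
   operands, a header_length below the header size wraps around to a
   very large value instead of going negative. */
static uint32_t payload_length_unchecked(uint32_t header_length)
{
    return header_length - PIMA_DATA_HEADER_SIZE;
}

/* Hypothetical helper applying both workaround checks before any
   subtraction. Returns 0 and stores the payload length on success,
   -1 when the device-supplied header_length is not acceptable. */
static int payload_length_checked(uint32_t header_length,
                                  uint32_t actual_length,
                                  uint32_t *payload_length)
{
    /* Check 1: must be greater than the header size. */
    if (header_length <= PIMA_DATA_HEADER_SIZE)
        return -1;
    /* Check 2: must be >= the length actually returned so far. */
    if (header_length < actual_length)
        return -1;
    *payload_length = header_length - PIMA_DATA_HEADER_SIZE;
    return 0;
}

int main(void)
{
    /* Constructed samples: {header_length, actual_length}. */
    const uint32_t samples[][2] = { {4, 4}, {12, 12}, {20, 64}, {64, 64} };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t n = 0;
        int rc = payload_length_checked(samples[i][0], samples[i][1], &n);
        printf("header_length=%u unchecked=0x%08x checked=%s payload=%u\n",
               (unsigned)samples[i][0],
               (unsigned)payload_length_unchecked(samples[i][0]),
               rc == 0 ? "accept" : "reject", (unsigned)n);
    }
    return 0;
}
```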
For more information
If you have any questions or comments about this advisory:
- Open an issue in azure-rtos/usbx
- Post question on Microsoft Q&A