NetBSD-SA2023-001 Multiple buffer overflows in USB drivers
Comments (5)
-
reporter -
reporter - changed status to resolved
BUGFIX: Issue #360 - NetBSD-SA2023-001 Multiple buffer overflows in USB drivers, see https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2023-001.txt.asc. Patches are derived from:
- http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/usb/ucycom.c.diff?r1=1.48&r2=1.49 Fix buffer overflows: validate the lengths at attach time, given that they are apparently not supposed to be variable. Drop sc_ilen since it is unused.
- http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/usb/uhid.c.diff?r1=1.110&r2=1.111 Fix buffer overflows. Also add missing mutex_exit.
- http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/usb/uthum.c.diff?r1=1.17&r2=1.18 Fix buffer overflows. sc_{o,f}len are controlled by the USB device. By crafting the former the device can leak stack data. By crafting the latter the device can overwrite the stack. The combination of the two means the device can ROP the kernel and obtain code execution (demonstrated with an actual exploit over vHCI). Truncate the lengths to the size of the buffers, and also drop sc_ilen since it is unused. Patch tested with vHCI+kASan.
→ <<cset 63793cc465d0>>
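The two mitigation styles named in the commit message (ucycom: validate device-reported lengths at attach time; uthum: truncate the length to the buffer size before each copy) modelled in C. This is an added illustration, not code from the NetBSD drivers or from this tracker's patches; hyp_softc, attach_validate, bounded_copy_in, selfcheck and the buffer size are hypothetical names and values.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative fixed-size report buffer; the size is made up, not the driver's. */
#define OBUF_SIZE 8

/* Minimal stand-in for the driver's softc: lengths the USB device reports. */
struct hyp_softc {
	size_t  sc_olen;             /* output report length, device-controlled */
	size_t  sc_flen;             /* feature report length, device-controlled */
	uint8_t sc_obuf[OBUF_SIZE];  /* fixed-size buffer the lengths index into */
};

/* ucycom-style: reject at attach time any device whose reported lengths
 * exceed the fixed buffers, so later copies are bounded by construction. */
int attach_validate(struct hyp_softc *sc, size_t dev_olen, size_t dev_flen)
{
	if (dev_olen > OBUF_SIZE || dev_flen > OBUF_SIZE)
		return EINVAL;          /* refuse to attach: lengths out of range */
	sc->sc_olen = dev_olen;
	sc->sc_flen = dev_flen;
	return 0;
}

/* uthum-style: clamp a device-controlled length to the buffer size at the
 * copy site, so a crafted length can neither write past sc_obuf nor read
 * beyond it. Returns the number of bytes actually copied. */
size_t bounded_copy_in(struct hyp_softc *sc, const uint8_t *src, size_t dev_len)
{
	size_t n = dev_len < sizeof(sc->sc_obuf) ? dev_len : sizeof(sc->sc_obuf);
	memcpy(sc->sc_obuf, src, n);
	return n;
}

/* Self-check on a constructed 32-byte report, far larger than the buffer. */
int selfcheck(void)
{
	struct hyp_softc sc;
	uint8_t report[32];
	memset(report, 0xAB, sizeof(report));
	if (attach_validate(&sc, 32, 4) != EINVAL) return 0;      /* oversized: rejected */
	if (attach_validate(&sc, OBUF_SIZE, 4) != 0) return 0;    /* in range: accepted */
	if (bounded_copy_in(&sc, report, 32) != OBUF_SIZE) return 0; /* clamped */
	if (bounded_copy_in(&sc, report, 3) != 3) return 0;       /* short: copied whole */
	return 1;
}

int main(void) { printf("selfcheck: %s\n", selfcheck() ? "ok" : "FAIL"); return 0; }
```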
-
reporter - changed status to open
Reopen: sys/dev/usb/uthum.c uses uimin() but N6 lacks it; use min() instead.
-
reporter - libkern.h's min/max conflict with libz and everywhere, but renaming is too huge a work; see TNF's HEAD change https://mail-index.netbsd.org/source-changes/2018/09/03/msg098810.html
-
reporter - changed status to resolved
fixed, <<cset:b531a988c7941fa615ae5f943efeb1653917c5ec>>