Headline
CVE-2022-39293: Release Azure RTOS 6.1.12 · azure-rtos/usbx
Azure RTOS USBX is a high-performance USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS ThreadX. The case is, in _ux_host_class_pima_read, there is data length from device response, returned in the very first packet, and read by L165 code, as header_length. Then in L178 code, there is a “if” branch, which check the expression of “(header_length - UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE) > data_length” where if header_length is smaller than UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE, calculation could overflow and then L182 code the calculation of data_length is also overflow, this way the later while loop start from L192 can move data_pointer to unexpected address and cause write buffer overflow. The fix has been included in USBX release 6.1.12. The following can be used as a workaround: Add check of header_length
: 1. It must be greater than UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE
. 1. It should be greater or equal to the current returned data length (transfer_request -> ux_transfer_request_actual_length
).
Fixed Pictbridge and PIMA issues, files modified:
ux_pictbridge.h
ux_pictbridge_dpsclient_object_info_get.c
ux_pictbridge_dpsclient_object_info_send.c
ux_pictbridge_dpshost_object_get.c
ux_pictbridge_dpshost_response_get.c
ux_pictbridge_dpshost_start.c
ux_device_class_pima_interrupt_thread.c
ux_device_class_pima_storage_info_get.c
ux_host_class_pima.h
ux_host_class_pima_device_info_get.c
ux_host_class_pima_object_handles_get.c
ux_host_class_pima_read.c
ux_host_class_pima_storage_ids_get.c
Improved host CDC-ECM MAC string validation, file modified:
ux_host_class_cdc_ecm_mac_address_get.c
Added standalone host/device HID interrupt OUT support, files modified:
ux_host_class_hid_report_set_run.c
ux_device_class_hid.h
ux_device_class_hid_activate.c
ux_device_class_hid_initialize.c
ux_device_class_hid_read.c
ux_device_class_hid_receiver_event_get.c
ux_device_class_hid_receiver_initialize.c
ux_device_class_hid_read_run.c
ux_device_class_hid_receiver_tasks_run.c
Updated dCSWDataResidue while handling device storage inquiry command, file modified:
ux_device_class_storage_inquiry.c
Added USB audio class (UAC) multiple sampling frequencies support, files modified:
ux_device_class_audio20.h
ux_device_class_audio20_control_process.c
ux_device_class_audio10.h
ux_device_class_audio10_control_process.c
Added device audio class (UAC) optional interrupt support, files modified/added:
ux_user_sample.h
ux_class_audio10.h
ux_class_audio20.h
ux_device_class_audio.h
ux_device_class_audio_activate.c
ux_device_class_audio_initialize.c
ux_device_class_audio_unitialize.c
ux_device_class_audio_interrupt_send.c
ux_device_class_audio_interrupt_thread_entry.c
Added host audio class (UAC) optional interrupt endpoint support, files modified/added:
ux_user_sample.h
ux_host_class_audio.h
ux_host_class_audio_activate.c
ux_host_class_audio_deactivate.c
ux_host_class_audio_device_type_get.c
ux_host_class_audio_interrupt_notification.c
ux_host_class_audio_interrupt_start.c
In device DFU, validated request type for DNLOAD request in all states,
and checked length for UPLOAD request in _UPLOAD_IDLE state, file modified:
ux_device_class_dfu_control_request.c
Added device CDC ACM and printer write auto ZLP option, files modified:
ux_user_sample.h
ux_device_class_cdc_acm.h
ux_device_class_printer.h
ux_device_class_cdc_acm_bulkin_thread.c
ux_device_class_cdc_acm_write.c
ux_device_class_cdc_acm_write_run.c
ux_device_class_printer_write.c
Fixed addressing issues in host controller driver, files modified:
ux_hcd_ohci_asynchronous_endpoint_create.c
ux_hcd_ohci_done_queue_process.c
Added standalone host hub support, files modified/added:
ux_host_stack.h
ux_host_stack_device_resources_free.c
ux_host_stack_new_device_get.c
ux_host_stack_tasks_run.c
ux_host_class_hub.h
ux_host_class_hub_activate.c
ux_host_class_hub_change_detect.c
ux_host_class_hub_deactivate.c
ux_host_class_hub_descriptor_get.c
ux_host_class_hub_entry.c
ux_host_class_hub_feature.c
ux_host_class_hub_interrupt_endpoint_start.c
ux_host_class_hub_port_change_connection_process.c
ux_host_class_hub_status_get.c
ux_host_class_hub_transfer_request_completed.c
ux_host_class_hub_tasks_run.c
Added definitions for device audio 2.0 clock multiplier support, file modified:
ux_device_class_audio20.h
Added host audio feedback and 2.0 protocol support, files modified/added:
ux_host_class_audio.h
ux_host_class_audio_activate.c
ux_host_class_audio_alternate_setting_locate.c
ux_host_class_audio_control_get.c
ux_host_class_audio_control_value_get.c
ux_host_class_audio_control_value_set.c
ux_host_class_audio_deactivate.c
ux_host_class_audio_descriptor_get.c
ux_host_class_audio_device_controls_list_get.c
ux_host_class_audio_device_type_get.c
ux_host_class_audio_endpoints_get.c
ux_host_class_audio_entry.c
ux_host_class_audio_read.c
ux_host_class_audio_streaming_sampling_get.c
ux_host_class_audio_streaming_sampling_set.c
ux_host_class_audio_transfer_request.c
ux_host_class_audio_write.c
ux_class_audio10.h
ux_class_audio20.h
ux_host_class_audio_control_request.c
ux_host_class_audio_descriptors_parse.c
ux_host_class_audio_entity_control_get.c
ux_host_class_audio_entity_control_value_get.c
ux_host_class_audio_entity_control_value_set.c
ux_host_class_audio_feedback_get.c
ux_host_class_audio_feedback_set.c
ux_host_class_audio_feedback_transfer_completed.c
ux_host_class_audio_raw_sampling_parse.c
ux_host_class_audio_stop.c
Improved UVC transfer abort/restart, files modified:
ux_host_stack_endpoint_instance_create.c
ux_host_class_video_ioctl.c
ux_host_class_video_transfer_buffer_add.c
ux_host_class_video_transfer_buffers_add.c
ux_host_class_video_transfer_request.c
ux_host_class_video_transfer_request_callback.c
ux_hcd_ehci_hsisochronous_tds_process.c
ux_hcd_ehci_request_isochronous_transfer.c
ux_hcd_ehci_transfer_abort.c
Fixed ipv6 support issues, files modified:
ux_network_driver.c
ux_network_driver.h
Fixed OHCI PRSC (Port Reset) issue, files modified:
ux_hcd_ohci_initialize.c
ux_hcd_ohci_interrupt_handler.c
ux_hcd_ohci_port_reset.c
ux_hcd_ohci.h
ux_utility.h
Various files were modified to improve internal logic, comments and variable namings.