CVE-2021-42553: Fix buffer overflow by Defonceuse · Pull Request #4 · STMicroelectronics/stm32_mw_usb_host
A buffer overflow vulnerability in stm32_mw_usb_host of STMicroelectronics allows an attacker to execute arbitrary code when the descriptor contains more endpoints than USBH_MAX_NUM_ENDPOINTS. The library is typically integrated when using an RTOS such as FreeRTOS on STM32 MCUs.
In case the descriptor contains more endpoints than USBH_MAX_NUM_ENDPOINTS, the Ep_Desc array and subsequent members of USBH_HandleTypeDef that contain function pointers are overwritten, allowing arbitrary code execution.
ALABSTM linked an issue that may be closed by this pull request (Feb 28, 2022).

ALABSTM (Collaborator) commented Feb 28, 2022:
Hi @Defonceuse,
Thank you for this fix proposal. The point will be forwarded to our development teams. I will get back to you as soon as I have their feedback.
May I ask you whether you noticed the point just by reviewing the code or whether you actually experienced a failure due to this implementation? Thank you in advance for your reply.
With regards,
ALABSTM added the labels enhancement (New feature or request), mw (Middleware-related issue or pull-request) and usb (USB-related, host or device, issue or pull-request) on Mar 4, 2022.

ncsc-ch-vuln-mgmt commented:
Hi @ALABSTM,
At the Swiss NCSC (National Cybersecurity Center), we were contacted by the original reporter in January 2022 to assign a CVE number for this issue.
We were unable to reach a security contact at your company via other channels; please contact us at [email protected] so we can discuss this case.
ALABSTM (Collaborator) commented Apr 18, 2022:
Hi @ncsc-ch-vuln-mgmt,
Your request has been forwarded internally. I will get back to you as soon as I have an answer.
With regards,
Defonceuse commented:
Hi @ALABSTM,
Sorry for the delay, I overlooked your question.
> May I ask you whether you noticed the point just by reviewing the code or whether you actually experienced a failure due to this implementation? Thank you in advance for your reply.
I became aware of the problem when I connected a USB Mass Storage device that has more than USBH_MAX_NUM_ENDPOINTS and an exception handler was immediately triggered.
I did not review the code, as it was treated as third-party code. Had it been reviewed, the vulnerability would likely have become obvious when checking for the coding rule that array indexes must be range-checked before use when they are received from an external/untrusted source.
Kind regards,
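As an added example (not code from this PR or from the stm32_mw_usb_host library), the range check the reporter describes above, applied to a minimal model of the handle: the struct layout, the field and function names and the value of USBH_MAX_NUM_ENDPOINTS are assumptions for the demo, not the real USBH_HandleTypeDef or its parser.

```c
/* Added example (not the project's code): a minimal model of the defect in
 * this PR and the range check that closes it. Names/layout are assumptions. */
#include <stddef.h>
#include <stdint.h>

#define USBH_MAX_NUM_ENDPOINTS 2     /* assumed: small so the demo trips early */
#define USB_DESC_TYPE_ENDPOINT 0x05  /* standard USB endpoint descriptor type */

typedef struct { uint8_t bEndpointAddress, bmAttributes; uint16_t wMaxPacketSize; uint8_t bInterval; } EpDesc;

typedef struct {
    uint8_t bNumEndpoints;
    EpDesc  Ep_Desc[USBH_MAX_NUM_ENDPOINTS];
    void  (*on_event)(void);  /* sits after the array, like the handle's function pointers */
} HostHandle;

/* Copy up to num_ep endpoint descriptors from a raw descriptor buffer into h.
 * Returns 0 on success, -1 if the device claims more endpoints than the fixed
 * array holds (the CVE-2021-42553 condition) or the buffer is malformed. */
int parse_endpoints(HostHandle *h, const uint8_t *buf, size_t len, uint8_t num_ep) {
    if (num_ep > USBH_MAX_NUM_ENDPOINTS) return -1;  /* the missing range check */
    size_t off = 0; uint8_t found = 0;
    while (off + 2 <= len && found < num_ep) {       /* found < num_ep <= array size */
        uint8_t bLength = buf[off], bType = buf[off + 1];
        if (bLength < 2 || off + bLength > len) return -1;   /* malformed or truncated */
        if (bType == USB_DESC_TYPE_ENDPOINT && bLength >= 7) {
            h->Ep_Desc[found].bEndpointAddress = buf[off + 2];
            h->Ep_Desc[found].bmAttributes     = buf[off + 3];
            h->Ep_Desc[found].wMaxPacketSize   = (uint16_t)(buf[off + 4] | (buf[off + 5] << 8));
            h->Ep_Desc[found].bInterval        = buf[off + 6];
            found++;
        }
        off += bLength;
    }
    h->bNumEndpoints = found;
    return found == num_ep ? 0 : -1;
}

/* Constructed sample: two bulk endpoint descriptors (IN 0x81, OUT 0x02), 64-byte packets. */
static const uint8_t kTwoEps[] = { 7, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00,
                                   7, 0x05, 0x02, 0x02, 0x40, 0x00, 0x00 };
static void noop(void) {}

/* 1 if the sample parses and a claim of 3 endpoints is rejected before any write,
 * leaving the function pointer after the array untouched; 0 otherwise. */
int demo_range_check(void) {
    HostHandle h = {0}; h.on_event = noop;
    if (parse_endpoints(&h, kTwoEps, sizeof kTwoEps, 2) != 0 || h.bNumEndpoints != 2) return 0;
    if (parse_endpoints(&h, kTwoEps, sizeof kTwoEps, 3) != -1) return 0;
    return h.on_event == noop;
}
```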
This important vulnerability fix was not merged into recent releases. Please confirm that it will be merged into the upcoming release.