mirror of
https://git.yoctoproject.org/poky
synced 2026-07-02 17:13:39 +02:00
libusb1: fix CVE-2026-23679 and CVE-2026-47104
- Pick the upstream patch [1] as mentioned in [2] and [3]. - To successfully apply the fixed commit, apply the dependent commits [4], which are included in v1.0.28. [1]bc0886173e[2] https://security-tracker.debian.org/tracker/CVE-2026-23679. [3] https://security-tracker.debian.org/tracker/CVE-2026-47104. [4]016a0de33a(From OE-Core rev: c4d5735228e83c3a9afce48a39707b2ff5460fde) Signed-off-by: Anil Dongare <adongare@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
committed by
Paul Barker
parent
9504d658b8
commit
d144337355
@@ -0,0 +1,46 @@
|
||||
From 2c1bb758e3b61355f50df61b6eb474d90bec2fab Mon Sep 17 00:00:00 2001
|
||||
From: Sean McBride <sean@rogue-research.com>
|
||||
Date: Sat, 3 Feb 2024 22:32:52 -0500
|
||||
Subject: [PATCH] descriptor: Fix potential offsetting of pointer by too
|
||||
much
|
||||
|
||||
This was checking that `size` is at least `LIBUSB_DT_CONFIG_SIZE` (9)
|
||||
bytes long, but then increments the pointer with `buf +=
|
||||
header.bLength`. That could end up pointing past of the end of the
|
||||
buffer. There is a subsequent check that would prevent dereferencing it,
|
||||
but it's still undefined behaviour to even create such a pointer.
|
||||
|
||||
Add a check with a similar pattern as elsewhere in this file.
|
||||
|
||||
CVE: CVE-2026-23679 CVE-2026-47104
|
||||
Upstream-Status: Backport [https://github.com/libusb/libusb/commit/016a0de33ac94b19c7772d6c20fbea7fec23bf68]
|
||||
|
||||
Backport Changes:
|
||||
- The upstream version_nano.h bump is omitted because this is a security
|
||||
backport to libusb 1.0.27, not a version upgrade.
|
||||
|
||||
(cherry picked from commit 016a0de33ac94b19c7772d6c20fbea7fec23bf68)
|
||||
Signed-off-by: Anil Dongare <adongare@cisco.com>
|
||||
---
|
||||
libusb/descriptor.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/libusb/descriptor.c b/libusb/descriptor.c
|
||||
index 4623ad1..4862c69 100644
|
||||
--- a/libusb/descriptor.c
|
||||
+++ b/libusb/descriptor.c
|
||||
@@ -1233,6 +1233,11 @@ static int parse_iad_array(struct libusb_context *ctx,
|
||||
header.bLength);
|
||||
return LIBUSB_ERROR_IO;
|
||||
}
|
||||
+ else if (header.bLength > size) {
|
||||
+ usbi_warn(ctx, "short config descriptor read %d/%u",
|
||||
+ size, header.bLength);
|
||||
+ return LIBUSB_ERROR_IO;
|
||||
+ }
|
||||
if (header.bDescriptorType == LIBUSB_DT_INTERFACE_ASSOCIATION)
|
||||
iad_array->length++;
|
||||
buf += header.bLength;
|
||||
--
|
||||
2.43.7
|
||||
|
||||
@@ -0,0 +1,88 @@
|
||||
From 0735213e5118d5c9c732b7c891446b35e0d6b8d5 Mon Sep 17 00:00:00 2001
|
||||
From: MarkLee131 <kaixuan.li@ntu.edu.sg>
|
||||
Date: Sat, 25 Apr 2026 18:33:17 +0800
|
||||
Subject: [PATCH] descriptor: Fix two memory-safety bugs in malformed
|
||||
config descriptor handling
|
||||
|
||||
Two issues reachable from a malformed config descriptor returned by an
|
||||
attached USB device, both surfaced by the same libFuzzer + ASan run.
|
||||
|
||||
1) parse_interface() reads bNumEndpoints from the interface descriptor and
|
||||
increments usb_interface->num_altsetting before entering the inner loop
|
||||
that skips class/vendor specific descriptors ahead of the endpoint
|
||||
array. If that loop's bLength > size short-read branch fires, the
|
||||
function returns before the endpoint array is allocated, leaving the
|
||||
caller with bNumEndpoints > 0 and endpoint == NULL. libusb.h documents
|
||||
endpoint as an array sized by bNumEndpoints, and the testlibusb and
|
||||
xusb examples both iterate it accordingly, so a NULL deref follows.
|
||||
Reset bNumEndpoints to 0 before returning so the invariant holds.
|
||||
|
||||
2) The first-pass loop in parse_iad_array() compares header.bLength
|
||||
against the original size argument instead of the remaining bytes,
|
||||
so a single descriptor with bLength == size - 1 lets consumed reach
|
||||
size - 1 and the next iteration enters with only one byte of buffer
|
||||
left. The buf[1] read on the second line of the loop body lands one
|
||||
byte past the malloc allocation that backs the descriptor data. The
|
||||
sibling parsers parse_configuration() and parse_interface() in the
|
||||
same file already use the remaining-bytes form. Switch the IAD parser
|
||||
loop guard and bound check to match.
|
||||
|
||||
Both code paths are reachable from public APIs (libusb_get_*_config_descriptor
|
||||
and libusb_get_*_interface_association_descriptors), with the malformed
|
||||
input supplied by the attached device. Minimal reproducers are 20 and
|
||||
9 bytes respectively.
|
||||
|
||||
Fixes #1813
|
||||
|
||||
CVE: CVE-2026-23679 CVE-2026-47104
|
||||
Upstream-Status: Backport [https://github.com/libusb/libusb/commit/bc0886173ea15b8cc9bba2918f58a97a7f185231]
|
||||
|
||||
Backport Changes:
|
||||
- The upstream version_nano.h bump is omitted because this is a security
|
||||
backport to libusb 1.0.27, not a version upgrade.
|
||||
|
||||
Signed-off-by: MarkLee131 <kaixuan.li@ntu.edu.sg>
|
||||
(cherry picked from commit bc0886173ea15b8cc9bba2918f58a97a7f185231)
|
||||
Signed-off-by: Anil Dongare <adongare@cisco.com>
|
||||
---
|
||||
libusb/descriptor.c | 10 +++++++---
|
||||
1 file changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/libusb/descriptor.c b/libusb/descriptor.c
|
||||
index 4862c69..97143bb 100644
|
||||
--- a/libusb/descriptor.c
|
||||
+++ b/libusb/descriptor.c
|
||||
@@ -260,6 +260,10 @@ static int parse_interface(libusb_context *ctx,
|
||||
usbi_warn(ctx,
|
||||
"short extra intf desc read %d/%u",
|
||||
size, header->bLength);
|
||||
+ /* Keep the invariant: bNumEndpoints > 0 implies
|
||||
+ * endpoint != NULL. The endpoint array isn't
|
||||
+ * allocated yet on this early return. */
|
||||
+ ifp->bNumEndpoints = 0;
|
||||
return parsed;
|
||||
}
|
||||
|
||||
@@ -1226,16 +1230,16 @@ static int parse_iad_array(struct libusb_context *ctx,
|
||||
|
||||
// First pass: Iterate through desc list, count number of IADs
|
||||
iad_array->length = 0;
|
||||
- while (consumed < size) {
|
||||
+ while (size - consumed >= DESC_HEADER_LENGTH) {
|
||||
parse_descriptor(buf, "bb", &header);
|
||||
if (header.bLength < 2) {
|
||||
usbi_err(ctx, "invalid descriptor bLength %d",
|
||||
header.bLength);
|
||||
return LIBUSB_ERROR_IO;
|
||||
}
|
||||
- else if (header.bLength > size) {
|
||||
+ else if (header.bLength > size - consumed) {
|
||||
usbi_warn(ctx, "short config descriptor read %d/%u",
|
||||
- size, header.bLength);
|
||||
+ size - consumed, header.bLength);
|
||||
return LIBUSB_ERROR_IO;
|
||||
}
|
||||
if (header.bDescriptorType == LIBUSB_DT_INTERFACE_ASSOCIATION)
|
||||
--
|
||||
2.43.7
|
||||
|
||||
@@ -14,6 +14,8 @@ BBCLASSEXTEND = "native nativesdk"
|
||||
|
||||
SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/libusb-${PV}.tar.bz2 \
|
||||
file://run-ptest \
|
||||
file://CVE-2026-23679_CVE-2026-47104-dependent.patch \
|
||||
file://CVE-2026-23679_CVE-2026-47104.patch \
|
||||
"
|
||||
|
||||
GITHUB_BASE_URI = "https://github.com/libusb/libusb/releases"
|
||||
|
||||
Reference in New Issue
Block a user