Backport appropriate patches to fix CVE-2022-2347 and CVE-2022-30790. (From OE-Core rev: 7a5220a4877cd4d3766728e8a3525c157b6167fb) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
From 0f465b3e81baa095b62a154a739c5378285526db Mon Sep 17 00:00:00 2001
|
|
From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
|
|
Date: Wed, 30 Nov 2022 09:29:16 +0100
|
|
Subject: [PATCH 2/2] usb: gadget: dfu: Fix check of transfer direction
|
|
|
|
Commit fbce985e28eaca3af82afecc11961aadaf971a7e to fix CVE-2022-2347
|
|
blocks DFU usb requests.
|
|
The verification of the transfer direction was done by an equality
|
|
but it is a bit mask.
|
|
|
|
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
|
|
Reviewed-by: Fabio Estevam <festevam@denx.de>
|
|
Reviewed-by: Sultan Qasim Khan <sultan.qasimkhan@nccgroup.com>
|
|
Reviewed-by: Marek Vasut <marex@denx.de>
|
|
Tested-by: Marek Vasut <marex@denx.de>
|
|
|
|
CVE: CVE-2022-2347
|
|
Upstream-Status: Backport [14dc0ab138988a8e45ffa086444ec8db48b3f103]
|
|
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
|
|
---
|
|
drivers/usb/gadget/f_dfu.c | 8 ++++----
|
|
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c
|
|
index 33ef62f8ba..44877df4ec 100644
|
|
--- a/drivers/usb/gadget/f_dfu.c
|
|
+++ b/drivers/usb/gadget/f_dfu.c
|
|
@@ -325,7 +325,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
|
|
|
|
switch (ctrl->bRequest) {
|
|
case USB_REQ_DFU_DNLOAD:
|
|
- if (ctrl->bRequestType == USB_DIR_OUT) {
|
|
+ if (!(ctrl->bRequestType & USB_DIR_IN)) {
|
|
if (len == 0) {
|
|
f_dfu->dfu_state = DFU_STATE_dfuERROR;
|
|
value = RET_STALL;
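Review bot: The new test `if (!(ctrl->bRequestType & USB_DIR_IN))` reads as an inverted IN check, and nothing next to it says why it is not written against USB_DIR_OUT. USB_DIR_OUT is defined as 0, so it cannot be masked for directly; a one-line comment would stop the next reader from "simplifying" it back, e.g. `/* USB_DIR_OUT is 0: host-to-device means the USB_DIR_IN bit is clear */`. The same applies to the identical line in the state_dfu_dnload_idle hunk. Because only the direction bit is masked, the type and recipient bits of bmRequestType no longer constrain this branch; presumably the caller filters those before dispatching here, which is worth confirming since that code is outside the hunk.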
|
|
@@ -337,7 +337,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
|
|
}
|
|
break;
|
|
case USB_REQ_DFU_UPLOAD:
|
|
- if (ctrl->bRequestType == USB_DIR_IN) {
|
|
+ if (ctrl->bRequestType & USB_DIR_IN) {
|
|
f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE;
|
|
f_dfu->blk_seq_num = 0;
|
|
value = handle_upload(req, len);
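Review bot: A request whose direction bit does not match the DFU request gets no explicit rejection: the context lines at the top of this hunk show the DNLOAD direction `if` closing and going straight to `break;` with no else branch, and the UPLOAD case opens the same way. Unless `value` is initialised to a stall code outside the hunk, a mismatched request is completed rather than refused and the state machine stays where it was. Consider making the outcome explicit, for example `else { f_dfu->dfu_state = DFU_STATE_dfuERROR; value = RET_STALL; }`, or add a comment saying that ignoring the request is intended. state_dfu_idle begins and ends outside the hunk, so the initial value of `value` should be checked there.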
|
|
@@ -436,7 +436,7 @@ static int state_dfu_dnload_idle(struct f_dfu *f_dfu,
|
|
|
|
switch (ctrl->bRequest) {
|
|
case USB_REQ_DFU_DNLOAD:
|
|
- if (ctrl->bRequestType == USB_DIR_OUT) {
|
|
+ if (!(ctrl->bRequestType & USB_DIR_IN)) {
|
|
f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
|
|
f_dfu->blk_seq_num = w_value;
|
|
value = handle_dnload(gadget, len);
|
|
@@ -527,7 +527,7 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu,
|
|
|
|
switch (ctrl->bRequest) {
|
|
case USB_REQ_DFU_UPLOAD:
|
|
- if (ctrl->bRequestType == USB_DIR_IN) {
|
|
+ if (ctrl->bRequestType & USB_DIR_IN) {
|
|
/* state transition if less data then requested */
|
|
f_dfu->blk_seq_num = w_value;
|
|
value = handle_upload(req, len);
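Review bot: `len` is passed to `handle_upload(req, len)` with only the direction bit checked in this hunk, and the bitmask test admits more bmRequestType values than the old equality did. The bound of `len` against the size of the request buffer is not visible here; it presumably comes from the earlier commit the message cites (fbce985e28eaca3af82afecc11961aadaf971a7e). Since this is patch 2/2 of a backport, confirm that the first patch is listed in the same recipe and applied before this one, so the relaxed direction check never ships without the length check. The body of state_dfu_upload_idle continues outside the hunk.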
|
|
--
|
|
2.32.0
|
|
|