[PATCH] usb: gadget: dfu: Fix the unchecked length field

Sultan Khan sultanqasim at gmail.com
Tue Nov 29 20:49:09 CET 2022


While I haven't yet gotten around to trying DFU with this patch applied, my
guess as to the issue would be the checks of the form
"if (ctrl->bRequestType == USB_DIR_OUT)" or "if (ctrl->bRequestType == USB_DIR_IN)".
The bRequestType field contains many flag bits other than the direction
bit. The checks should just check that the USB_DIR_IN bit (0x80) is set or
not set, rather than checking if the entire ctrl->bRequestType field equals
some value.

Sultan

On Mon, Nov 28, 2022 at 7:48 AM Marek Vasut <marex at denx.de> wrote:

> On 11/21/22 18:34, Tom Rini wrote:
> > On Thu, Nov 03, 2022 at 09:37:48AM +0530, Venkatesh Yadav Abbarapu wrote:
> >
> >> DFU implementation does not bound the length field in USB
> >> DFU download setup packets, and it does not verify that
> >> the transfer direction. Fixing the length and transfer
> >> direction.
> >>
> >> CVE-2022-2347
> >>
> >> Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu at amd.com>
> >> Reviewed-by: Marek Vasut <marex at denx.de>
> >
> > Applied to u-boot/master, thanks!
>
> So this breaks DFU support in SPL as I just found out.
> Any idea why ?
>
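
The difference between the whole-field comparison and the direction-bit test discussed in the reply above, as an added example (not code from the U-Boot patch or from anyone in this thread). The struct, helper names, EXAMPLE_BUF_SIZE and the sample packets are constructed for illustration; the bit values are the standard USB ones.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* bRequestType bit fields from the USB 2.0 specification. */
#define USB_DIR_OUT         0x00 /* bit 7 clear: host to device */
#define USB_DIR_IN          0x80 /* bit 7 set: device to host */
#define USB_TYPE_CLASS      0x20 /* bits 6..5: request type */
#define USB_RECIP_INTERFACE 0x01 /* bits 4..0: recipient */
#define EXAMPLE_BUF_SIZE    4096 /* assumed buffer size, not U-Boot's */
struct setup_pkt { /* simplified stand-in for the 8-byte setup packet */
    uint8_t bRequestType, bRequest;
    uint16_t wValue, wIndex, wLength;
};

/* Whole-field comparison, the form quoted in the reply. */
static bool is_out_equality(const struct setup_pkt *c)
{
    return c->bRequestType == USB_DIR_OUT;
}

/* Direction-bit test, the form the reply recommends. */
static bool is_out_masked(const struct setup_pkt *c)
{
    return (c->bRequestType & USB_DIR_IN) == 0;
}

/* Accept a download only if it is host-to-device and fits the buffer. */
static bool dnload_ok(const struct setup_pkt *c,
                      bool (*is_out)(const struct setup_pkt *))
{
    return is_out(c) && c->wLength <= EXAMPLE_BUF_SIZE;
}

/* Constructed sample packets; bRequest 1 is DFU_DNLOAD in the DFU spec. */
static const struct setup_pkt dnload_valid =
    { USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE, 1, 0, 0, 512 };
static const struct setup_pkt dnload_oversized =
    { USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE, 1, 0, 0, 0xFFFF };
static const struct setup_pkt dnload_wrong_dir =
    { USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE, 1, 0, 0, 512 };

int main(void)
{
    printf("valid, equality: %d\n", dnload_ok(&dnload_valid, is_out_equality));
    printf("valid, masked:   %d\n", dnload_ok(&dnload_valid, is_out_masked));
    printf("oversized:       %d\n", dnload_ok(&dnload_oversized, is_out_masked));
    return 0;
}
```

A class request addressed to an interface carries 0x21 in bRequestType for the OUT direction, so the equality form rejects a well-formed download while the masked form accepts it and still refuses the oversized and wrong-direction packets.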

