CVE-2022-29223— Microsoft Azure RTOS USBX 安全漏洞

Buffer overflow on HUB descriptor in Azure RTOS USBX

Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack. In versions prior to 6.1.10, an attacker can cause a buffer overflow by providing the Azure RTOS USBX host stack a HUB descriptor with `bNbPorts` set to a value greater than `UX_MAX_TT` which defaults to 8. For a `bNbPorts` value of 255, the implementation of `ux_host_class_hub_descriptor_get` function will modify the contents of `hub` -> `ux_host_class_hub_device` -> `ux_device_hub_tt` array violating the end boundary by 255 - `UX_MAX_TT` items. The USB host stack needs to validate the number of ports reported by the hub, and if the value is larger than UX_MAX_TT, USB stack needs to reject the request. This fix has been included in USBX release 6.1.10.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

未进行输入大小检查的缓冲区拷贝(传统缓冲区溢出)

Microsoft Azure RTOS USBX 安全漏洞

Microsoft Azure RTOS USBX是美国微软（Microsoft）开源的一个高性能 USB 主机、设备和移动 （OTG） 嵌入式堆栈，与 Azure RTOS ThreadX 完全集成。 Microsoft Azure RTOS USBX 6.1.10之前版本存在安全漏洞。攻击者利用该漏洞通过向 Azure RTOS USBX 主机堆栈提供一个 HUB 描述符并将 bNbPorts 设置为大于8的 UX_MAX_TT 值来导致缓冲区溢出。

N/A

N/A