STMicroelectronics / STM32CubeL4

STM32Cube MCU Full Package for the STM32L4 series - (HAL + LL Drivers, CMSIS Core, CMSIS Device, MW libraries plus a set of Projects running on all boards provided by ST (Nucleo, Evaluation and Discovery Kits))

Infinite Loop in STM32 SCSI Driver #69

Closed maxeisele closed 7 months ago

maxeisele commented 2 years ago

In function SCSI_ReadCapacity16 the variable idx is of type int8_t. It gets compared against the 32-bit variable hmsc->bot_data_length, which is controllable via the USB request from outside. If the value of that variable is greater than 255, the loop in line 383 can never meet its exit condition, resulting in an infinite loop.

The bug can be triggered by sending the following command via a USB bulk write to the device running the affected STM32 USB stack: b"\x55\x53\x42\x43\x13\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x9E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1F\x00\x00\x00"

As a fix, I suggest changing the type of idx to uint32_t.

In case you confirm this bug - could you assign a CVE number for it? I found this bug with a newly developed embedded fuzzing method that is yet to be released and CVE numbers give higher acceptance chances for scientific papers in the security testing community.

https://github.com/STMicroelectronics/STM32CubeL4/blob/c5e83f31696c3da4fb374224471afd08d9d457b3/Middlewares/ST/STM32_USB_Device_Library/Class/MSC/Src/usbd_msc_scsi.c#L383
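Added illustration of the pattern described in this report, beside a hardened form; this is constructed example code, not the STM32 USB stack's own source or the reporter's. It assumes a uint8_t counter as a stand-in for the narrow idx described above, a 512-byte stand-in for hmsc->bot_data, an iteration guard so the demonstration cannot hang, and decodes the READ CAPACITY(16) ALLOCATION LENGTH from CDB bytes 10..13 per the SCSI CDB layout; all names and the sample CDB are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#define BOT_DATA_SIZE 512u            /* assumed size of hmsc->bot_data stand-in */
static uint8_t bot_data[BOT_DATA_SIZE];
#define ITER_GUARD 2048L              /* keeps this demonstration from hanging */

/* Constructed READ CAPACITY(16) CDB (opcode 0x9E) whose ALLOCATION LENGTH,
 * big-endian in bytes 10..13 per the SCSI CDB layout, is 0x00000100 = 256. */
const uint8_t kConstructedCdb[16] = {0x9E, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                                     0x00, 0x00, 0x01, 0x00, 0, 0};

uint32_t cdb_allocation_length(const uint8_t cdb[16])
{
    return ((uint32_t)cdb[10] << 24) | ((uint32_t)cdb[11] << 16) |
           ((uint32_t)cdb[12] << 8) | (uint32_t)cdb[13];
}

/* Pattern from the report: an 8-bit counter compared with a 32-bit length the
 * host controls. After 255 the counter wraps to 0, so any length above 255
 * never meets the exit condition. Returns iterations run, or -1 when the
 * guard trips (on the device this is the infinite loop). */
long zero_fill_vulnerable(uint32_t bot_data_length)
{
    uint8_t idx;  /* assumption: unsigned 8-bit stand-in for the narrow idx */
    long iterations = 0;
    for (idx = 0; idx < bot_data_length; idx++) {
        if (++iterations > ITER_GUARD) return -1;
        bot_data[idx] = 0;  /* idx <= 255 < BOT_DATA_SIZE, so in bounds */
    }
    return iterations;
}

/* Hardened form: 32-bit counter (the suggested fix) plus a clamp of the host
 * length to the buffer size, so neither loop bound nor index is driven by
 * untrusted input. Returns the number of bytes zeroed. */
uint32_t zero_fill_fixed(uint32_t bot_data_length)
{
    uint32_t len = bot_data_length < BOT_DATA_SIZE ? bot_data_length : BOT_DATA_SIZE;
    for (uint32_t idx = 0; idx < len; idx++) {
        bot_data[idx] = 0;
    }
    return len;
}

int main(void)
{
    uint32_t len = cdb_allocation_length(kConstructedCdb);
    printf("len=%u vulnerable=%ld fixed=%u\n", (unsigned)len,
           zero_fill_vulnerable(len), (unsigned)zero_fill_fixed(len));
    return 0;
}
```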

PierreLeCorre commented 2 years ago

Thanks for reporting this issue. It is now managed by ST PSIRT team.

ALABSTM commented 7 months ago

ST Internal Reference: 131746

ALABSTM commented 7 months ago

Hi @maxeisele,

Issue fixed in the frame of version 1.18.0, as you can see below. Thank you again for having reported it.

https://github.com/STMicroelectronics/STM32CubeL4/blob/93f2cde30d17996651d7b31f7091ab3dfe2f99bb/Middlewares/ST/STM32_USB_Device_Library/Class/MSC/Src/usbd_msc_scsi.c#L364

With regards,