[Bug] A potential bug may exist in usb_lld_init_endpoint in ChibiOS in melgeek firmware

qmk / qmk_firmware

Open-source keyboard firmware for Atmel AVR and Arm USB families

https://qmk.fm

GNU General Public License v2.0

17.97k stars 38.64k forks source link

[Bug] A potential bug may exist in usb_lld_init_endpoint in ChibiOS in melgeek firmware #22514

Open wjqsec opened 9 months ago

wjqsec commented 9 months ago

Describe the Bug

In function usb_lld_init_endpoint, it reads a device register value and as an offset to fetch data. However, this value is not checked thus result in arbitrary memory read. This is a problem caused by ChibiOS. I don't know how to fix it.

Keyboard Used

melgeek

Link to product page (if applicable)

No response

Operating System

No response

qmk doctor Output

No response

Is AutoHotKey / Karabiner installed

[ ] AutoHotKey (Windows)
[ ] Karabiner (macOS)

Other keyboard-related software installed

No response

Additional Context

No response

wjqsec commented 9 months ago

And another one in the interrupt handler VectorB0(). The function pointer is controlled by a device register whose memory address is 0x40000024.

sigprof commented 9 months ago

Your report is really vague:

melgeek is not a single specific keyboard (it's a vendor folder which has lots of keyboards inside, and those keyboards even use different MCUs);
usb_lld_init_endpoint() has multiple implementations (there are many LLDs for various MCUs); not sure which one do you mean;
can you point to the specific line in the source which has the problematic access?

Also 0x40000024 is apparently the address of the TIM2->CNT register on most STM32 MCUs; not sure why any code would use its value in pointer calculations directly.