crosvm

mirror of https://chromium.googlesource.com/crosvm/crosvm synced 2025-02-06 02:25:23 +00:00

History

Daniel Verkamp 9c3ebfb410 usb_util: validate bLength in next_descriptor When skipping descriptors in the next_descriptor() helper function, we advance the offset in the input bytestream by adding the user-controlled bLength field. If bLength was 0, next_descriptor() would get stuck in a loop and never return. Add a check for this case as well as a unit test based on the failing fuzzer input. BUG=b:198320695 TEST=cargo test -p usb_util TEST=cros_fuzz Change-Id: Iec130a33b28f05219907265b7acafa9ee3791c1a Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3155363 Reviewed-by: Dennis Kempin <denniskempin@google.com> Tested-by: kokoro <noreply+kokoro@google.com> Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>	2021-09-15 00:16:57 +00:00
..
src	usb_util: validate bLength in next_descriptor	2021-09-15 00:16:57 +00:00
Cargo.toml	Add "base" crate and transition crosvm usages to it from sys_util	2020-08-06 18:19:44 +00:00

Daniel Verkamp 9c3ebfb410 usb_util: validate bLength in next_descriptor

When skipping descriptors in the next_descriptor() helper function, we
advance the offset in the input bytestream by adding the user-controlled
bLength field.  If bLength was 0, next_descriptor() would get stuck in a
loop and never return.

Add a check for this case as well as a unit test based on the failing
fuzzer input.

BUG=b:198320695
TEST=cargo test -p usb_util
TEST=cros_fuzz

Change-Id: Iec130a33b28f05219907265b7acafa9ee3791c1a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/3155363
Reviewed-by: Dennis Kempin <denniskempin@google.com>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>

2021-09-15 00:16:57 +00:00

src

usb_util: validate bLength in next_descriptor

2021-09-15 00:16:57 +00:00

Cargo.toml

Add "base" crate and transition crosvm usages to it from sys_util

2020-08-06 18:19:44 +00:00