CVE-2022-39293
Azure RTOS USBX Host PIMA vulnerable to read integer underflow with buffer overflow
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Azure RTOS USBX is a high-performance USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS ThreadX. The case is, in [_ux_host_class_pima_read](https://github.com/azure-rtos/usbx/blob/master/common/usbx_host_classes/src/ux_host_class_pima_read.c), there is data length from device response, returned in the very first packet, and read by [L165 code](https://github.com/azure-rtos/usbx/blob/082fd9db09a3669eca3358f10b8837a5c1635c0b/common/usbx_host_classes/src/ux_host_class_pima_read.c#L165), as header_length. Then in [L178 code](https://github.com/azure-rtos/usbx/blob/082fd9db09a3669eca3358f10b8837a5c1635c0b/common/usbx_host_classes/src/ux_host_class_pima_read.c#L178), there is a “if” branch, which check the expression of “(header_length - UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE) > data_length” where if header_length is smaller than UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE, calculation could overflow and then [L182 code](https://github.com/azure-rtos/usbx/blob/082fd9db09a3669eca3358f10b8837a5c1635c0b/common/usbx_host_classes/src/ux_host_class_pima_read.c#L182) the calculation of data_length is also overflow, this way the later [while loop start from L192](https://github.com/azure-rtos/usbx/blob/082fd9db09a3669eca3358f10b8837a5c1635c0b/common/usbx_host_classes/src/ux_host_class_pima_read.c#L192) can move data_pointer to unexpected address and cause write buffer overflow. The fix has been included in USBX release [6.1.12](https://github.com/azure-rtos/usbx/releases/tag/v6.1.12_rel). The following can be used as a workaround: Add check of `header_length`: 1. It must be greater than `UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE`. 1. It should be greater or equal to the current returned data length (`transfer_request -> ux_transfer_request_actual_length`).
Azure RTOS USBX es una pila embebida de host, dispositivo y on-the-go (OTG) USB de alto rendimiento, que está totalmente integrada con Azure RTOS ThreadX. El caso es que, en [_ux_host_class_pima_read](https://github.com/azure-rtos/usbx/blob/master/common/usbx_host_classes/src/ux_host_class_pima_read.c), se presenta una longitud de datos de la respuesta del dispositivo, devuelta en el primer paquete, y leída por [L165 code](https://github.com/azure-rtos/usbx/blob/082fd9db09a3669eca3358f10b8837a5c1635c0b/common/usbx_host_classes/src/ux_host_class_pima_read.c#L165), como header_length. Entonces en [L178 code](https://github.com/azure-rtos/usbx/blob/082fd9db09a3669eca3358f10b8837a5c1635c0b/common/usbx_host_classes/src/ux_host_class_pima_read.c#L178), se presenta una rama "if", que comprueba la expresión de "(header_length - UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE) ) data_length" donde si header_length es menor que UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE, el cálculo podría desbordarse y entonces [L182 code](https://github. com/azure-rtos/usbx/blob/082fd9db09a3669eca3358f10b8837a5c1635c0b/common/usbx_host_classes/src/ux_host_class_pima_read.c#L182) el cálculo de data_length también es desbordado, de esta forma el posterior [inicio del bucle while desde L192](https://github.com/azure-rtos/usbx/blob/082fd9db09a3669eca3358f10b8837a5c1635c0b/common/usbx_host_classes/src/ux_host_class_pima_read.c#L192) puede mover data_pointer a una dirección no esperada y causar un desbordamiento del buffer de escritura. La corrección ha sido incluida en USBX versión [6.1.12](https://github.com/azure-rtos/usbx/releases/tag/v6.1.12_rel). Puede usarse lo siguiente como mitigación: Añadir la comprobación de "header_length": 1. Debe ser mayor que "UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE". 1. Debe ser mayor o igual que la longitud de datos devuelta actualmente ("transfer_request -) ux_transfer_request_actual_length")
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-09-02 CVE Reserved
- 2022-10-13 CVE Published
- 2024-08-03 CVE Updated
- 2024-10-26 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-191: Integer Underflow (Wrap or Wraparound)
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://github.com/azure-rtos/usbx/releases/tag/v6.1.12_rel | Release Notes |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/azure-rtos/usbx/security/advisories/GHSA-gg76-h537-xq48 | 2022-10-18 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Microsoft Search vendor "Microsoft" | Azure Rtos Usbx Search vendor "Microsoft" for product "Azure Rtos Usbx" | < 6.1.12 Search vendor "Microsoft" for product "Azure Rtos Usbx" and version " < 6.1.12" | - |
Affected
|