Dear OpenBSD team, I would like to bring your attention to the following bug report from FreeBSD, where I have ported and imported the umb(4) driver recently: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284920
The bug report mentions:

> When processing a message produced by a USB device, umb_decap()
> says:
>
> ptroff = UGETDW(hdr32->dwNdpIndex);
> ...;
> ptr16 = (struct ncm_pointer16 *)(buf + ptroff);
> psig = UGETDW(ptr16->dwSignature);
>
> But ptroff can be any 32-bit value, so a broken or malicious USB
> device can cause ptr16 to point outside the message buffer.

And:

> And later, umb_decap() pulls dlen and doff out of a message sent by
> the USB device, and uses doff to form a pointer without a sanity
> check:
>
> dgram32 = (struct ncm_pointer32_dgram *)
> (buf + ptroff + dgentryoff);
> ...;
> dlen = UGETDW(dgram32->dwDatagramLen);
> doff = UGETDW(dgram32->dwDatagramIndex);
> ...;
> dp = buf + doff;
> ...;
> m = m_devget(dp, dlen, 0, ifp, NULL);
>
> A malicious USB device could cause the wrong memory to be copied, or a
> page fault.

From my reading of the current version of the umb(4) driver in OpenBSD, ISTM that you are vulnerable to this issue as well.

Thoughts?

HTH,
-- khorben
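The two checks the report asks for (validate ptroff before forming a pointer from it, and validate doff/dlen before the copy), as an added example written for this message and not code from the OpenBSD or FreeBSD umb(4) driver. It uses a constructed, simplified 32-bit NCM-style frame layout rather than the driver's real structs, and the functions in_bounds, decap_checked, build_frame and check are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed 32-bit NCM-style framing, simplified for this example and not
 * the driver's real structs: a 16-byte NTH with dwNdpIndex at offset 12, then
 * an NDP made of a 16-byte header plus 8-byte {dwDatagramIndex, dwDatagramLen}
 * entries ended by an all-zero entry. Every field is little-endian. */
enum { NTH32_LEN = 16, NDP32_HDR_LEN = 16, DGRAM_ENTRY_LEN = 8 };

static uint32_t get_le32(const uint8_t *p) {                 /* the role of UGETDW */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* True iff [off, off + n) lies inside a len-byte buffer; neither expression can wrap. */
static int in_bounds(size_t len, uint32_t off, size_t n) {
    return off <= len && n <= len - off;
}

/* Validates every device-supplied offset before a pointer is formed from it.
 * Returns the datagram count, or -1 if the frame must be dropped; the first
 * datagram's offset and length are reported for the caller's m_devget(). */
int decap_checked(const uint8_t *buf, size_t len, uint32_t *doff_out, uint32_t *dlen_out) {
    if (!in_bounds(len, 0, NTH32_LEN)) return -1;
    uint32_t ptroff = get_le32(buf + 12);                    /* dwNdpIndex, untrusted */
    if (!in_bounds(len, ptroff, NDP32_HDR_LEN)) return -1;   /* before buf + ptroff is used */
    int n = 0;
    for (uint32_t e = NDP32_HDR_LEN;; e += DGRAM_ENTRY_LEN) {
        if (!in_bounds(len, ptroff, (size_t)e + DGRAM_ENTRY_LEN)) return -1; /* the entry itself */
        uint32_t doff = get_le32(buf + ptroff + e), dlen = get_le32(buf + ptroff + e + 4);
        if (doff == 0 || dlen == 0) break;                   /* terminator entry */
        if (!in_bounds(len, doff, dlen)) return -1;          /* before dp = buf + doff is copied */
        if (n++ == 0) { *doff_out = doff; *dlen_out = dlen; }
    }
    return n;
}

/* Builds a 56-byte constructed frame: NTH, 8 payload bytes at 16, NDP at 24. */
size_t build_frame(uint8_t *buf, uint32_t ndp_index, uint32_t doff, uint32_t dlen) {
    memset(buf, 0, 56);
    put_le32(buf + 12, ndp_index);
    memset(buf + 16, 0xAA, 8);                               /* the datagram bytes */
    put_le32(buf + 40, doff);                                /* entry 0 at NDP + 16 */
    put_le32(buf + 44, dlen);                                /* entry 1 stays all-zero */
    return 56;
}

/* Convenience wrapper: build a frame with the given fields and decapsulate it. */
int check(uint32_t ndp_index, uint32_t doff, uint32_t dlen) {
    uint8_t f[56]; uint32_t o = 0, l = 0;
    return decap_checked(f, build_frame(f, ndp_index, doff, dlen), &o, &l);
}
```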