| Message ID | 20260615110825.230591-1-adongare@cisco.com |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | [master,v2] libusb1: fix CVE-2026-23679 and CVE-2026-47104 | expand |
On Mon Jun 15, 2026 at 1:08 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote: > From: Anil Dongare <adongare@cisco.com> > > - Pick the upstream patch [1] as mentioned in [2] and [3]. > included in v1.0.28. That patch in included in v1.0.30, not 1.0.28 (OE-core master is currently at v1.0.29). Also, this backport will be superseded by the v1.0.30 upgrade in: https://lore.kernel.org/all/20260614080307.4017177-21-richard.purdie@linuxfoundation.org/ (I'll take a look at the backport for stable branches though) Regards, > [1] https://github.com/libusb/libusb/commit/bc0886173ea15b8cc9bba2918f58a97a7f185231 > [2] https://security-tracker.debian.org/tracker/CVE-2026-23679. > [3] https://security-tracker.debian.org/tracker/CVE-2026-47104. > > Signed-off-by: Anil Dongare <adongare@cisco.com> > --- > .../CVE-2026-23679_CVE-2026-47104.patch | 89 +++++++++++++++++++ > meta/recipes-support/libusb/libusb1_1.0.29.bb | 1 + > 2 files changed, 90 insertions(+) > create mode 100644 meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch > > diff --git a/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch b/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch > new file mode 100644 > index 0000000000..f15f089f9f > --- /dev/null > +++ b/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch > @@ -0,0 +1,89 @@ > +From 04a9508e07582f553e9ea767f9e4a9b93839914b Mon Sep 17 00:00:00 2001 > +From: MarkLee131 <kaixuan.li@ntu.edu.sg> > +Date: Sat, 25 Apr 2026 18:33:17 +0800 > +Subject: [PATCH] descriptor: Fix two memory-safety bugs in malformed config > + descriptor handling > + > +Two issues reachable from a malformed config descriptor returned by an > +attached USB device, both surfaced by the same libFuzzer + ASan run. > + > +1) parse_interface() reads bNumEndpoints from the interface descriptor and > + increments usb_interface->num_altsetting before entering the inner loop > + that skips class/vendor specific descriptors ahead of the endpoint > + array. If that loop's bLength > size short-read branch fires, the > + function returns before the endpoint array is allocated, leaving the > + caller with bNumEndpoints > 0 and endpoint == NULL. libusb.h documents > + endpoint as an array sized by bNumEndpoints, and the testlibusb and > + xusb examples both iterate it accordingly, so a NULL deref follows. > + Reset bNumEndpoints to 0 before returning so the invariant holds. > + > +2) The first-pass loop in parse_iad_array() compares header.bLength > + against the original size argument instead of the remaining bytes, > + so a single descriptor with bLength == size - 1 lets consumed reach > + size - 1 and the next iteration enters with only one byte of buffer > + left. The buf[1] read on the second line of the loop body lands one > + byte past the malloc allocation that backs the descriptor data. The > + sibling parsers parse_configuration() and parse_interface() in the > + same file already use the remaining-bytes form. Switch the IAD parser > + loop guard and bound check to match. > + > +Both code paths are reachable from public APIs (libusb_get_*_config_descriptor > +and libusb_get_*_interface_association_descriptors), with the malformed > +input supplied by the attached device. Minimal reproducers are 20 and > +9 bytes respectively. > + > +Fixes #1813 > + > +CVE: CVE-2026-23679 CVE-2026-47104 > +Upstream-Status: Backport [https://github.com/libusb/libusb/commit/bc0886173ea15b8cc9bba2918f58a97a7f185231] > + > +Backport Changes: > +- The upstream version_nano.h bump is omitted because this is a security > + backport to libusb 1.0.29, not a version upgrade. > + > +Signed-off-by: MarkLee131 <kaixuan.li@ntu.edu.sg> > +(cherry picked from commit bc0886173ea15b8cc9bba2918f58a97a7f185231) > +Signed-off-by: Anil Dongare <adongare@cisco.com> > +--- > + libusb/descriptor.c | 10 +++++++--- > + 1 file changed, 7 insertions(+), 3 deletions(-) > + > +diff --git a/libusb/descriptor.c b/libusb/descriptor.c > +index 870883a..7d4f118 100644 > +--- a/libusb/descriptor.c > ++++ b/libusb/descriptor.c > +@@ -241,6 +241,10 @@ static int parse_interface(libusb_context *ctx, > + usbi_warn(ctx, > + "short extra intf desc read %d/%u", > + size, header->bLength); > ++ /* Keep the invariant: bNumEndpoints > 0 implies > ++ * endpoint != NULL. The endpoint array isn't > ++ * allocated yet on this early return. */ > ++ ifp->bNumEndpoints = 0; > + return parsed; > + } > + > +@@ -1365,7 +1369,7 @@ static int parse_iad_array(struct libusb_context *ctx, > + > + /* First pass: Iterate through desc list, count number of IADs */ > + iad_array->length = 0; > +- while (consumed < size) { > ++ while (size - consumed >= DESC_HEADER_LENGTH) { > + header.bLength = buf[0]; > + header.bDescriptorType = buf[1]; > + if (header.bLength < DESC_HEADER_LENGTH) { > +@@ -1373,9 +1377,9 @@ static int parse_iad_array(struct libusb_context *ctx, > + header.bLength); > + return LIBUSB_ERROR_IO; > + } > +- else if (header.bLength > size) { > ++ else if (header.bLength > size - consumed) { > + usbi_warn(ctx, "short config descriptor read %d/%u", > +- size, header.bLength); > ++ size - consumed, header.bLength); > + return LIBUSB_ERROR_IO; > + } > + if (header.bDescriptorType == LIBUSB_DT_INTERFACE_ASSOCIATION) > +-- > +2.51.0 > + > diff --git a/meta/recipes-support/libusb/libusb1_1.0.29.bb b/meta/recipes-support/libusb/libusb1_1.0.29.bb > index 856e32d1c6..d287ec171f 100644 > --- a/meta/recipes-support/libusb/libusb1_1.0.29.bb > +++ b/meta/recipes-support/libusb/libusb1_1.0.29.bb > @@ -14,6 +14,7 @@ BBCLASSEXTEND = "native nativesdk" > > SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/libusb-${PV}.tar.bz2 \ > file://run-ptest \ > + file://CVE-2026-23679_CVE-2026-47104.patch \ > " > > GITHUB_BASE_URI = "https://github.com/libusb/libusb/releases"
diff --git a/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch b/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch new file mode 100644 index 0000000000..f15f089f9f --- /dev/null +++ b/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch @@ -0,0 +1,89 @@ +From 04a9508e07582f553e9ea767f9e4a9b93839914b Mon Sep 17 00:00:00 2001 +From: MarkLee131 <kaixuan.li@ntu.edu.sg> +Date: Sat, 25 Apr 2026 18:33:17 +0800 +Subject: [PATCH] descriptor: Fix two memory-safety bugs in malformed config + descriptor handling + +Two issues reachable from a malformed config descriptor returned by an +attached USB device, both surfaced by the same libFuzzer + ASan run. + +1) parse_interface() reads bNumEndpoints from the interface descriptor and + increments usb_interface->num_altsetting before entering the inner loop + that skips class/vendor specific descriptors ahead of the endpoint + array. If that loop's bLength > size short-read branch fires, the + function returns before the endpoint array is allocated, leaving the + caller with bNumEndpoints > 0 and endpoint == NULL. libusb.h documents + endpoint as an array sized by bNumEndpoints, and the testlibusb and + xusb examples both iterate it accordingly, so a NULL deref follows. + Reset bNumEndpoints to 0 before returning so the invariant holds. + +2) The first-pass loop in parse_iad_array() compares header.bLength + against the original size argument instead of the remaining bytes, + so a single descriptor with bLength == size - 1 lets consumed reach + size - 1 and the next iteration enters with only one byte of buffer + left. The buf[1] read on the second line of the loop body lands one + byte past the malloc allocation that backs the descriptor data. The + sibling parsers parse_configuration() and parse_interface() in the + same file already use the remaining-bytes form. Switch the IAD parser + loop guard and bound check to match. + +Both code paths are reachable from public APIs (libusb_get_*_config_descriptor +and libusb_get_*_interface_association_descriptors), with the malformed +input supplied by the attached device. Minimal reproducers are 20 and +9 bytes respectively. + +Fixes #1813 + +CVE: CVE-2026-23679 CVE-2026-47104 +Upstream-Status: Backport [https://github.com/libusb/libusb/commit/bc0886173ea15b8cc9bba2918f58a97a7f185231] + +Backport Changes: +- The upstream version_nano.h bump is omitted because this is a security + backport to libusb 1.0.29, not a version upgrade. + +Signed-off-by: MarkLee131 <kaixuan.li@ntu.edu.sg> +(cherry picked from commit bc0886173ea15b8cc9bba2918f58a97a7f185231) +Signed-off-by: Anil Dongare <adongare@cisco.com> +--- + libusb/descriptor.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/libusb/descriptor.c b/libusb/descriptor.c +index 870883a..7d4f118 100644 +--- a/libusb/descriptor.c ++++ b/libusb/descriptor.c +@@ -241,6 +241,10 @@ static int parse_interface(libusb_context *ctx, + usbi_warn(ctx, + "short extra intf desc read %d/%u", + size, header->bLength); ++ /* Keep the invariant: bNumEndpoints > 0 implies ++ * endpoint != NULL. The endpoint array isn't ++ * allocated yet on this early return. */ ++ ifp->bNumEndpoints = 0; + return parsed; + } + +@@ -1365,7 +1369,7 @@ static int parse_iad_array(struct libusb_context *ctx, + + /* First pass: Iterate through desc list, count number of IADs */ + iad_array->length = 0; +- while (consumed < size) { ++ while (size - consumed >= DESC_HEADER_LENGTH) { + header.bLength = buf[0]; + header.bDescriptorType = buf[1]; + if (header.bLength < DESC_HEADER_LENGTH) { +@@ -1373,9 +1377,9 @@ static int parse_iad_array(struct libusb_context *ctx, + header.bLength); + return LIBUSB_ERROR_IO; + } +- else if (header.bLength > size) { ++ else if (header.bLength > size - consumed) { + usbi_warn(ctx, "short config descriptor read %d/%u", +- size, header.bLength); ++ size - consumed, header.bLength); + return LIBUSB_ERROR_IO; + } + if (header.bDescriptorType == LIBUSB_DT_INTERFACE_ASSOCIATION) +-- +2.51.0 + diff --git a/meta/recipes-support/libusb/libusb1_1.0.29.bb b/meta/recipes-support/libusb/libusb1_1.0.29.bb index 856e32d1c6..d287ec171f 100644 --- a/meta/recipes-support/libusb/libusb1_1.0.29.bb +++ b/meta/recipes-support/libusb/libusb1_1.0.29.bb @@ -14,6 +14,7 @@ BBCLASSEXTEND = "native nativesdk" SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/libusb-${PV}.tar.bz2 \ file://run-ptest \ + file://CVE-2026-23679_CVE-2026-47104.patch \ " GITHUB_BASE_URI = "https://github.com/libusb/libusb/releases"