[Bug] #11254
Description
RT-Thread Version
master (verified on commit b7686b8); also observed on v5.2.2 and v5.2.1
Hardware Type/Architectures
potentially any BSP enabling USB device audio
Develop Toolchain
Other
Describe the bug
Summary
A stack-based buffer overflow vulnerability exists in the CherryUSB device audio request handlers, caused by insufficient validation of a host-controlled request length field.
A malicious USB host can craft a malformed class-specific OUT control request with an attacker-controlled wLength value. This value is subsequently passed — without bounds checking — as the size argument to memcpy(), writing into fixed-size stack-allocated variables.
Vulnerability Details
Affected File
components/drivers/usb/cherryusb/class/audio/usbd_audio.c
Vulnerable Code Path
static int audio_class_endpoint_request_handler(
uint8_t busid,
struct usb_setup_packet *setup,
uint8_t **data,
uint32_t *len)
{
uint32_t sampling_freq = 0;
// ...
case AUDIO_REQUEST_SET_CUR:
memcpy((uint8_t *)&sampling_freq, *data, *len); // ← unchecked *len
usbd_audio_set_sampling_freq(busid, ep, sampling_freq);
}
sampling_freq is a 4-byte stack variable, while *len is derived directly from setup->wLength as supplied by the USB host. No upper-bound validation is performed before the copy.
Request Propagation Path
components/drivers/usb/cherryusb/core/usbd_core.c
The core logic accepts OUT control requests provided that wLength <= CONFIG_USBDEV_REQUEST_BUFFER_LEN, reads that many bytes into the EP0 request buffer, and then forwards the same length value to the class request handler unchanged.
Consequently, any malformed request with wLength > 4 can trigger an out-of-bounds write into the stack frame of audio_class_endpoint_request_handler().
Additional Vulnerable Sinks (Same File)
Two further unchecked copies were identified in usbd_audio.c:
| Sink | Variable | Type | Risk |
|---|---|---|---|
| memcpy(&volume, *data, *len) | volume | uint16_t (2 bytes) | OOB write if *len > 2 |
| memcpy(&sampling_freq, *data, setup->wLength) | sampling_freq (UAC2 path) | uint32_t (4 bytes) | OOB write if wLength > 4 |
Kindly let me know if you intend to request a CVE ID upon confirmation of the vulnerability.
Other additional context
No response