STMicroelectronics/STM32CubeL4

Infinite Loop in STM32 SCSI Driver

maxeisele opened this issue · 3 comments

In function SCSI_ReadCapacity16 the variable idx is of type int8_t. It gets compared against the 32-bit variable hmsc->bot_data_length that is controllable via the USB request from outside.
If the value of that variable is greater than 255, the loop in line 383 can never meet its exit condition, resulting in an infinite loop.

The bug can be triggered by sending the following command via a USB Bulk Write to the device running the affected STM32 USB Stack:
b"\x55\x53\x42\x43\x13\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x9E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1F\x00\x00\x00"

To fix this, I suggest changing the type of idx to uint32_t.

In case you confirm this bug - could you assign a CVE number for it? I found this bug with a newly developed embedded fuzzing method that is yet to be released and CVE numbers give higher acceptance chances for scientific papers in the security testing community.

for (idx = 0U; idx < hmsc->bot_data_length; idx++)
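As an added illustration (not code from the issue or from the STM32Cube stack), the following C snippet parses the CBW quoted above, extracts the READ CAPACITY(16) allocation length that ends up in hmsc->bot_data_length (CDB bytes 10..13 per the SCSI command layout), and shows a hardened form of the clearing loop: a uint32_t index as the reporter suggests, plus a clamp to the response buffer size. The buffer size BOT_DATA_SIZE and the function names are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Bulk-Only Transport CBW: "USBC" signature, tag, transfer length, flags,
 * LUN, CB length, then a 16-byte command block (31 bytes in total). */
#define CBW_LEN              31u
#define CBW_CB_OFFSET        15u
#define SCSI_READ_CAPACITY16 0x9Eu

/* Assumed response buffer size; the real MSC buffer size is not given in the issue. */
#define BOT_DATA_SIZE        512u

/* Constructed copy of the CBW quoted in the issue (31 bytes). */
static const uint8_t g_issue_cbw[CBW_LEN] = {
    0x55, 0x53, 0x42, 0x43,   /* dCBWSignature "USBC" */
    0x13, 0x00, 0x00, 0x00,   /* dCBWTag */
    0x00, 0x00, 0x00, 0x00,   /* dCBWDataTransferLength */
    0x00, 0x00, 0x06,         /* bmCBWFlags, bCBWLUN, bCBWCBLength */
    0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x1F, 0x00, 0x00, 0x00  /* CBWCB */
};

/* Extract the READ CAPACITY(16) allocation length (CDB bytes 10..13, big-endian).
 * Returns 0 for a malformed CBW or a different opcode. */
uint32_t cbw_read_capacity16_alloc_len(const uint8_t *cbw, size_t len)
{
    if (len != CBW_LEN || memcmp(cbw, "USBC", 4) != 0)
        return 0;
    const uint8_t *cb = cbw + CBW_CB_OFFSET;
    if (cb[0] != SCSI_READ_CAPACITY16)
        return 0;
    return ((uint32_t)cb[10] << 24) | ((uint32_t)cb[11] << 16) |
           ((uint32_t)cb[12] << 8)  |  (uint32_t)cb[13];
}

/* Hardened clearing loop: the index has the same 32-bit width as the
 * host-controlled length, and the length is clamped to the buffer size so a
 * large request can neither stall the loop nor index past the buffer.
 * Returns the number of bytes actually cleared. */
uint32_t clear_bot_data(uint8_t *bot_data, uint32_t bot_data_size, uint32_t requested_len)
{
    uint32_t n = requested_len < bot_data_size ? requested_len : bot_data_size;
    for (uint32_t idx = 0U; idx < n; idx++)
        bot_data[idx] = 0U;
    return n;
}
```

For the quoted CBW the extracted allocation length is 0x1F00 (7936), well above both the int8_t range and the assumed buffer size, which is why the clamp matters in addition to the wider index type.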

Thanks for reporting this issue. It is now managed by ST PSIRT team.

ST Internal Reference: 131746

Hi @maxeisele,

The issue has been fixed in version 1.18.0, as you can see below. Thank you again for reporting it.

With regards,