[usb-device] Verify wTotalLength sanity

A malicious USB device could change the value it returns in wTotalLength
when the USB host reads configuration descriptors, because those
descriptors must be requested twice -- once to read only the header of
the descriptor to learn the length, and then once again to retrieve the
entire descriptor into an appropriately-sized buffer.

We already verified that the number of bytes we read back in the second
request matched the length specified in the first, but we did not verify
that the contents of the second request matched those of the first.
Failing to do so would leave a descriptor that claims to be longer than
the buffer allocated to it is, which if not handled very carefully could
lead to out-of-bounds reads.  Indeed, the rest of the code treats
wTotalLength as authoritative.

If a device attempts such trickery, we should reject the device in the
same way we'd reject it if it gave us a short read.

Additionally, we should reject wTotalLength values that are shorter than
the config descriptor header -- they can't possibly be valid.

Test: added new test for this case to usb-device-test that fails before
the change but passes after.

We're grateful to Quarkslab for reporting this vulnerability.

Fixed: 50619
Change-Id: I70caa5c1da47c305fc4bcd32c0d35484ca18a323
Reviewed-on: https://fuchsia-review.googlesource.com/c/fuchsia/+/391569
Reviewed-by: Brian Bosak <bbosak@google.com>
Testability-Review: Drew Fisher <zarvox@google.com>
Commit-Queue: Drew Fisher <zarvox@google.com>
2 files changed
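The two-request read described in the commit message, as an added C example; it is not the Fuchsia change itself. The `get_desc_fn` transport callback, the `fake_dev` test device and the function names are assumptions made for illustration, and the device data is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONFIG_HDR_LEN 9 /* size of a USB configuration descriptor header */

/* Hypothetical transport: fills buf with up to len descriptor bytes, returns bytes read. */
typedef size_t (*get_desc_fn)(void *dev, uint8_t *buf, size_t len);

/* wTotalLength is the little-endian 16-bit field at offset 2. */
static uint16_t total_length(const uint8_t *d) { return (uint16_t)(d[2] | (d[3] << 8)); }

/* Returns a malloc'd descriptor of *out_len bytes, or NULL if the device is rejected. */
uint8_t *read_config_descriptor(get_desc_fn get, void *dev, size_t *out_len) {
    uint8_t hdr[CONFIG_HDR_LEN];
    if (get(dev, hdr, sizeof hdr) != sizeof hdr) return NULL; /* short header read */
    uint16_t claimed = total_length(hdr);
    if (claimed < CONFIG_HDR_LEN) return NULL; /* shorter than its own header */
    uint8_t *buf = malloc(claimed);
    if (!buf) return NULL;
    /* Reject a short read, and reject a second copy whose wTotalLength no longer
     * matches the length the buffer was sized from. */
    if (get(dev, buf, claimed) != claimed || total_length(buf) != claimed) {
        free(buf);
        return NULL;
    }
    *out_len = claimed;
    return buf;
}

/* Constructed device: reports `first` on the first request and `later` afterwards. */
struct fake_dev { uint16_t first, later; int calls; };

static size_t fake_get(void *ctx, uint8_t *buf, size_t len) {
    struct fake_dev *d = ctx;
    uint16_t tl = d->calls++ == 0 ? d->first : d->later;
    memset(buf, 0, len);
    buf[0] = CONFIG_HDR_LEN; buf[1] = 2; /* bLength, bDescriptorType = CONFIGURATION */
    buf[2] = (uint8_t)(tl & 0xff); buf[3] = (uint8_t)(tl >> 8);
    return len;
}

/* Returns 1 if the descriptor was accepted, 0 if the device was rejected. */
int accepts(uint16_t first, uint16_t later) {
    struct fake_dev d = { first, later, 0 };
    size_t n = 0;
    uint8_t *desc = read_config_descriptor(fake_get, &d, &n);
    int ok = desc != NULL && n == first;
    free(desc);
    return ok;
}

int main(void) { printf("%d %d %d\n", accepts(32, 32), accepts(32, 512), accepts(4, 4)); return 0; }
```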
README.md

Fuchsia

Pink + Purple == Fuchsia (a new operating system)

What is Fuchsia?

Fuchsia is a modular, capability-based operating system. Fuchsia runs on modern 64-bit Intel and ARM processors.

Fuchsia is an open source project with a code of conduct that we expect everyone who interacts with the project to respect.

How can I build and run Fuchsia?

See Getting Started.

Where can I learn more about Fuchsia?

See fuchsia.dev.