---
- branch: netbsd-8
  date: Thu Jan 2 09:43:56 UTC 2020
  files:
  - new: 1.45.8.1
    old: '1.45'
    path: src/sys/dev/usb/ucycom.c
    pathrev: src/sys/dev/usb/ucycom.c@1.45.8.1
    type: modified
  - new: 1.99.6.1
    old: '1.99'
    path: src/sys/dev/usb/uhid.c
    pathrev: src/sys/dev/usb/uhid.c@1.99.6.1
    type: modified
  - new: 1.13.8.1
    old: '1.13'
    path: src/sys/dev/usb/uthum.c
    pathrev: src/sys/dev/usb/uthum.c@1.13.8.1
    type: modified
  id: 20200102T094356Z.2d3f3a24116e95256c41d6d618efa06c3b033324
  log: |
    Pull up following revision(s) (requested by maxv in ticket #1480):

    	sys/dev/usb/uthum.c: revision 1.18
    	sys/dev/usb/ucycom.c: revision 1.49
    	sys/dev/usb/uhid.c: revision 1.111

    Fix buffer overflows. sc_{o,f}len are controlled by the USB device. By
    crafting the former the device can leak stack data. By crafting the latter
    the device can overwrite the stack. The combination of the two means the
    device can ROP the kernel and obtain code execution (demonstrated with an
    actual exploit over vHCI).

    Truncate the lengths to the size of the buffers, and also drop sc_ilen
    since it is unused. Patch tested with vHCI+kASan.

     -

    Fix buffer overflows. Also add missing mutex_exit.

     -

    Fix buffer overflows: validate the lengths at attach time, given that they
    are apparently not supposed to be variable. Drop sc_ilen since it is
    unused.
  module: src
  subject: 'CVS commit: [netbsd-8] src/sys/dev/usb'
  unixtime: '1577958236'
  user: martin