NetBSD Security Advisory 2023-001: Multiple buffer overflows in USB drivers

		 NetBSD Security Advisory 2023-001

Topic:		Multiple buffer overflows in USB drivers

Version:	NetBSD-current:		affected up to 9.99.32
		NetBSD 10.0_BETA:	not affected
		NetBSD 9.3:		not affected
		NetBSD 9.2:		not affected
		NetBSD 9.1:		not affected
		NetBSD 9.0:		not affected
		NetBSD 8.2:		not affected
		NetBSD 8.1:		affected
		NetBSD 8.0:		affected

Severity:	A malicious USB device can execute code in the kernel

Fixed:		NetBSD-current:		2020-01-01
		NetBSD-10 branch:	N/A
		NetBSD-9 branch:	N/A
		NetBSD-8 branch:	2020-01-02

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.


A malicious USB device can execute code in the kernel.

Technical Details

Multiple buffer overflows in src/sys/dev/usb/uthum.c were found: the
report lengths sc_olen and sc_flen are controlled by the USB device. By
crafting sc_olen, the device can leak stack data; by crafting sc_flen, it
can overwrite the stack. Combining the two, the device can ROP the kernel
and obtain code execution (demonstrated with an actual exploit over vHCI).
Additionally, the lengths were not truncated to the size of the buffers.

Multiple buffer overflows in src/sys/dev/usb/uhid.c were found: In
several places, there was no check to see if size + extra fits into the

src/sys/dev/usb/ucycom.c: The lengths at attach time were not validated.
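The bug class behind the uthum and uhid entries above, shown as an added example on a toy driver. This is not NetBSD code: the softc, buffer size, frame layout and function names are all hypothetical, and the "report" the device sends is constructed inline. The vulnerable copy trusts a device-chosen length and spills past its buffer (here onto a canary standing in for a saved return address); the fixed variant validates the lengths once at attach time and truncates every copy anyway, and a separate check shows the size + extra test that also has to guard against the addition wrapping around.

```c
/* Added example, not NetBSD code. All names here are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPORT_BUF_SIZE 64        /* hypothetical fixed-size report buffer */
#define CANARY 0xdeadbeefu

/* Hypothetical softc: report lengths that come from the device. */
struct toy_softc {
    size_t sc_olen;               /* output report length */
    size_t sc_flen;               /* feature report length */
};

/* Stand-in for a stack frame: the report buffer followed by a canary that
 * plays the role of the saved return address. Bytes written past buf land
 * on the canary. */
struct frame {
    uint8_t  buf[REPORT_BUF_SIZE];
    uint32_t canary;
};

/* Vulnerable pattern: copy sc_flen bytes of a feature report into a fixed
 * buffer, trusting the device. The copy is capped at sizeof(struct frame)
 * only so the demo has defined behaviour; a real driver would keep going.
 * Returns 1 if the canary was clobbered, i.e. the device now controls what
 * sits after the buffer. */
int vuln_store_report(const struct toy_softc *sc)
{
    uint8_t report[sizeof(struct frame)];
    struct frame f;
    size_t n = sc->sc_flen;                  /* BUG: never compared to buf */

    memset(report, 0x41, sizeof report);     /* constructed device payload */
    f.canary = CANARY;
    if (n > sizeof f)
        n = sizeof f;                        /* demo-only cap, see above */
    memcpy((uint8_t *)&f, report, n);        /* overruns buf into canary */
    return f.canary != CANARY;
}

/* Leak side: the device asks for sc_olen output bytes but the driver only
 * filled `filled` of them. Returns how many uninitialised stack bytes would
 * be sent back to the device. */
size_t vuln_leak_bytes(const struct toy_softc *sc, size_t filled)
{
    return sc->sc_olen > filled ? sc->sc_olen - filled : 0;   /* BUG */
}

/* Fix, part 1: validate the device-supplied lengths once, at attach time,
 * and refuse the device if they do not fit. Returns 0 or EINVAL. */
int validate_report_lengths(struct toy_softc *sc, size_t olen, size_t flen)
{
    if (olen == 0 || flen == 0)
        return EINVAL;
    if (olen > REPORT_BUF_SIZE || flen > REPORT_BUF_SIZE)
        return EINVAL;
    sc->sc_olen = olen;
    sc->sc_flen = flen;
    return 0;
}

/* Fix, part 2: truncate every copy to the buffer anyway, so no later path
 * depends on the attach-time check. Returns 1 if the canary was clobbered
 * (it never is). */
int safe_store_report(const struct toy_softc *sc)
{
    uint8_t report[sizeof(struct frame)];
    struct frame f;
    size_t n = sc->sc_flen;

    memset(report, 0x41, sizeof report);     /* constructed device payload */
    f.canary = CANARY;
    if (n > sizeof f.buf)
        n = sizeof f.buf;                    /* truncate to the buffer */
    memcpy(f.buf, report, n);
    return f.canary != CANARY;
}

/* The uhid-style check: size + extra must fit in buflen, and the sum itself
 * must not wrap around size_t. Returns 1 if it fits, 0 otherwise. */
int fits_with_extra(size_t size, size_t extra, size_t buflen)
{
    if (extra > buflen)
        return 0;
    if (size > SIZE_MAX - extra)
        return 0;                            /* size + extra would wrap */
    return size + extra <= buflen;
}

int main(void)
{
    struct toy_softc sc = { .sc_olen = 8, .sc_flen = 1024 }; /* device claims 1024 */

    printf("vulnerable copy clobbered canary: %d\n", vuln_store_report(&sc));
    printf("hardened copy clobbered canary:   %d\n", safe_store_report(&sc));
    printf("attach accepts flen=1024:         %d\n",
           validate_report_lengths(&sc, 8, 1024) == 0);
    printf("size+extra wrap detected:         %d\n",
           !fits_with_extra(SIZE_MAX, 2, REPORT_BUF_SIZE));
    return 0;
}
```

The two halves of the fix are deliberately redundant: rejecting bad lengths at attach time keeps a hostile device from attaching at all, while clamping at each copy means a later code path cannot be broken by forgetting that the check exists. The wrap-around test matters because size + extra is computed in size_t, and a size near SIZE_MAX would otherwise pass a naive "sum <= buflen" comparison.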

Solutions and Workarounds

Update the kernel to a fixed version and reboot.

There are pre-built binaries for all architectures and NetBSD versions at:

For example you can find the standard GENERIC kernel for NetBSD-9/amd64 at:

Alternatively to build from source for all NetBSD versions, you
need to obtain fixed kernel sources, rebuild and install the new
kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository. The
following instructions briefly summarize how to upgrade your kernel.
In these instructions, replace:

	ARCH	 with your architecture (from uname -m), and
	KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

	# cd src
	# cvs update -d -P sys/dev/usb
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
	# shutdown -r now

For more information on how to do this, see:

Thanks To

Maxime Villard for finding and fixing the vulnerabilities.

Revision History

	2023-06-28	Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at

