Re: [OE-core] [master] [PATCH v2] libusb1: fix CVE-2026-23679 and CVE-2026-47104

[Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org]

Hi @Yoann Congal<mailto:yoann.con...@smile.fr>,
Thanks for the clarification. I understand that the fix is available in v1.0.30 
and will be covered by the planned upgrade, so this backport is not needed for 
OE-Core master.
Thanks for reviewing it and for checking the stable branch backports.
Regards,
Anil Dongare
________________________________
From: Yoann Congal <yoann.con...@smile.fr>
Sent: Monday, June 15, 2026 4:58 AM
To: Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) 
<adong...@cisco.com>; openembedded-core@lists.openembedded.org 
<openembedded-core@lists.openembedded.org>
Cc: xe-linux-external(mailer list) <xe-linux-exter...@cisco.com>; 
t...@cisco.com <t...@cisco.com>
Subject: Re: [OE-core] [master] [PATCH v2] libusb1: fix CVE-2026-23679 and 
CVE-2026-47104

On Mon Jun 15, 2026 at 1:08 PM CEST, Anil Dongare -X (adongare - E INFOCHIPS 
PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Anil Dongare <adong...@cisco.com>
>
> - Pick the upstream patch [1] as mentioned in [2] and [3].
>   included in v1.0.28.

That patch in included in v1.0.30, not 1.0.28 (OE-core master is
currently at v1.0.29).

Also, this backport will be superseded by the v1.0.30 upgrade in:
https://lore.kernel.org/all/20260614080307.4017177-21-richard.pur...@linuxfoundation.org/

(I'll take a look at the backport for stable branches though)

Regards,


> [1] 
> https://github.com/libusb/libusb/commit/bc0886173ea15b8cc9bba2918f58a97a7f185231
> [2] https://security-tracker.debian.org/tracker/CVE-2026-23679.
> [3] https://security-tracker.debian.org/tracker/CVE-2026-47104.
>
> Signed-off-by: Anil Dongare <adong...@cisco.com>
> ---
>  .../CVE-2026-23679_CVE-2026-47104.patch       | 89 +++++++++++++++++++
>  meta/recipes-support/libusb/libusb1_1.0.29.bb |  1 +
>  2 files changed, 90 insertions(+)
>  create mode 100644 
> meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch
>
> diff --git 
> a/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch 
> b/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch
> new file mode 100644
> index 0000000000..f15f089f9f
> --- /dev/null
> +++ b/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch
> @@ -0,0 +1,89 @@
> +From 04a9508e07582f553e9ea767f9e4a9b93839914b Mon Sep 17 00:00:00 2001
> +From: MarkLee131 <kaixuan...@ntu.edu.sg>
> +Date: Sat, 25 Apr 2026 18:33:17 +0800
> +Subject: [PATCH] descriptor: Fix two memory-safety bugs in malformed config
> + descriptor handling
> +
> +Two issues reachable from a malformed config descriptor returned by an
> +attached USB device, both surfaced by the same libFuzzer + ASan run.
> +
> +1) parse_interface() reads bNumEndpoints from the interface descriptor and
> +   increments usb_interface->num_altsetting before entering the inner loop
> +   that skips class/vendor specific descriptors ahead of the endpoint
> +   array. If that loop's bLength > size short-read branch fires, the
> +   function returns before the endpoint array is allocated, leaving the
> +   caller with bNumEndpoints > 0 and endpoint == NULL. libusb.h documents
> +   endpoint as an array sized by bNumEndpoints, and the testlibusb and
> +   xusb examples both iterate it accordingly, so a NULL deref follows.
> +   Reset bNumEndpoints to 0 before returning so the invariant holds.
> +
> +2) The first-pass loop in parse_iad_array() compares header.bLength
> +   against the original size argument instead of the remaining bytes,
> +   so a single descriptor with bLength == size - 1 lets consumed reach
> +   size - 1 and the next iteration enters with only one byte of buffer
> +   left. The buf[1] read on the second line of the loop body lands one
> +   byte past the malloc allocation that backs the descriptor data. The
> +   sibling parsers parse_configuration() and parse_interface() in the
> +   same file already use the remaining-bytes form. Switch the IAD parser
> +   loop guard and bound check to match.
> +
> +Both code paths are reachable from public APIs 
> (libusb_get_*_config_descriptor
> +and libusb_get_*_interface_association_descriptors), with the malformed
> +input supplied by the attached device. Minimal reproducers are 20 and
> +9 bytes respectively.
> +
> +Fixes #1813
> +
> +CVE: CVE-2026-23679 CVE-2026-47104
> +Upstream-Status: Backport 
> [https://github.com/libusb/libusb/commit/bc0886173ea15b8cc9bba2918f58a97a7f185231]
> +
> +Backport Changes:
> +- The upstream version_nano.h bump is omitted because this is a security
> +  backport to libusb 1.0.29, not a version upgrade.
> +
> +Signed-off-by: MarkLee131 <kaixuan...@ntu.edu.sg>
> +(cherry picked from commit bc0886173ea15b8cc9bba2918f58a97a7f185231)
> +Signed-off-by: Anil Dongare <adong...@cisco.com>
> +---
> + libusb/descriptor.c | 10 +++++++---
> + 1 file changed, 7 insertions(+), 3 deletions(-)
> +
> +diff --git a/libusb/descriptor.c b/libusb/descriptor.c
> +index 870883a..7d4f118 100644
> +--- a/libusb/descriptor.c
> ++++ b/libusb/descriptor.c
> +@@ -241,6 +241,10 @@ static int parse_interface(libusb_context *ctx,
> +                              usbi_warn(ctx,
> +                                        "short extra intf desc read %d/%u",
> +                                        size, header->bLength);
> ++                            /* Keep the invariant: bNumEndpoints > 0 implies
> ++                             * endpoint != NULL. The endpoint array isn't
> ++                             * allocated yet on this early return. */
> ++                            ifp->bNumEndpoints = 0;
> +                              return parsed;
> +                      }
> +
> +@@ -1365,7 +1369,7 @@ static int parse_iad_array(struct libusb_context *ctx,
> +
> +      /* First pass: Iterate through desc list, count number of IADs */
> +      iad_array->length = 0;
> +-    while (consumed < size) {
> ++    while (size - consumed >= DESC_HEADER_LENGTH) {
> +              header.bLength = buf[0];
> +              header.bDescriptorType = buf[1];
> +              if (header.bLength < DESC_HEADER_LENGTH) {
> +@@ -1373,9 +1377,9 @@ static int parse_iad_array(struct libusb_context *ctx,
> +                               header.bLength);
> +                      return LIBUSB_ERROR_IO;
> +              }
> +-            else if (header.bLength > size) {
> ++            else if (header.bLength > size - consumed) {
> +                      usbi_warn(ctx, "short config descriptor read %d/%u",
> +-                                      size, header.bLength);
> ++                                      size - consumed, header.bLength);
> +                      return LIBUSB_ERROR_IO;
> +              }
> +              if (header.bDescriptorType == LIBUSB_DT_INTERFACE_ASSOCIATION)
> +--
> +2.51.0
> +
> diff --git a/meta/recipes-support/libusb/libusb1_1.0.29.bb 
> b/meta/recipes-support/libusb/libusb1_1.0.29.bb
> index 856e32d1c6..d287ec171f 100644
> --- a/meta/recipes-support/libusb/libusb1_1.0.29.bb
> +++ b/meta/recipes-support/libusb/libusb1_1.0.29.bb
> @@ -14,6 +14,7 @@ BBCLASSEXTEND = "native nativesdk"
>
>  SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/libusb-${PV}.tar.bz2 \
>             file://run-ptest \
> +           file://CVE-2026-23679_CVE-2026-47104.patch \
>             "
>
>  GITHUB_BASE_URI = "https://github.com/libusb/libusb/releases";


--
Yoann Congal
Smile ECS


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#238867): 
https://lists.openembedded.org/g/openembedded-core/message/238867
Mute This Topic: https://lists.openembedded.org/mt/119813495/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-