[Virtualbox][CVE-2020-2575] 분석

int vusbUrbSubmit(PVUSBURB pUrb) { ... /* * Check that the device is in a valid state. */ const VUSBDEVICESTATE enmState = vusbDevGetState(pDev); if (enmState == VUSB_DEVICE_STATE_RESET) { LogRel(("VUSB: %s: power off ignored, the device is resetting!\n", pDev->pUsbIns->pszName)); pUrb->enmStatus = VUSBSTATUS_DNR; /* This will postpone the TDs until we're done with the resetting. */ return VERR_VUSB_DEVICE_IS_RESETTING; } ... if (pUrb->EndPt >= VUSB_PIPE_MAX) { Log(("%s: pDev=%p[%s]: SUBMIT: ep %i >= %i!!!\n", pUrb->pszDesc, pDev, pDev->pUsbIns->pszName, pUrb->EndPt, VUSB_PIPE_MAX)); return vusbUrbSubmitHardError(pUrb); } ... if (!pEndPtDesc) { Log(("%s: pDev=%p[%s]: SUBMIT: no endpoint!!! dir=%s e=%i\n", pUrb->pszDesc, pDev, pDev->pUsbIns->pszName, vusbUrbDirName(pUrb->enmDir), pUrb->EndPt)); return vusbUrbSubmitHardError(pUrb); } ... pUrb->enmState = VUSBURBSTATE_IN_FLIGHT; switch (pUrb->enmType) { case VUSBXFERTYPE_CTRL: rc = vusbUrbSubmitCtrl(pUrb); //여기서 터지는 취약점임. break; case VUSBXFERTYPE_BULK: rc = vusbUrbSubmitBulk(pUrb); break; case VUSBXFERTYPE_INTR: rc = vusbUrbSubmitInterrupt(pUrb); break; case VUSBXFERTYPE_ISOC: rc = vusbUrbSubmitIsochronous(pUrb); break; default: AssertMsgFailed(("Unexpected pUrb type %d\n", pUrb->enmType)); return vusbUrbSubmitHardError(pUrb); } ... else if ( RT_FAILURE(rc) && !ASMAtomicReadU32(&pDev->aPipes[pUrb->EndPt].async) /* && pUrb->enmType == VUSBXFERTYPE_BULK ?? */ && !vusbUrbErrorRh(pUrb)) { /* don't retry it anymore. */ pUrb->enmState = VUSBURBSTATE_REAPED; pUrb->enmStatus = VUSBSTATUS_CRC; vusbUrbCompletionRh(pUrb); return VINF_SUCCESS; } return rc; }