| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20240625020326.2564860-1-make24@iscas.ac.cn> Date: Tue, 25 Jun 2024 10:03:26 +0800 From: Ma Ke <make24@...as.ac.cn> To: neal_liu@...eedtech.com, gregkh@...uxfoundation.org, joel@....id.au, andrew@...econstruct.com.au Cc: linux-aspeed@...ts.ozlabs.org, linux-usb@...r.kernel.org, linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org, Ma Ke <make_ruc2021@....com> Subject: [PATCH v3] usb: gadget: aspeed_udc: validate endpoint index for ast udc From: Ma Ke <make_ruc2021@....com> We should verify the bound of the array to assure that host may not manipulate the index to point past endpoint array. Found by static analysis. Signed-off-by: Ma Ke <make_ruc2021@....com> --- Changes in v3: - added the changelog as suggested. Changes in v2: - use correct macro-defined constants as suggested; - explain the method for finding and testing vulnearabilities. --- drivers/usb/gadget/udc/aspeed_udc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/gadget/udc/aspeed_udc.c b/drivers/usb/gadget/udc/aspeed_udc.c index 3916c8e2ba01..d972ef4644bc 100644 --- a/drivers/usb/gadget/udc/aspeed_udc.c +++ b/drivers/usb/gadget/udc/aspeed_udc.c @@ -1009,6 +1009,8 @@ static void ast_udc_getstatus(struct ast_udc_dev *udc) break; case USB_RECIP_ENDPOINT: epnum = crq.wIndex & USB_ENDPOINT_NUMBER_MASK; + if (epnum >= AST_UDC_NUM_ENDPOINTS) + goto stall; status = udc->ep[epnum].stopped; break; default: -- 2.25.1
Powered by blists - more mailing lists