[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2025062834-botanist-crop-4aec@gregkh>
Date: Sat, 28 Jun 2025 17:04:53 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Sergio Perez Gonzalez <sperezglz@...il.com>
Cc: michal.simek@....com, linux-usb@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
shuah@...nel.org
Subject: Re: [PATCH] usb: gadget: udc-xilinx: validate ep number before
indexing rambase[]
On Fri, Jun 27, 2025 at 12:01:22AM -0600, Sergio Perez Gonzalez wrote:
> Issue flagged by coverity. The size of the rambase array is 8,
> usb_enpoint_num() can return 0 to 15, prevent out of bounds reads.
But how can that happen with this hardware? As the array states, this
hardware only has that many endpoints availble to it, so how can it ever
be larger?
> Link: https://scan7.scan.coverity.com/#/project-view/53936/11354?selectedIssue=1644635
> Signed-off-by: Sergio Perez Gonzalez <sperezglz@...il.com>
What commit id does this fix?
> ---
> drivers/usb/gadget/udc/udc-xilinx.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/usb/gadget/udc/udc-xilinx.c b/drivers/usb/gadget/udc/udc-xilinx.c
> index 8d803a612bb1..0c3714de2e3b 100644
> --- a/drivers/usb/gadget/udc/udc-xilinx.c
> +++ b/drivers/usb/gadget/udc/udc-xilinx.c
> @@ -814,6 +814,12 @@ static int __xudc_ep_enable(struct xusb_ep *ep,
> ep->is_in = ((desc->bEndpointAddress & USB_DIR_IN) != 0);
> /* Bit 3...0:endpoint number */
> ep->epnumber = usb_endpoint_num(desc);
> + if (ep->epnumber >= XUSB_MAX_ENDPOINTS) {
> + dev_dbg(udc->dev, "bad endpoint index %d: only 0 to %d supported\n",
> + ep->epnumber, (XUSB_MAX_ENDPOINTS - 1));
> + return -EINVAL;
Any hints as to how this was tested?
thanks,
greg k-h
Powered by blists - more mailing lists