| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251006140631.1406643-1-Pavel.Zhigulin@kaspersky.com>
Date: Mon, 6 Oct 2025 17:06:30 +0300
From: Pavel Zhigulin <Pavel.Zhigulin@...persky.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
CC: Pavel Zhigulin <Pavel.Zhigulin@...persky.com>, Peter Korsgaard
<jacmet@...site.dk>, <linux-usb@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <lvc-project@...uxtesting.org>
Subject: [PATCH] usb: c67x00 - fix potential division by zero in c67x00_end_of_data()
The function 'usb_maxpacket' relies on the value of 'epd->wMaxPacketSize',
which can be zero if the device reports itself as an eUSB2 device
(see 'usb_parse_endpoint' in drivers/usb/core/config.c). Under normal
conditions everything works correctly, but if a broken or malformed
device is handled by this module, a division by zero may occur.
Fix the division by zero by checking the result of the 'usb_maxpacket'
call.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: e9b29ffc519b ("USB: add Cypress c67x00 OTG controller HCD driver")
Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@...persky.com>
---
drivers/usb/c67x00/c67x00-sched.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/usb/c67x00/c67x00-sched.c b/drivers/usb/c67x00/c67x00-sched.c
index a09fa68a6ce7..3211843497cc 100644
--- a/drivers/usb/c67x00/c67x00-sched.c
+++ b/drivers/usb/c67x00/c67x00-sched.c
@@ -868,6 +868,9 @@ static inline int c67x00_end_of_data(struct c67x00_td *td)
maxps = usb_maxpacket(td_udev(td), td->pipe);
+ if (unlikely(!maxps))
+ return 1;
+
if (unlikely(act_bytes < maxps))
return 1; /* Smaller then full packet */
--
2.43.0
Powered by blists - more mailing lists