| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260105080241.1261-3-qikeyu2017@gmail.com>
Date: Mon, 5 Jan 2026 16:02:43 +0800
From: Kery Qi <qikeyu2017@...il.com>
To: gregkh@...uxfoundation.org
Cc: linux-kernel@...r.kernel.org,
Kery Qi <qikeyu2017@...il.com>
Subject: [PATCH] USB: gadget: max3420: validate endpoint index for max3420 udc
Assure that the host may not manipulate the index to point past the
endpoint array.
In max3420_getstatus(), the driver uses the wIndex value from the
setup packet to obtain the endpoint index. However, there is no
check to ensure this index is within the valid bounds of the
udc->ep[] array.
A malicious host could send a USB_REQ_GET_STATUS request with a
large endpoint index, leading to an out-of-bounds memory access.
This patch adds a validation check against MAX3420_MAX_EPS. If the
endpoint index is invalid, the request is stalled.
Signed-off-by: Kery Qi <qikeyu2017@...il.com>
---
drivers/usb/gadget/udc/max3420_udc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/udc/max3420_udc.c b/drivers/usb/gadget/udc/max3420_udc.c
index 7349ea774adf..ac11ddf3fcbc 100644
--- a/drivers/usb/gadget/udc/max3420_udc.c
+++ b/drivers/usb/gadget/udc/max3420_udc.c
@@ -548,7 +548,11 @@ static void max3420_getstatus(struct max3420_udc *udc)
goto stall;
break;
case USB_RECIP_ENDPOINT:
- ep = &udc->ep[udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK];
+ u8 epnum = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK;
+
+ if (epnum >= MAX3420_MAX_EPS)
+ goto stall;
+ ep = &udc->ep[epnum];
if (udc->setup.wIndex & USB_DIR_IN) {
if (!ep->ep_usb.caps.dir_in)
goto stall;
--
2.34.1
Powered by blists - more mailing lists