| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260105081402.1287-2-qikeyu2017@gmail.com> Date: Mon, 5 Jan 2026 16:14:02 +0800 From: Kery Qi <qikeyu2017@...il.com> To: gregkh@...uxfoundation.org Cc: linux-kernel@...r.kernel.org, Kery Qi <qikeyu2017@...il.com> Subject: [PATCH] USB: gadget: max3420: validate endpoint index in set_clear_feature Assure that the host may not manipulate the index to point past the endpoint array. In max3420_set_clear_feature(), the driver derives the endpoint index from the wIndex field of the setup packet. However, there is no check to ensure this index is within the valid bounds of the udc->ep[] array. A malicious host could send a USB_REQ_SET_FEATURE or USB_REQ_CLEAR_FEATURE request with a large endpoint index, leading to an out-of-bounds memory access when accessing udc->ep[id]. This patch adds a validation check against MAX3420_MAX_EPS. If the endpoint index is invalid, we simply break the switch statement to invoke the existing error handling path. Signed-off-by: Kery Qi <qikeyu2017@...il.com> --- drivers/usb/gadget/udc/max3420_udc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/gadget/udc/max3420_udc.c b/drivers/usb/gadget/udc/max3420_udc.c index ac11ddf3fcbc..f4f549d88d6d 100644 --- a/drivers/usb/gadget/udc/max3420_udc.c +++ b/drivers/usb/gadget/udc/max3420_udc.c @@ -600,6 +600,8 @@ static void max3420_set_clear_feature(struct max3420_udc *udc) break; id = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK; + if (id >= MAX3420_MAX_EPS) + break; ep = &udc->ep[id]; spin_lock_irqsave(&ep->lock, flags); -- 2.34.1
Powered by blists - more mailing lists