| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1d014d1c-66f1-42cd-8890-0cce7e3963c2@rowland.harvard.edu> Date: Sat, 10 Jan 2026 17:08:17 -0500 From: Alan Stern <stern@...land.harvard.edu> To: pip-izony <eeodqql09@...il.com> Cc: Mathias Nyman <mathias.nyman@...el.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Kyungtae Kim <Kyungtae.Kim@...tmouth.edu>, Reyad Attiyat <reyad.attiyat@...il.com>, linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] usb: xhci: fix potential divide-by-zero in xhci_urb_enqueue() On Sat, Jan 10, 2026 at 01:34:21PM -0500, pip-izony wrote: > From: Seungjin Bae <eeodqql09@...il.com> > > The `xhci_urb_enqueue()` validates Bulk OUT transfers by checking if the > buffer length is a multiple of the packet size. However, it doesn't check > whether the endpoint's `wMaxPacketSize` is zero before using it as a > divisor in a modulo operation. > > If a malicious USB device sends a descriptor with `wMaxPacketSize` set to > 0, it triggers a divide-by-zero exception (kernel panic). This allows an > attacker with physical access to crash the system, leading to a Denial of > Service. How did you become aware of this problem? > Fix this by adding a check to ensure `wMaxPacketSize` is greater than 0 > before performing the modulo operation. Not necessary. This can never happen, because transfers to or from endpoints with wMaxPacketSize set to 0 are rejected in usb_submit_urb() with error code -EMSGSIZE. Alan Stern
Powered by blists - more mailing lists