lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <4d714043-bf6c-46f2-b7c5-a41b37d4e0ba@linux.intel.com>
Date: Mon, 12 Jan 2026 11:30:10 +0200
From: Mathias Nyman <mathias.nyman@...ux.intel.com>
To: Alan Stern <stern@...land.harvard.edu>, pip-izony <eeodqql09@...il.com>
Cc: Mathias Nyman <mathias.nyman@...el.com>,
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
 Kyungtae Kim <Kyungtae.Kim@...tmouth.edu>,
 Reyad Attiyat <reyad.attiyat@...il.com>, linux-usb@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH] usb: xhci: fix potential divide-by-zero in
 xhci_urb_enqueue()

On 1/11/26 00:08, Alan Stern wrote:
> On Sat, Jan 10, 2026 at 01:34:21PM -0500, pip-izony wrote:
>> From: Seungjin Bae <eeodqql09@...il.com>
>>
>> The `xhci_urb_enqueue()` validates Bulk OUT transfers by checking if the
>> buffer length is a multiple of the packet size. However, it doesn't check
>> whether the endpoint's `wMaxPacketSize` is zero before using it as a
>> divisor in a modulo operation.
>>
>> If a malicious USB device sends a descriptor with `wMaxPacketSize` set to
>> 0, it triggers a divide-by-zero exception (kernel panic). This allows an
>> attacker with physical access to crash the system, leading to a Denial of
>> Service.
> 
> How did you become aware of this problem?
> 
>> Fix this by adding a check to ensure `wMaxPacketSize` is greater than 0
>> before performing the modulo operation.
> 
> Not necessary.  This can never happen, because transfers to or from
> endpoints with wMaxPacketSize set to 0 are rejected in usb_submit_urb()
> with error code -EMSGSIZE.
> 

Only special embedded high-speed eUSB double isoch bandwidth devices can have
isoch endpoints with wMaxPacketSize set to zero.

This divide by zero case is only an issue for Bulk OUT endpoints, which as Alan
said, will be rejected by usb_submit_urb()

Thanks
Mathias

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ