lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260121203944.1898-2-qikeyu2017@gmail.com>
Date: Thu, 22 Jan 2026 04:39:45 +0800
From: Kery Qi <qikeyu2017@...il.com>
To: gregkh@...uxfoundation.org
Cc: balbi@...nel.org,
	jaswinder.singh@...aro.org,
	linux-usb@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Kery Qi <qikeyu2017@...il.com>
Subject: [PATCH] USB: gadget: validate endpoint index for max3420 udc

The max3420_getstatus() and max3420_set_clear_feature() functions use
the endpoint index from USB setup packet's wIndex field to access the
endpoint array. The index is masked with USB_ENDPOINT_NUMBER_MASK (0x0f),
which allows values 0-15, but the endpoint array (udc->ep) only has
MAX3420_MAX_EPS (4) elements.

A malicious USB host can send a specially crafted control request with
an invalid endpoint index (>= 4) to trigger an out-of-bounds array access,
potentially leading to information disclosure or kernel memory corruption.

Add validation to ensure the endpoint index is within bounds before
accessing the endpoint array.

Fixes: 48ba02b2e2b1a ("usb: gadget: add udc driver for max3420")
Signed-off-by: Kery Qi <qikeyu2017@...il.com>
---
 drivers/usb/gadget/udc/max3420_udc.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/usb/gadget/udc/max3420_udc.c b/drivers/usb/gadget/udc/max3420_udc.c
index 7349ea774adf..9d183a986380 100644
--- a/drivers/usb/gadget/udc/max3420_udc.c
+++ b/drivers/usb/gadget/udc/max3420_udc.c
@@ -548,6 +548,9 @@ static void max3420_getstatus(struct max3420_udc *udc)
 			goto stall;
 		break;
 	case USB_RECIP_ENDPOINT:
+		if ((udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK)
+				>= MAX3420_MAX_EPS)
+			goto stall;
 		ep = &udc->ep[udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK];
 		if (udc->setup.wIndex & USB_DIR_IN) {
 			if (!ep->ep_usb.caps.dir_in)
@@ -596,6 +599,8 @@ static void max3420_set_clear_feature(struct max3420_udc *udc)
 			break;
 
 		id = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK;
+		if (id >= MAX3420_MAX_EPS)
+			break;
 		ep = &udc->ep[id];
 
 		spin_lock_irqsave(&ep->lock, flags);
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ