lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <2026012246-yeast-attempt-1ca1@gregkh>
Date: Thu, 22 Jan 2026 06:32:22 +0100
From: Greg KH <gregkh@...uxfoundation.org>
To: Kery Qi <qikeyu2017@...il.com>
Cc: balbi@...nel.org, jaswinder.singh@...aro.org, linux-usb@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] USB: gadget: validate endpoint index for max3420 udc

On Thu, Jan 22, 2026 at 04:39:45AM +0800, Kery Qi wrote:
> The max3420_getstatus() and max3420_set_clear_feature() functions use
> the endpoint index from USB setup packet's wIndex field to access the
> endpoint array. The index is masked with USB_ENDPOINT_NUMBER_MASK (0x0f),
> which allows values 0-15, but the endpoint array (udc->ep) only has
> MAX3420_MAX_EPS (4) elements.
> 
> A malicious USB host can send a specially crafted control request with
> an invalid endpoint index (>= 4) to trigger an out-of-bounds array access,
> potentially leading to information disclosure or kernel memory corruption.
> 
> Add validation to ensure the endpoint index is within bounds before
> accessing the endpoint array.

We've been through this before, please read the archives for the last
time this was attempted to be submitted, and go and fix the tool you are
using to find these.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ