Message-ID: <CALEuBanDC_8YfPsbh6P-S4aBwih3WqofOg+3oN6PwF+noeyRdg@mail.gmail.com>
Date: Thu, 22 Jan 2026 18:16:08 +0800
From: Kery Qi <qikeyu2017@...il.com>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: balbi@...nel.org, jaswinder.singh@...aro.org, linux-usb@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] USB: gadget: validate endpoint index for max3420 udc

Hi greg k-h,

Thank you for your response.

I'd like to clarify that I found this issue by performing variant analysis
based on commit 7f14c7227f342d9932f9b918893c8814f86d2a0d ("USB: gadget:
validate endpoint index for xilinx udc"). That commit fixed the missing
endpoint index validation in udc-xilinx.c before accessing the endpoint
array, and was accepted into the kernel. I searched for similar patterns
in other UDC drivers and found that max3420_udc.c has the same issue -
MAX3420_MAX_EPS is only 4 while USB_ENDPOINT_NUMBER_MASK allows values
0-15, so both max3420_getstatus() and max3420_set_clear_feature() can
access udc->ep[] out of bounds without validation.

If there was a previous discussion about this specific driver that I
missed, I would appreciate a pointer to that thread.

Thanks,

Kery

On Thu, Jan 22, 2026 at 13:32, Greg KH <gregkh@...uxfoundation.org> wrote:
>
> On Thu, Jan 22, 2026 at 04:39:45AM +0800, Kery Qi wrote:
> > The max3420_getstatus() and max3420_set_clear_feature() functions use
> > the endpoint index from USB setup packet's wIndex field to access the
> > endpoint array. The index is masked with USB_ENDPOINT_NUMBER_MASK (0x0f),
> > which allows values 0-15, but the endpoint array (udc->ep) only has
> > MAX3420_MAX_EPS (4) elements.
> >
> > A malicious USB host can send a specially crafted control request with
> > an invalid endpoint index (>= 4) to trigger an out-of-bounds array access,
> > potentially leading to information disclosure or kernel memory corruption.
> >
> > Add validation to ensure the endpoint index is within bounds before
> > accessing the endpoint array.
>
> We've been through this before, please read the archives for the last
> time this was attempted to be submitted, and go and fix the tool you are
> using to find these.
>
> thanks,
>
> greg k-h
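
The index relationship described in the message above, as an added user-space example that is not part of the thread, the patch, or the driver source. The two constants carry the values stated in the thread; the `model_*` structures and functions are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdint.h>

/* Values as stated in the thread, redefined for a user-space model. */
#define USB_ENDPOINT_NUMBER_MASK 0x0f
#define MAX3420_MAX_EPS          4

/* Hypothetical stand-ins for the driver's structures (assumption). */
struct model_ep  { int halted; };
struct model_udc { struct model_ep ep[MAX3420_MAX_EPS]; };

/* Return the endpoint addressed by wIndex, or NULL when the masked
 * index does not fit the array. The mask alone leaves 0-15 possible. */
static struct model_ep *model_ep_from_windex(struct model_udc *udc, uint16_t wIndex)
{
    unsigned int id = wIndex & USB_ENDPOINT_NUMBER_MASK;

    if (id >= MAX3420_MAX_EPS)
        return NULL;
    return &udc->ep[id];
}

/* Model of an endpoint status request: 0 or 1 (halt state) on success,
 * -1 when the request is refused instead of indexing the array. */
static int model_get_ep_status(struct model_udc *udc, uint16_t wIndex)
{
    struct model_ep *ep = model_ep_from_windex(udc, wIndex);

    if (!ep)
        return -1;
    return ep->halted ? 1 : 0;
}

/* Count how many of the 16 maskable indices the check refuses. */
static int model_count_rejected(struct model_udc *udc)
{
    int rejected = 0;

    for (uint16_t i = 0; i <= USB_ENDPOINT_NUMBER_MASK; i++)
        if (model_get_ep_status(udc, i) < 0)
            rejected++;
    return rejected;
}

int main(void)
{
    struct model_udc udc = { 0 };

    return model_count_rejected(&udc) == 12 ? 0 : 1;
}
```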
