public inbox for linux-arm-kernel@lists.infradead.org
From: Greg KH <gregkh@linuxfoundation.org>
To: Sergio Perez Gonzalez <sperezglz@gmail.com>
Cc: michal.simek@amd.com, linux-usb@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org, shuah@kernel.org
Subject: Re: [PATCH] usb: gadget: udc-xilinx: validate ep number before indexing rambase[]
Date: Sat, 28 Jun 2025 17:04:53 +0200
Message-ID: <2025062834-botanist-crop-4aec@gregkh>
In-Reply-To: <20250627060125.176663-1-sperezglz@gmail.com>

On Fri, Jun 27, 2025 at 12:01:22AM -0600, Sergio Perez Gonzalez wrote:
> Issue flagged by Coverity. The size of the rambase array is 8,
> usb_endpoint_num() can return 0 to 15, prevent out of bounds reads.

But how can that happen with this hardware?  As the array states, this
hardware only has that many endpoints available to it, so how can it ever
be larger?

> Link: https://scan7.scan.coverity.com/#/project-view/53936/11354?selectedIssue=1644635
> Signed-off-by: Sergio Perez Gonzalez <sperezglz@gmail.com>

What commit id does this fix?


> ---
>  drivers/usb/gadget/udc/udc-xilinx.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/usb/gadget/udc/udc-xilinx.c b/drivers/usb/gadget/udc/udc-xilinx.c
> index 8d803a612bb1..0c3714de2e3b 100644
> --- a/drivers/usb/gadget/udc/udc-xilinx.c
> +++ b/drivers/usb/gadget/udc/udc-xilinx.c
> @@ -814,6 +814,12 @@ static int __xudc_ep_enable(struct xusb_ep *ep,
>  	ep->is_in = ((desc->bEndpointAddress & USB_DIR_IN) != 0);
>  	/* Bit 3...0:endpoint number */
>  	ep->epnumber = usb_endpoint_num(desc);
> +	if (ep->epnumber >= XUSB_MAX_ENDPOINTS) {
> +		dev_dbg(udc->dev, "bad endpoint index %d: only 0 to %d supported\n",
> +				ep->epnumber, (XUSB_MAX_ENDPOINTS - 1));
> +		return -EINVAL;
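
Review bot: in the added lines of __xudc_ep_enable(), the range check runs only after ep->epnumber = usb_endpoint_num(desc) has been stored (and after ep->is_in is set), so the -EINVAL path returns with an out-of-range value left in ep->epnumber. Consider reading usb_endpoint_num(desc) into a local, comparing it against XUSB_MAX_ENDPOINTS, and assigning ep->epnumber and ep->is_in only once it passes, so a rejected descriptor leaves the endpoint state untouched. The rejection is also reported with dev_dbg(), which is silent unless debugging is enabled; if an out-of-range endpoint number is worth rejecting, dev_err() would make the failure visible.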

Any hints as to how this was tested?

thanks,

greg k-h


Thread overview: 4+ messages
2025-06-27  6:01 [PATCH] usb: gadget: udc-xilinx: validate ep number before indexing rambase[] Sergio Perez Gonzalez
2025-06-28 15:04 ` Greg KH [this message]
2025-06-30 20:20   ` Sergio Pérez
2025-07-01  8:43     ` Greg KH
