From: pip-izony <eeodqql09@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Kyungtae Kim <Kyungtae.Kim@dartmouth.edu>,
Jassi Brar <jaswinder.singh@linaro.org>,
Felipe Balbi <balbi@kernel.org>,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH v2 1/2] usb: gadget: max3420_udc: Fix out-of-bounds endpoint index access
Date: Sun, 13 Jul 2025 12:05:40 -0400
Message-ID: <20250713160540.125960-1-eeodqql09@gmail.com>
In-Reply-To: <2025063044-uninvited-simplify-0420@gregkh>

> Also, you sent 2 patches, with identical subject lines, but they did
> different things. That's not ok as you know.

My apologies for the mistake. I will separate them properly in the
next version of the patch series.

> And I think you really need to test this on hardware. How could that
> request ever have a windex set to greater than 3? Is that a hardware
> value or a user-controlled value?

The wIndex field of a SETUP packet is sent by the USB host and can
be controlled by a malicious or malformed host.

This same class of vulnerability was identified and fixed in other
UDC drivers, as described in CVE-2022-27223 and fixed in the xilinx
UDC driver by commit 7f14c7227f34 ("USB: gadget: validate endpoint
index for xilinx udc").

Following this established pattern, I added the necessary bounds
check to the max3420_udc driver before wIndex is used to access
the endpoint array.

Thank you.

Seungjin Bae
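
The bounds check discussed in the message above, as an added user-space example that is not part of the original message or the max3420_udc source. It assumes a four-entry endpoint array (indices 0..3, per the quoted question) and that the endpoint number is taken from the low four bits of wIndex; all identifiers are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model; every name here is hypothetical, not driver code. */
#define MODEL_MAX_EPS   4     /* assumed: endpoints 0..3 */
#define EP_NUMBER_MASK  0x0f  /* endpoint number: low 4 bits of wIndex */
#define RECIP_MASK      0x1f  /* recipient field of bmRequestType */
#define RECIP_ENDPOINT  0x02
#define REQ_GET_STATUS  0x00

struct model_ep { int halted; };
struct model_udc { struct model_ep ep[MODEL_MAX_EPS]; };

/* wIndex is little-endian at bytes 4..5 of the 8-byte SETUP packet. */
static uint16_t setup_windex(const uint8_t setup[8])
{
    return (uint16_t)(setup[4] | (setup[5] << 8));
}

/* Masking alone still allows 0..15, so compare against the array size. */
static struct model_ep *ep_from_windex(struct model_udc *udc, uint16_t windex)
{
    unsigned int idx = windex & EP_NUMBER_MASK;

    if (idx >= MODEL_MAX_EPS)
        return NULL;            /* host asked for an endpoint we do not have */
    return &udc->ep[idx];
}

/* GET_STATUS(endpoint): returns the halt bit, or -1 meaning "stall EP0". */
static int handle_get_status(struct model_udc *udc, const uint8_t setup[8])
{
    struct model_ep *ep;

    if (setup[1] != REQ_GET_STATUS || (setup[0] & RECIP_MASK) != RECIP_ENDPOINT)
        return -1;
    ep = ep_from_windex(udc, setup_windex(setup));
    return ep ? ep->halted : -1;
}

int main(void)
{
    struct model_udc udc = { .ep = { {0}, {0}, {1}, {0} } };
    /* Constructed SETUP packets: GET_STATUS to an endpoint, wIndex 2 and 15. */
    const uint8_t in_range[8] = { 0x82, 0x00, 0, 0, 0x02, 0x00, 2, 0 };
    const uint8_t too_big[8]  = { 0x82, 0x00, 0, 0, 0x0f, 0x00, 2, 0 };

    printf("wIndex=2  -> %d\n", handle_get_status(&udc, in_range));
    printf("wIndex=15 -> %d\n", handle_get_status(&udc, too_big));
    return 0;
}
```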

Thread overview: 5+ messages
2025-06-29 20:13 [PATCH] usb: gadget: max3420_udc: Fix out-of-bounds endpoint index access Seungjin Bae
2025-06-29 21:49 ` [PATCH v2 1/2] " Seungjin Bae
2025-06-30 4:56 ` Greg Kroah-Hartman
2025-07-13 16:05 ` pip-izony [this message]
2025-06-29 21:49 ` [PATCH v2 2/2] " Seungjin Bae