Date: Fri, 16 Jan 2026 16:27:18 +0100
From: Greg KH
To: Kery Qi
Cc: linux-kernel@vger.kernel.org
Subject: Re: [PATCH] USB: gadget: max3420: validate endpoint index for max3420 udc
Message-ID: <2026011619-creatable-suspend-d030@gregkh>
In-Reply-To: <20260105080241.1261-3-qikeyu2017@gmail.com>

On Mon, Jan 05, 2026 at 04:02:43PM +0800, Kery Qi wrote:
> Assure that the host may not manipulate the index to point past the
> endpoint array.
>
> In max3420_getstatus(), the driver uses the wIndex value from the
> setup packet to obtain the endpoint index. However, there is no
> check to ensure this index is within the valid bounds of the
> udc->ep[] array.
>
> A malicious host could send a USB_REQ_GET_STATUS request with a
> large endpoint index, leading to an out-of-bounds memory access.
>
> This patch adds a validation check against MAX3420_MAX_EPS. If the
> endpoint index is invalid, the request is stalled.
>
> Signed-off-by: Kery Qi
> --- > drivers/usb/gadget/udc/max3420_udc.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/gadget/udc/max3420_udc.c b/drivers/usb/gadget/udc/max3420_udc.c > index 7349ea774adf..ac11ddf3fcbc 100644 > --- a/drivers/usb/gadget/udc/max3420_udc.c > +++ b/drivers/usb/gadget/udc/max3420_udc.c 
> @@ -548,7 +548,11 @@ static void max3420_getstatus(struct max3420_udc *udc) > goto stall; > break; > case USB_RECIP_ENDPOINT: > - ep = &udc->ep[udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK]; > + u8 epnum = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK; > + > + if (epnum >= MAX3420_MAX_EPS) > + goto stall; > + ep = &udc->ep[epnum]; > if (udc->setup.wIndex & USB_DIR_IN) { > if (!ep->ep_usb.caps.dir_in) > goto stall; > -- > 2.34.1 >

You didn't use scripts/get_maintainer.pl to determine what list to send
this to :(

Anyway, if you have a malicious USB host, then don't bind to it, we
implicitly trust hosts in the kernel.

Also, I don't think that this will protect anything here, see the thread
on the linux-usb list in the past when this has come up:
	https://lore.kernel.org/r/20250629201324.30726-4-eeodqql09@gmail.com

thanks,

greg k-h
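Review bot: The new `u8 epnum = ...` declaration sits directly after the `case USB_RECIP_ENDPOINT:` label. A declaration is not a statement in C before C23, so a label followed immediately by a declaration is rejected or warned about by compilers, and kernel style keeps declarations at the top of the block. Declare `u8 epnum;` with the other locals at the top of max3420_getstatus() and only assign it inside the case, or wrap the case body in braces. The commit message could also say how MAX3420_MAX_EPS compares with the 4-bit range that USB_ENDPOINT_NUMBER_MASK leaves in wIndex, so a reader can see which index values the new `goto stall` actually rejects.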