From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E18631EB5E3 for ; Fri, 16 Jan 2026 15:27:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768577253; cv=none; b=puUWVpEBNIS1KhuZ5HPas9YDUaGgX77w6JDpQIjTF63bA4J5DgQhU39gQIfeFJYLyCktVTsF0p3g6sShjMnGzSm+hs27cHFUzJC65q1T+g6RSZzMf1DOdigbm29s+2hCfCS01hdWlOYL32gU+VRVs8nWlSmussUPoAW4oyXnwPI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768577253; c=relaxed/simple; bh=6nyHzxYBmsP9W1LJca+oimo4j2fYpamxZZwBGB12qho=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=peIkdM5QVaKaOMBzAfJ9ME1vvAfRvsEV7+0JBgyG8J2xiwEPGf0S7n5XkNX7ElBvIafkEOsZ0v1IupOqWvrf+7KXcKsFuQgoVUf20gdM9BHh5AM59zEG/p/NiO9JUp7OR59gbGZXHxHMK0rSlraN9qRjJcbbjagFO2g7PJNTUno= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=tBsbtjm5; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="tBsbtjm5" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 44AF9C16AAE; Fri, 16 Jan 2026 15:27:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1768577252; bh=6nyHzxYBmsP9W1LJca+oimo4j2fYpamxZZwBGB12qho=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=tBsbtjm5fznQkgnXNZ2s4SBf7liN38YZPiHAU1MWrq51E6Z9cqqaXZst2Vl1EwFgW UuGMWDw8ddE241bUmDAbUzebuwQi0ZtyDMhgpCJUqpIGlvJa5yLc27ti8eaMdnxes8 MJMTBwyNEPAZrXGumGX07DjuwXLK6TE3rhI3hstc= Date: Fri, 16 Jan 2026 16:27:30 +0100 From: Greg KH To: Kery Qi Cc: linux-kernel@vger.kernel.org Subject: Re: [PATCH] USB: gadget: max3420: validate endpoint index in set_clear_feature Message-ID: <2026011622-finalist-gleaming-d275@gregkh> References: <20260105081402.1287-2-qikeyu2017@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20260105081402.1287-2-qikeyu2017@gmail.com> On Mon, Jan 05, 2026 at 04:14:02PM +0800, Kery Qi wrote: > Assure that the host may not manipulate the index to point past the > endpoint array. > > In max3420_set_clear_feature(), the driver derives the endpoint > index from the wIndex field of the setup packet. However, there is > no check to ensure this index is within the valid bounds of the > udc->ep[] array. > > A malicious host could send a USB_REQ_SET_FEATURE or > USB_REQ_CLEAR_FEATURE request with a large endpoint index, leading > to an out-of-bounds memory access when accessing udc->ep[id]. > > This patch adds a validation check against MAX3420_MAX_EPS. If the > endpoint index is invalid, we simply break the switch statement > to invoke the existing error handling path. > > Signed-off-by: Kery Qi > --- > drivers/usb/gadget/udc/max3420_udc.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/usb/gadget/udc/max3420_udc.c b/drivers/usb/gadget/udc/max3420_udc.c > index ac11ddf3fcbc..f4f549d88d6d 100644 > --- a/drivers/usb/gadget/udc/max3420_udc.c > +++ b/drivers/usb/gadget/udc/max3420_udc.c > @@ -600,6 +600,8 @@ static void max3420_set_clear_feature(struct max3420_udc *udc) > break; > > id = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK; > + if (id >= MAX3420_MAX_EPS) > + break; > ep = &udc->ep[id]; > > spin_lock_irqsave(&ep->lock, flags); > -- > 2.34.1 > Same problems here as your other patch :(