1. Patchew
  2. linux
  3. View series

[PATCH] USB: gadget: max3420: validate endpoint index for max3420 udc

Kery Qi posted 1 patch 1 month ago 
drivers/usb/gadget/udc/max3420_udc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
[PATCH] USB: gadget: max3420: validate endpoint index for max3420 udc
Posted by Kery Qi 1 month ago 
Assure that the host may not manipulate the index to point past the
endpoint array.

In max3420_getstatus(), the driver uses the wIndex value from the
setup packet to obtain the endpoint index. However, there is no
check to ensure this index is within the valid bounds of the
udc->ep[] array.

A malicious host could send a USB_REQ_GET_STATUS request with a
large endpoint index, leading to an out-of-bounds memory access.

This patch adds a validation check against MAX3420_MAX_EPS. If the
endpoint index is invalid, the request is stalled.

Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
---
 drivers/usb/gadget/udc/max3420_udc.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/udc/max3420_udc.c b/drivers/usb/gadget/udc/max3420_udc.c
index 7349ea774adf..ac11ddf3fcbc 100644
--- a/drivers/usb/gadget/udc/max3420_udc.c
+++ b/drivers/usb/gadget/udc/max3420_udc.c
@@ -548,7 +548,11 @@ static void max3420_getstatus(struct max3420_udc *udc)
 			goto stall;
 		break;
 	case USB_RECIP_ENDPOINT:
-		ep = &udc->ep[udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK];
+		u8 epnum = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK;
+
+		if (epnum >= MAX3420_MAX_EPS)
+			goto stall;
+		ep = &udc->ep[epnum];
 		if (udc->setup.wIndex & USB_DIR_IN) {
 			if (!ep->ep_usb.caps.dir_in)
 				goto stall;
-- 
2.34.1
Re: [PATCH] USB: gadget: max3420: validate endpoint index for max3420 udc
Posted by Greg KH 3 weeks ago 
On Mon, Jan 05, 2026 at 04:02:43PM +0800, Kery Qi wrote:
> Assure that the host may not manipulate the index to point past the
> endpoint array.
> 
> In max3420_getstatus(), the driver uses the wIndex value from the
> setup packet to obtain the endpoint index. However, there is no
> check to ensure this index is within the valid bounds of the
> udc->ep[] array.
> 
> A malicious host could send a USB_REQ_GET_STATUS request with a
> large endpoint index, leading to an out-of-bounds memory access.
> 
> This patch adds a validation check against MAX3420_MAX_EPS. If the
> endpoint index is invalid, the request is stalled.
> 
> Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
> ---
>  drivers/usb/gadget/udc/max3420_udc.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/gadget/udc/max3420_udc.c b/drivers/usb/gadget/udc/max3420_udc.c
> index 7349ea774adf..ac11ddf3fcbc 100644
> --- a/drivers/usb/gadget/udc/max3420_udc.c
> +++ b/drivers/usb/gadget/udc/max3420_udc.c
> @@ -548,7 +548,11 @@ static void max3420_getstatus(struct max3420_udc *udc)
>  			goto stall;
>  		break;
>  	case USB_RECIP_ENDPOINT:
> -		ep = &udc->ep[udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK];
> +		u8 epnum = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK;
> +
> +		if (epnum >= MAX3420_MAX_EPS)
> +			goto stall;
> +		ep = &udc->ep[epnum];
>  		if (udc->setup.wIndex & USB_DIR_IN) {
>  			if (!ep->ep_usb.caps.dir_in)
>  				goto stall;
> -- 
> 2.34.1
> 

You didn't use scripts/get_maintainer.pl to determine what list to send
this to :(

Anyway, if you have a malicious USB host, then don't bind to it, we
implicitly trust hosts in the kernel.  Also, I don't think that this
will protect anything here, see the thread on the linux-usb list in the
past when this has come up:
	https://lore.kernel.org/r/20250629201324.30726-4-eeodqql09@gmail.com

thanks,

greg k-h

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.