From: Kery Qi
To: gregkh@linuxfoundation.org
Cc: linux-kernel@vger.kernel.org, Kery Qi
Subject: [PATCH] USB: gadget: max3420: validate endpoint index for max3420 udc
Date: Mon, 5 Jan 2026 16:02:43 +0800
Message-ID: <20260105080241.1261-3-qikeyu2017@gmail.com>

Assure that the host may not manipulate the index to point past the endpoint array.

In max3420_getstatus(), the driver uses the wIndex value from the setup packet to obtain the endpoint index. However, there is no check to ensure this index is within the valid bounds of the udc->ep[] array. A malicious host could send a USB_REQ_GET_STATUS request with a large endpoint index, leading to an out-of-bounds memory access.

This patch adds a validation check against MAX3420_MAX_EPS. If the endpoint index is invalid, the request is stalled.

Signed-off-by: Kery Qi
--- drivers/usb/gadget/udc/max3420_udc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/usb/gadget/udc/max3420_udc.c b/drivers/usb/gadget/udc/= max3420_udc.c index 7349ea774adf..ac11ddf3fcbc 100644 --- a/drivers/usb/gadget/udc/max3420_udc.c +++ b/drivers/usb/gadget/udc/max3420_udc.c 
@@ -548,7 +548,11 @@ static void max3420_getstatus(struct max3420_udc *udc) goto stall; break; case USB_RECIP_ENDPOINT: - ep =3D &udc->ep[udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK]; + u8 epnum =3D udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK; + + if (epnum >=3D MAX3420_MAX_EPS) + goto stall; + ep =3D &udc->ep[epnum]; if (udc->setup.wIndex & USB_DIR_IN) { if (!ep->ep_usb.caps.dir_in) goto stall; --=20 2.34.1
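
Review bot: The new `u8 epnum = ...` declaration sits directly after the `case USB_RECIP_ENDPOINT:` label, which is not a valid labeled statement in C before C23; older compilers reject it and newer ones warn. Kernel style also keeps declarations at the start of a block. Declare `epnum` alongside the other locals at the top of max3420_getstatus() and leave only the assignment, the `if (epnum >= MAX3420_MAX_EPS)` check and `ep = &udc->ep[epnum];` under the case label, or wrap the case body in braces. The bounds check itself is placed correctly, before the first dereference of `ep`.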