From: Kery Qi
To: gregkh@linuxfoundation.org
Cc: linux-kernel@vger.kernel.org, Kery Qi
Subject: [PATCH] USB: gadget: max3420: validate endpoint index in set_clear_feature
Date: Mon, 5 Jan 2026 16:14:02 +0800
Message-ID: <20260105081402.1287-2-qikeyu2017@gmail.com>
Content-Transfer-Encoding: quoted-printable

Assure that the host may not manipulate the index to point past the endpoint array.

In max3420_set_clear_feature(), the driver derives the endpoint index from the wIndex field of the setup packet. However, there is no check to ensure this index is within the valid bounds of the udc->ep[] array.

A malicious host could send a USB_REQ_SET_FEATURE or USB_REQ_CLEAR_FEATURE request with a large endpoint index, leading to an out-of-bounds memory access when accessing udc->ep[id].

This patch adds a validation check against MAX3420_MAX_EPS. If the endpoint index is invalid, we simply break the switch statement to invoke the existing error handling path.

Signed-off-by: Kery Qi
--- drivers/usb/gadget/udc/max3420_udc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/gadget/udc/max3420_udc.c b/drivers/usb/gadget/udc/= max3420_udc.c index ac11ddf3fcbc..f4f549d88d6d 100644 --- a/drivers/usb/gadget/udc/max3420_udc.c +++ b/drivers/usb/gadget/udc/max3420_udc.c @@ -600,6 +600,8 @@ static void max3420_set_clear_feature(struct max3420_ud= c *udc) break; =20 id =3D udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK; + if (id >=3D MAX3420_MAX_EPS) + break; ep =3D &udc->ep[id]; =20 spin_lock_irqsave(&ep->lock, flags); --=20 2.34.1
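
Review bot: The added `if (id >= MAX3420_MAX_EPS)` check runs after `id` has already been masked with USB_ENDPOINT_NUMBER_MASK, so the commit message's "large endpoint index" overstates the reach: the out-of-range values are limited to those between MAX3420_MAX_EPS and the mask's maximum, and the message should state that range so the impact of the `udc->ep[id]` access can be judged. The tag block carries only Signed-off-by; a fix for an out-of-bounds access should also have a Fixes: tag naming the commit that introduced the unchecked index, and a Cc: stable line if a backport is intended. The statement that `break` reaches "the existing error handling path" cannot be confirmed from the context lines shown in the hunk, so the message should say what the code after the switch does with the request.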