1. Patchew
  2. linux
  3. View series

[PATCH net] net: usb: pegasus: validate USB endpoints

Greg Kroah-Hartman posted 1 patch 1 month, 3 weeks ago 
drivers/net/usb/pegasus.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
[PATCH net] net: usb: pegasus: validate USB endpoints
Posted by Greg Kroah-Hartman 1 month, 3 weeks ago 
The pegasus driver should validate that the device it is probing has the
proper number and types of USB endpoints it is expecting before it binds
to it.  If a malicious device were to not have the same urbs the driver
will crash later on when it blindly accesses these endpoints.

Cc: Petko Manolov <petkan@nucleusys.com>
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_2000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/pegasus.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
index 4f539b5d509a..94c17fed0bd4 100644
--- a/drivers/net/usb/pegasus.c
+++ b/drivers/net/usb/pegasus.c
@@ -801,8 +801,19 @@ static void unlink_all_urbs(pegasus_t *pegasus)
 
 static int alloc_urbs(pegasus_t *pegasus)
 {
+	static const u8 bulk_ep_addr[] = {
+		1 | USB_DIR_IN,
+		2 | USB_DIR_OUT,
+		0};
+	static const u8 int_ep_addr[] = {
+		3 | USB_DIR_IN,
+		0};
 	int res = -ENOMEM;
 
+	if (!usb_check_bulk_endpoints(pegasus->intf, bulk_ep_addr) ||
+	    !usb_check_int_endpoints(pegasus->intf, int_ep_addr))
+		return -ENODEV;
+
 	pegasus->rx_urb = usb_alloc_urb(0, GFP_KERNEL);
 	if (!pegasus->rx_urb) {
 		return res;
@@ -1143,6 +1154,7 @@ static int pegasus_probe(struct usb_interface *intf,
 
 	pegasus = netdev_priv(net);
 	pegasus->dev_index = dev_index;
+	pegasus->intf = intf;
 
 	res = alloc_urbs(pegasus);
 	if (res < 0) {
@@ -1154,7 +1166,6 @@ static int pegasus_probe(struct usb_interface *intf,
 
 	INIT_DELAYED_WORK(&pegasus->carrier_check, check_carrier);
 
-	pegasus->intf = intf;
 	pegasus->usb = dev;
 	pegasus->net = net;
 
-- 
2.53.0
Re: [PATCH net] net: usb: pegasus: validate USB endpoints
Posted by Alan Stern 1 month, 3 weeks ago 
On Mon, Feb 23, 2026 at 01:58:48PM +0100, Greg Kroah-Hartman wrote:
> The pegasus driver should validate that the device it is probing has the
> proper number and types of USB endpoints it is expecting before it binds
> to it.  If a malicious device were to not have the same urbs the driver
> will crash later on when it blindly accesses these endpoints.
> 
> Cc: Petko Manolov <petkan@nucleusys.com>
> Cc: stable <stable@kernel.org>
> Assisted-by: gkh_clanker_2000
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---

This does much the same thing as

https://lore.kernel.org/linux-usb/20260222050633.410165-1-n7l8m4@u.northwestern.edu/T/#u

and that patch also removes some magic numbers.

BTW, what is gkh_clanker_2000?

Alan Stern

>  drivers/net/usb/pegasus.c | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
> index 4f539b5d509a..94c17fed0bd4 100644
> --- a/drivers/net/usb/pegasus.c
> +++ b/drivers/net/usb/pegasus.c
> @@ -801,8 +801,19 @@ static void unlink_all_urbs(pegasus_t *pegasus)
>  
>  static int alloc_urbs(pegasus_t *pegasus)
>  {
> +	static const u8 bulk_ep_addr[] = {
> +		1 | USB_DIR_IN,
> +		2 | USB_DIR_OUT,
> +		0};
> +	static const u8 int_ep_addr[] = {
> +		3 | USB_DIR_IN,
> +		0};
>  	int res = -ENOMEM;
>  
> +	if (!usb_check_bulk_endpoints(pegasus->intf, bulk_ep_addr) ||
> +	    !usb_check_int_endpoints(pegasus->intf, int_ep_addr))
> +		return -ENODEV;
> +
>  	pegasus->rx_urb = usb_alloc_urb(0, GFP_KERNEL);
>  	if (!pegasus->rx_urb) {
>  		return res;
> @@ -1143,6 +1154,7 @@ static int pegasus_probe(struct usb_interface *intf,
>  
>  	pegasus = netdev_priv(net);
>  	pegasus->dev_index = dev_index;
> +	pegasus->intf = intf;
>  
>  	res = alloc_urbs(pegasus);
>  	if (res < 0) {
> @@ -1154,7 +1166,6 @@ static int pegasus_probe(struct usb_interface *intf,
>  
>  	INIT_DELAYED_WORK(&pegasus->carrier_check, check_carrier);
>  
> -	pegasus->intf = intf;
>  	pegasus->usb = dev;
>  	pegasus->net = net;
>  
> -- 
> 2.53.0
> 
>
Re: [PATCH net] net: usb: pegasus: validate USB endpoints
Posted by Greg Kroah-Hartman 1 month, 3 weeks ago 
On Mon, Feb 23, 2026 at 09:39:52AM -0500, Alan Stern wrote:
> On Mon, Feb 23, 2026 at 01:58:48PM +0100, Greg Kroah-Hartman wrote:
> > The pegasus driver should validate that the device it is probing has the
> > proper number and types of USB endpoints it is expecting before it binds
> > to it.  If a malicious device were to not have the same urbs the driver
> > will crash later on when it blindly accesses these endpoints.
> > 
> > Cc: Petko Manolov <petkan@nucleusys.com>
> > Cc: stable <stable@kernel.org>
> > Assisted-by: gkh_clanker_2000
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > ---
> 
> This does much the same thing as
> 
> https://lore.kernel.org/linux-usb/20260222050633.410165-1-n7l8m4@u.northwestern.edu/T/#u
> 
> and that patch also removes some magic numbers.

Yes it does, that's a much nicer patch than mine.

> BTW, what is gkh_clanker_2000?

A hacked up system of tools/scripts I'm running here to find stuff like
"take this previously applied commit that fixed a problem, does the same
pattern need to be also done anywhere else in the tree"?  It finds a lot
of stuff and then I sift through it and see if anything is actually real
or not and if so, make up a patch for it.  It was my "merge window is
giving me a respite from reviewing patches" hobby project this past
week.

Now if I was really good, I could turn the output into a coccinelle
script, as this is just simple patterns.

Also it seems that we aren't running the coccinelle scripts anymore, as
many things it has found are already covered by that, I wonder why that
is...

thanks,

greg k-h
Re: [PATCH net] net: usb: pegasus: validate USB endpoints
Posted by Alan Stern 1 month, 3 weeks ago 
On Mon, Feb 23, 2026 at 03:54:30PM +0100, Greg Kroah-Hartman wrote:
> On Mon, Feb 23, 2026 at 09:39:52AM -0500, Alan Stern wrote:
> > BTW, what is gkh_clanker_2000?
> 
> A hacked up system of tools/scripts I'm running here to find stuff like
> "take this previously applied commit that fixed a problem, does the same
> pattern need to be also done anywhere else in the tree"?  It finds a lot
> of stuff and then I sift through it and see if anything is actually real
> or not and if so, make up a patch for it.  It was my "merge window is
> giving me a respite from reviewing patches" hobby project this past
> week.
> 
> Now if I was really good, I could turn the output into a coccinelle
> script, as this is just simple patterns.

It's a little surprising that nobody has asked an AI to do this sort of 
thing yet (as far as I know).  It's hard to say whether the results 
would be better than you get with your hacked-up system of 
tools/scripts, but it might be.

Alan Stern

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.