Similar to the max3420_set_clear_feature() function, the max3420_getstatus() function also fails to validate the endpoint index from wIndex before using it to access the udc->ep array.
The udc->ep array is initialized to handle 4 endpoints, but the index derived from `wIndex & USB_ENDPOINT_NUMBER_MASK` can be up to 15. This can lead to an out-of-bounds access, causing memory corruption or a potential kernel crash. This bug was found by code inspection and has not been tested on hardware.
Fixes: 48ba02b2e2b1a ("usb: gadget: add udc driver for max3420")
Cc: stable@vger.kernel.org
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
v1 -> v2: Added a second patch to fix an out-of-bounds bug in the max3420_getstatus() function.
drivers/usb/gadget/udc/max3420_udc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/udc/max3420_udc.c b/drivers/usb/gadget/udc/max3420_udc.c index e4ecc7f7f3be..ff6c7f9d71d8 100644 --- a/drivers/usb/gadget/udc/max3420_udc.c +++ b/drivers/usb/gadget/udc/max3420_udc.c @@ -536,6 +536,7 @@ static void max3420_getstatus(struct max3420_udc *udc) { struct max3420_ep *ep; u16 status = 0; + int id;
switch (udc->setup.bRequestType & USB_RECIP_MASK) { case USB_RECIP_DEVICE: @@ -548,7 +549,10 @@ static void max3420_getstatus(struct max3420_udc *udc) goto stall; break; case USB_RECIP_ENDPOINT: - ep = &udc->ep[udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK]; + id = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK; + if (id >= MAX3420_MAX_EPS) + goto stall; + ep = &udc->ep[id]; if (udc->setup.wIndex & USB_DIR_IN) { if (!ep->ep_usb.caps.dir_in) goto stall;
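Review bot: the new bound in the USB_RECIP_ENDPOINT hunk, `if (id >= MAX3420_MAX_EPS) goto stall;`, is only a complete fix if `udc->ep` is declared with exactly MAX3420_MAX_EPS entries; the commit message says the array holds 4 endpoints, so please confirm the macro matches that size, or use `ARRAY_SIZE(udc->ep)` as the bound so the check cannot drift from the array declaration. Since the value is a 16-bit wIndex masked with USB_ENDPOINT_NUMBER_MASK, declaring `id` as `unsigned int` or `u8` rather than `int` would make the non-negative range explicit and lets the compiler flag a mismatched comparison. As the cover note says this mirrors the check added to max3420_set_clear_feature() in the first patch of the series, the two call sites should use the identical bound expression so both paths stall on the same out-of-range indices.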