tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

usb: gadget: renesas_usb3: validate endpoint index in standard request handlers

The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint
number from the host-supplied wIndex without any sort of validation.
Fix this up by validating the number of endpoints actually match up with
the number the device has before attempting to dereference a pointer
based on this math.

This is just like what was done in commit ee0d382feb44 ("usb: gadget:
aspeed_udc: validate endpoint index for ast udc") for the aspeed driver.

Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller")
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Link: https://patch.msgid.link/2026040647-sincerity-untidy-b104@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Greg Kroah-Hartman f880aac8 274875f7

+6 -1
+6 -1
drivers/usb/gadget/udc/renesas_usb3.c
··· 1669 1669 break; 1670 1670 case USB_RECIP_ENDPOINT: 1671 1671 num = le16_to_cpu(ctrl->wIndex) & USB_ENDPOINT_NUMBER_MASK; 1672 + if (num >= usb3->num_usb3_eps) { 1673 + stall = true; 1674 + break; 1675 + } 1672 1676 usb3_ep = usb3_get_ep(usb3, num); 1673 1677 if (usb3_ep->halt) 1674 1678 status |= 1 << USB_ENDPOINT_HALT; ··· 1785 1781 struct renesas_usb3_ep *usb3_ep; 1786 1782 struct renesas_usb3_request *usb3_req; 1787 1783 1788 - if (le16_to_cpu(ctrl->wValue) != USB_ENDPOINT_HALT) 1784 + if ((le16_to_cpu(ctrl->wValue) != USB_ENDPOINT_HALT) || 1785 + (num >= usb3->num_usb3_eps)) 1789 1786 return true; /* stall */ 1790 1787 1791 1788 usb3_ep = usb3_get_ep(usb3, num);