Re: [PATCH v2 1/2] usb: gadget: max3420_udc: Fix out-of-bounds endpoint index access

From: Greg Kroah-Hartman
Date: Mon Jun 30 2025 - 00:56:22 EST

Next message: Li Ming: "Re: [PATCH 2/2] cxl/core: Add a helper function to check dpa availability"
Previous message: Chen-Yu Tsai: "Re: [PATCH 2/6] thermal/drivers/sun8i: replace devm_reset_control_get to shared"
In reply to: Seungjin Bae: "[PATCH v2 1/2] usb: gadget: max3420_udc: Fix out-of-bounds endpoint index access"
Next in thread: Seungjin Bae: "[PATCH v2 2/2] usb: gadget: max3420_udc: Fix out-of-bounds endpoint index access"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, Jun 29, 2025 at 05:49:45PM -0400, Seungjin Bae wrote:
> In the max3420_set_clear_feature() function, the endpoint index `id` can have a value from 0 to 15.
> However, the udc->ep array is initialized with a maximum of 4 endpoints in max3420_eps_init().
> If host sends a request with a wIndex greater than 3, the access to `udc->ep[id]` will go out-of-bounds,
> leading to memory corruption or a potential kernel crash.
> This bug was found by code inspection and has not been tested on hardware.

Please wrap your lines at 72 columns.

Also, you sent 2 patches, with identical subject lines, but they did
different things. That's not ok as you know.

And I think you really need to test this on hardware. How could that
request ever have a windex set to greater than 3? Is that a hardware
value or a user-controlled value?

thanks,

greg k-h

Next message: Li Ming: "Re: [PATCH 2/2] cxl/core: Add a helper function to check dpa availability"
Previous message: Chen-Yu Tsai: "Re: [PATCH 2/6] thermal/drivers/sun8i: replace devm_reset_control_get to shared"
In reply to: Seungjin Bae: "[PATCH v2 1/2] usb: gadget: max3420_udc: Fix out-of-bounds endpoint index access"
Next in thread: Seungjin Bae: "[PATCH v2 2/2] usb: gadget: max3420_udc: Fix out-of-bounds endpoint index access"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]