[PATCH OLK-6.6] usb: gadget: aspeed_udc: validate endpoint index for ast udc

9 Oct 2024

From: Ma Ke make24@iscas.ac.cn
stable inclusion
from stable-v6.6.51
commit b2a50ffdd1a079869a62198a8d1441355c513c7c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAU9NW
CVE: CVE-2024-46836
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit ee0d382feb44ec0f445e2ad63786cd7f3f6a8199 ]
We should verify the bound of the array to assure that host
may not manipulate the index to point past endpoint array.
Found by static analysis.
Signed-off-by: Ma Ke make24@iscas.ac.cn
Reviewed-by: Andrew Jeffery andrew@codeconstruct.com.au
Acked-by: Andrew Jeffery andrew@codeconstruct.com.au
Link: https://lore.kernel.org/r/20240625022306.2568122-1-make24@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Gu Bowen gubowen5@huawei.com
---
 drivers/usb/gadget/udc/aspeed_udc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/gadget/udc/aspeed_udc.c b/drivers/usb/gadget/udc/aspeed_udc.c
index fc2ead0fe621..4868286574a1 100644
--- a/drivers/usb/gadget/udc/aspeed_udc.c
+++ b/drivers/usb/gadget/udc/aspeed_udc.c
@@ -1009,6 +1009,8 @@ static void ast_udc_getstatus(struct ast_udc_dev *udc)
    	break;
    case USB_RECIP_ENDPOINT:
    	epnum = crq.wIndex & USB_ENDPOINT_NUMBER_MASK;
+		if (epnum >= AST_UDC_NUM_ENDPOINTS)
+			goto stall;
    	status = udc->ep[epnum].stopped;
    	break;
    default:
-- 
2.25.1


    

2024

2023

2022

2021

2020

2019

[PATCH OLK-6.6] usb: gadget: aspeed_udc: validate endpoint index for ast udc