Re: [PATCH] usb: xhci: fix potential divide-by-zero in xhci_urb_enqueue()
From: Mathias Nyman
Date: Mon Jan 12 2026 - 04:30:25 EST
On 1/11/26 00:08, Alan Stern wrote:
> On Sat, Jan 10, 2026 at 01:34:21PM -0500, pip-izony wrote:
> > From: Seungjin Bae <eeodqql09@xxxxxxxxx>
> >
> > The `xhci_urb_enqueue()` validates Bulk OUT transfers by checking if the
> > buffer length is a multiple of the packet size. However, it doesn't check
> > whether the endpoint's `wMaxPacketSize` is zero before using it as a
> > divisor in a modulo operation.
> >
> > If a malicious USB device sends a descriptor with `wMaxPacketSize` set to
> > 0, it triggers a divide-by-zero exception (kernel panic). This allows an
> > attacker with physical access to crash the system, leading to a Denial of
> > Service.
>
> How did you become aware of this problem?
>
> > Fix this by adding a check to ensure `wMaxPacketSize` is greater than 0
> > before performing the modulo operation.
>
> Not necessary. This can never happen, because transfers to or from
> endpoints with wMaxPacketSize set to 0 are rejected in usb_submit_urb()
> with error code -EMSGSIZE.

Only special embedded high-speed eUSB double isoch bandwidth devices can have
isoch endpoints with wMaxPacketSize set to zero.

This divide by zero case is only an issue for Bulk OUT endpoints, which as Alan
said, will be rejected by usb_submit_urb().

Thanks
Mathias
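
An added user-space C model (not kernel code and not part of the thread) of the ordering the replies describe: the core-layer check returns -EMSGSIZE for a zero packet size, so the host-controller modulo is never reached. The `model_*` names and the sample descriptors are hypothetical; the 11-bit size mask follows the USB 2.0 `wMaxPacketSize` layout, and the raw 0x0800 case goes slightly beyond what the thread discusses.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAXP_MASK 0x07ffu /* bits 10:0 of wMaxPacketSize carry the packet size */

/* Hypothetical stand-in for an endpoint descriptor: only the field used here. */
struct model_ep { uint8_t wMaxPacketSize[2]; /* little-endian, as on the wire */ };

/* Constructed sample descriptors, not captured from any device. */
static const struct model_ep EP_ZERO = { { 0x00, 0x00 } }; /* size 0 */
static const struct model_ep EP_MULT = { { 0x00, 0x08 } }; /* raw 0x0800, size bits 0 */
static const struct model_ep EP_BULK = { { 0x00, 0x02 } }; /* 512 bytes */

/* Decode the LE16 field and drop the non-size bits before any comparison. */
static int model_maxp(const struct model_ep *ep)
{
    return (ep->wMaxPacketSize[0] | (ep->wMaxPacketSize[1] << 8)) & MAXP_MASK;
}

/* Models the host-controller step named in the patch: the modulo on the
 * packet size. Returns 1 when len is a multiple of it, else 0.
 * Only safe to call with a non-zero packet size. */
static int model_hcd_enqueue(const struct model_ep *ep, unsigned int len)
{
    return (len % (unsigned int)model_maxp(ep)) == 0;
}

/* Models the core-layer gate from the replies: reject before the HCD runs. */
static int model_submit(const struct model_ep *ep, unsigned int len)
{
    if (model_maxp(ep) <= 0)
        return -EMSGSIZE;
    return model_hcd_enqueue(ep, len);
}

int main(void)
{
    printf("size 0:       %d\n", model_submit(&EP_ZERO, 1024));
    printf("raw 0x0800:   %d\n", model_submit(&EP_MULT, 1024));
    printf("512, len 1024: %d\n", model_submit(&EP_BULK, 1024));
    printf("512, len 1000: %d\n", model_submit(&EP_BULK, 1000));
    return 0;
}
```

The raw 0x0800 descriptor is non-zero as a 16-bit value but decodes to a packet size of 0, so a guard has to test the masked size rather than the raw field.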