Re: [PATCH] usb: xhci: fix potential divide-by-zero in xhci_urb_enqueue()

From: Alan Stern

Date: Sat Jan 10 2026 - 17:08:21 EST


On Sat, Jan 10, 2026 at 01:34:21PM -0500, pip-izony wrote:
> From: Seungjin Bae <eeodqql09@xxxxxxxxx>
>
> `xhci_urb_enqueue()` validates Bulk OUT transfers by checking if the
> buffer length is a multiple of the packet size. However, it doesn't check
> whether the endpoint's `wMaxPacketSize` is zero before using it as a
> divisor in a modulo operation.
>
> If a malicious USB device sends a descriptor with `wMaxPacketSize` set to
> 0, it triggers a divide-by-zero exception (kernel panic). This allows an
> attacker with physical access to crash the system, leading to a Denial of
> Service.

How did you become aware of this problem?

> Fix this by adding a check to ensure `wMaxPacketSize` is greater than 0
> before performing the modulo operation.

Not necessary. This can never happen, because transfers to or from
endpoints with wMaxPacketSize set to 0 are rejected in usb_submit_urb()
with error code -EMSGSIZE.

Alan Stern
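
The ordering this reply relies on, as a simplified user-space model added here for illustration; it is not code from the kernel or from the patch. All `model_*` names are hypothetical, and the 11-bit packet-size mask is an assumption taken from the USB endpoint descriptor layout.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins for the endpoint descriptor and the URB. */
struct model_ep  { uint16_t wMaxPacketSize; };
struct model_urb { const struct model_ep *ep; uint32_t transfer_buffer_length; };

/* Assumption: bits 10..0 of wMaxPacketSize carry the packet size. */
static unsigned int model_endpoint_maxp(const struct model_ep *ep)
{
    return ep->wMaxPacketSize & 0x07ffu;
}

/*
 * Host-controller layer: uses the packet size as a divisor, as the
 * commit message describes. Safe only if the caller has already
 * rejected a zero packet size.
 * Returns 1 if the length is a multiple of the packet size, else 0.
 */
static int model_hcd_enqueue(const struct model_urb *urb)
{
    unsigned int maxp = model_endpoint_maxp(urb->ep);

    return (urb->transfer_buffer_length % maxp) == 0;
}

/*
 * Submission layer: every transfer passes through here first, so a
 * zero packet size is refused with -EMSGSIZE before the divisor is
 * ever used.
 */
static int model_submit_urb(const struct model_urb *urb)
{
    if (urb == NULL || urb->ep == NULL)
        return -EINVAL;
    if (model_endpoint_maxp(urb->ep) == 0)
        return -EMSGSIZE;
    return model_hcd_enqueue(urb);
}
```

In this model a descriptor value of 0x0800 is also refused, because only the masked size bits are compared against zero.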