[PATCH] USB: gadget: validate endpoint index for max3420 udc

From: Kery Qi

Date: Wed Jan 21 2026 - 15:50:38 EST


The max3420_getstatus() and max3420_set_clear_feature() functions use
the endpoint index from the USB setup packet's wIndex field to access the
endpoint array. The index is masked with USB_ENDPOINT_NUMBER_MASK (0x0f),
which allows values 0-15, but the endpoint array (udc->ep) only has
MAX3420_MAX_EPS (4) elements.

A malicious USB host can send a specially crafted control request with
an invalid endpoint index (>= 4) to trigger an out-of-bounds array access,
potentially leading to information disclosure or kernel memory corruption.

Add validation to ensure the endpoint index is within bounds before
accessing the endpoint array.

Fixes: 48ba02b2e2b1a ("usb: gadget: add udc driver for max3420")
Signed-off-by: Kery Qi <qikeyu2017@xxxxxxxxx>
---
drivers/usb/gadget/udc/max3420_udc.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/drivers/usb/gadget/udc/max3420_udc.c b/drivers/usb/gadget/udc/max3420_udc.c
index 7349ea774adf..9d183a986380 100644
--- a/drivers/usb/gadget/udc/max3420_udc.c
+++ b/drivers/usb/gadget/udc/max3420_udc.c
@@ -548,6 +548,9 @@ static void max3420_getstatus(struct max3420_udc *udc)
goto stall;
break;
case USB_RECIP_ENDPOINT:
+ if ((udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK)
+ >= MAX3420_MAX_EPS)
+ goto stall;
ep = &udc->ep[udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK];
if (udc->setup.wIndex & USB_DIR_IN) {
if (!ep->ep_usb.caps.dir_in)
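
Review bot: The added check in the USB_RECIP_ENDPOINT case evaluates `udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK` once for the bounds test and again on the next line for the array index, and the condition is wrapped awkwardly across two lines. Consider storing the masked value in a local once, as max3420_set_clear_feature() already does with `id`, then testing `id >= MAX3420_MAX_EPS` and indexing `udc->ep[id]`, so the value that is checked is visibly the value that is used.
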
@@ -596,6 +599,8 @@ static void max3420_set_clear_feature(struct max3420_udc *udc)
break;

id = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK;
+ if (id >= MAX3420_MAX_EPS)
+ break;
ep = &udc->ep[id];

spin_lock_irqsave(&ep->lock, flags);
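
Review bot: The out-of-range case after `id = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK;` exits with `break`, while the same condition in max3420_getstatus() exits with `goto stall`. The lines shown here do not reveal what runs after the `break`; if that path does not stall the control endpoint, the host gets no protocol-level error for a request that names a nonexistent endpoint. Please either stall here as well or say in the commit message why `break` is the correct exit for this path.
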
--
2.34.1