Commit 0678d4d7 authored Jun 28, 2023 by Ma Ke Committed by sanglipeng Mar 07, 2024

usb: gadget: fsl_qe_udc: validate endpoint index for ch9 udc

stable inclusion
from stable-v5.10.197
commit 6d3a1dd10537023b135d542d33f855d698dfed9b
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I96Q8P

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6d3a1dd10537023b135d542d33f855d698dfed9b



--------------------------------

[ Upstream commit ce9daa2e ]

We should verify the bound of the array to assure that host
may not manipulate the index to point past endpoint array.

Signed-off-by: Ma Ke <make_ruc2021@163.com>
Acked-by: Li Yang <leoyang.li@nxp.com>
Link: https://lore.kernel.org/r/20230628081511.186850-1-make_ruc2021@163.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>

parent 8d5daf0d

drivers/usb/gadget/udc/fsl_qe_udc.c

+5 −1

Original line number	Diff line number	Diff line
		@@ -1950,9 +1950,13 @@ static void ch9getstatus(struct qe_udc *udc, u8 request_type, u16 value,
		} else if ((request_type & USB_RECIP_MASK) == USB_RECIP_ENDPOINT) {
		/* Get endpoint status */
		int pipe = index & USB_ENDPOINT_NUMBER_MASK;
		struct qe_ep *target_ep = &udc->eps[pipe];
		struct qe_ep *target_ep;
		u16 usep;

		if (pipe >= USB_MAX_ENDPOINTS)
		goto stall;
		target_ep = &udc->eps[pipe];

		/* stall if endpoint doesn't exist */
		if (!target_ep->ep.desc)
		goto stall;