Commit 4df36a66 authored Oct 09, 2024 by Ma Ke Committed by Gu Bowen Oct 09, 2024

usb: gadget: aspeed_udc: validate endpoint index for ast udc

stable inclusion
from stable-v6.6.51
commit b2a50ffdd1a079869a62198a8d1441355c513c7c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAU9NW
CVE: CVE-2024-46836

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b2a50ffdd1a079869a62198a8d1441355c513c7c



--------------------------------

[ Upstream commit ee0d382feb44ec0f445e2ad63786cd7f3f6a8199 ]

We should verify the bound of the array to assure that host
may not manipulate the index to point past endpoint array.

Found by static analysis.

Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Reviewed-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Acked-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Link: https://lore.kernel.org/r/20240625022306.2568122-1-make24@iscas.ac.cn


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Gu Bowen <gubowen5@huawei.com>

parent e826278e

drivers/usb/gadget/udc/aspeed_udc.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -1009,6 +1009,8 @@ static void ast_udc_getstatus(struct ast_udc_dev *udc)
		break;
		case USB_RECIP_ENDPOINT:
		epnum = crq.wIndex & USB_ENDPOINT_NUMBER_MASK;
		if (epnum >= AST_UDC_NUM_ENDPOINTS)
		goto stall;
		status = udc->ep[epnum].stopped;
		break;
		default: