This is a note to let you know that I've just added the patch titled
usb: gadget: aspeed_udc: validate endpoint index for ast udc
to the 6.6-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
usb-gadget-aspeed_udc-validate-endpoint-index-for-as.patch
and it can be found in the queue-6.6 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit 64e49138203e7e0610d964bfd9ed087f674330b6
Author: Ma Ke <make24@xxxxxxxxxxx>
Date: Tue Jun 25 10:23:06 2024 +0800
usb: gadget: aspeed_udc: validate endpoint index for ast udc
[ Upstream commit ee0d382feb44ec0f445e2ad63786cd7f3f6a8199 ]
We should verify the bound of the array to assure that host
may not manipulate the index to point past endpoint array.
Found by static analysis.
Signed-off-by: Ma Ke <make24@xxxxxxxxxxx>
Reviewed-by: Andrew Jeffery <andrew@xxxxxxxxxxxxxxxxxxxx>
Acked-by: Andrew Jeffery <andrew@xxxxxxxxxxxxxxxxxxxx>
Link: https://lore.kernel.org/r/20240625022306.2568122-1-make24@xxxxxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/drivers/usb/gadget/udc/aspeed_udc.c b/drivers/usb/gadget/udc/aspeed_udc.c
index fc2ead0fe621..4868286574a1 100644
--- a/drivers/usb/gadget/udc/aspeed_udc.c
+++ b/drivers/usb/gadget/udc/aspeed_udc.c
@@ -1009,6 +1009,8 @@ static void ast_udc_getstatus(struct ast_udc_dev *udc)
break;
case USB_RECIP_ENDPOINT:
epnum = crq.wIndex & USB_ENDPOINT_NUMBER_MASK;
+ if (epnum >= AST_UDC_NUM_ENDPOINTS)
+ goto stall;
status = udc->ep[epnum].stopped;
break;
default:
