| Message ID | 20220407150353.368455-1-cascardo@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | [SRU,Bionic/Focal/Impish] USB: gadget: validate endpoint index for xilinx udc | expand |
Acked-by: Bartlomiej Zolnierkiewicz <bartlomiej.zolnierkiewicz@canonical.com> On Thu, Apr 7, 2022 at 5:04 PM Thadeu Lima de Souza Cascardo <cascardo@canonical.com> wrote: > > From: Szymon Heidrich <szymon.heidrich@gmail.com> > > Assure that host may not manipulate the index to point > past endpoint array. > > Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com> > Cc: stable <stable@kernel.org> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > (cherry picked from commit 7f14c7227f342d9932f9b918893c8814f86d2a0d) > CVE-2022-27223 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- > drivers/usb/gadget/udc/udc-xilinx.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/usb/gadget/udc/udc-xilinx.c b/drivers/usb/gadget/udc/udc-xilinx.c > index 72f2ea062d55..283e86ed1433 100644 > --- a/drivers/usb/gadget/udc/udc-xilinx.c > +++ b/drivers/usb/gadget/udc/udc-xilinx.c > @@ -1612,6 +1612,8 @@ static void xudc_getstatus(struct xusb_udc *udc) > break; > case USB_RECIP_ENDPOINT: > epnum = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK; > + if (epnum >= XUSB_MAX_ENDPOINTS) > + goto stall; > target_ep = &udc->ep[epnum]; > epcfgreg = udc->read_fn(udc->addr + target_ep->offset); > halt = epcfgreg & XUSB_EP_CFG_STALL_MASK; > @@ -1679,6 +1681,10 @@ static void xudc_set_clear_feature(struct xusb_udc *udc) > case USB_RECIP_ENDPOINT: > if (!udc->setup.wValue) { > endpoint = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK; > + if (endpoint >= XUSB_MAX_ENDPOINTS) { > + xudc_ep0_stall(udc); > + return; > + } > target_ep = &udc->ep[endpoint]; > outinbit = udc->setup.wIndex & USB_ENDPOINT_DIR_MASK; > outinbit = outinbit >> 7; > -- > 2.32.0
Acked-by: Tim Gardner <tim.gardner@canonical.com> On 4/7/22 09:03, Thadeu Lima de Souza Cascardo wrote: > From: Szymon Heidrich <szymon.heidrich@gmail.com> > > Assure that host may not manipulate the index to point > past endpoint array. > > Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com> > Cc: stable <stable@kernel.org> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > (cherry picked from commit 7f14c7227f342d9932f9b918893c8814f86d2a0d) > CVE-2022-27223 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- > drivers/usb/gadget/udc/udc-xilinx.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/usb/gadget/udc/udc-xilinx.c b/drivers/usb/gadget/udc/udc-xilinx.c > index 72f2ea062d55..283e86ed1433 100644 > --- a/drivers/usb/gadget/udc/udc-xilinx.c > +++ b/drivers/usb/gadget/udc/udc-xilinx.c > @@ -1612,6 +1612,8 @@ static void xudc_getstatus(struct xusb_udc *udc) > break; > case USB_RECIP_ENDPOINT: > epnum = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK; > + if (epnum >= XUSB_MAX_ENDPOINTS) > + goto stall; > target_ep = &udc->ep[epnum]; > epcfgreg = udc->read_fn(udc->addr + target_ep->offset); > halt = epcfgreg & XUSB_EP_CFG_STALL_MASK; > @@ -1679,6 +1681,10 @@ static void xudc_set_clear_feature(struct xusb_udc *udc) > case USB_RECIP_ENDPOINT: > if (!udc->setup.wValue) { > endpoint = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK; > + if (endpoint >= XUSB_MAX_ENDPOINTS) { > + xudc_ep0_stall(udc); > + return; > + } > target_ep = &udc->ep[endpoint]; > outinbit = udc->setup.wIndex & USB_ENDPOINT_DIR_MASK; > outinbit = outinbit >> 7;
On 07.04.22 17:03, Thadeu Lima de Souza Cascardo wrote: > From: Szymon Heidrich <szymon.heidrich@gmail.com> > > Assure that host may not manipulate the index to point > past endpoint array. > > Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com> > Cc: stable <stable@kernel.org> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > (cherry picked from commit 7f14c7227f342d9932f9b918893c8814f86d2a0d) > CVE-2022-27223 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- Applied to impish,focal,bionic:linux/master-next. Thanks. -Stefan Note: Not sure what you did but I could not export and apply this from Thunderbird. > drivers/usb/gadget/udc/udc-xilinx.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/usb/gadget/udc/udc-xilinx.c b/drivers/usb/gadget/udc/udc-xilinx.c > index 72f2ea062d55..283e86ed1433 100644 > --- a/drivers/usb/gadget/udc/udc-xilinx.c > +++ b/drivers/usb/gadget/udc/udc-xilinx.c > @@ -1612,6 +1612,8 @@ static void xudc_getstatus(struct xusb_udc *udc) > break; > case USB_RECIP_ENDPOINT: > epnum = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK; > + if (epnum >= XUSB_MAX_ENDPOINTS) > + goto stall; > target_ep = &udc->ep[epnum]; > epcfgreg = udc->read_fn(udc->addr + target_ep->offset); > halt = epcfgreg & XUSB_EP_CFG_STALL_MASK; > @@ -1679,6 +1681,10 @@ static void xudc_set_clear_feature(struct xusb_udc *udc) > case USB_RECIP_ENDPOINT: > if (!udc->setup.wValue) { > endpoint = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK; > + if (endpoint >= XUSB_MAX_ENDPOINTS) { > + xudc_ep0_stall(udc); > + return; > + } > target_ep = &udc->ep[endpoint]; > outinbit = udc->setup.wIndex & USB_ENDPOINT_DIR_MASK; > outinbit = outinbit >> 7;
diff --git a/drivers/usb/gadget/udc/udc-xilinx.c b/drivers/usb/gadget/udc/udc-xilinx.c index 72f2ea062d55..283e86ed1433 100644 --- a/drivers/usb/gadget/udc/udc-xilinx.c +++ b/drivers/usb/gadget/udc/udc-xilinx.c @@ -1612,6 +1612,8 @@ static void xudc_getstatus(struct xusb_udc *udc) break; case USB_RECIP_ENDPOINT: epnum = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK; + if (epnum >= XUSB_MAX_ENDPOINTS) + goto stall; target_ep = &udc->ep[epnum]; epcfgreg = udc->read_fn(udc->addr + target_ep->offset); halt = epcfgreg & XUSB_EP_CFG_STALL_MASK; @@ -1679,6 +1681,10 @@ static void xudc_set_clear_feature(struct xusb_udc *udc) case USB_RECIP_ENDPOINT: if (!udc->setup.wValue) { endpoint = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK; + if (endpoint >= XUSB_MAX_ENDPOINTS) { + xudc_ep0_stall(udc); + return; + } target_ep = &udc->ep[endpoint]; outinbit = udc->setup.wIndex & USB_ENDPOINT_DIR_MASK; outinbit = outinbit >> 7;