[PATCH] Fix out of bound access of ep array.

[PATCH] Fix out of bound access of ep array.

[Alison Huffman]

When processing USB_REQ_CLEAR_FEATURE, USB_REQ_SET_FEATURE, and
USB_REQ_GET_STATUS packets in dwc2_ep0_setup an out of bounds access
can occur. This is caused by the wIndex field of the usb control packet
being used as an index into an array whose size is DWC2_MAX_ENDPOINTS (4).

Signed-off-by: Alison Huffman <alisn@google.com>
---

 drivers/usb/gadget/dwc2_udc_otg_xfer_dma.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/gadget/dwc2_udc_otg_xfer_dma.c b/drivers/usb/gadget/dwc2_udc_otg_xfer_dma.c
index f17009a29e..1c34b75351 100644
--- a/drivers/usb/gadget/dwc2_udc_otg_xfer_dma.c
+++ b/drivers/usb/gadget/dwc2_udc_otg_xfer_dma.c
@@ -890,7 +890,7 @@ static int dwc2_ep0_write(struct dwc2_udc *dev)
 static int dwc2_udc_get_status(struct dwc2_udc *dev,
 		struct usb_ctrlrequest *crq)
 {
-	u8 ep_num = crq->wIndex & 0x7F;
+	u8 ep_num = crq->wIndex & 0x3;
 	u16 g_status = 0;
 	u32 ep_ctrl;
 
@@ -1418,7 +1418,7 @@ static void dwc2_ep0_setup(struct dwc2_udc *dev)
 			break;
 
 		case USB_REQ_CLEAR_FEATURE:
-			ep_num = usb_ctrl->wIndex & 0x7f;
+			ep_num = usb_ctrl->wIndex & 0x3;
 
 			if (!dwc2_udc_clear_feature(&dev->ep[ep_num].ep))
 				return;
@@ -1426,7 +1426,7 @@ static void dwc2_ep0_setup(struct dwc2_udc *dev)
 			break;
 
 		case USB_REQ_SET_FEATURE:
-			ep_num = usb_ctrl->wIndex & 0x7f;
+			ep_num = usb_ctrl->wIndex & 0x3;
 
 			if (!dwc2_udc_set_feature(&dev->ep[ep_num].ep))
 				return;
-- 
2.37.3.968.ga6b4b080e4-goog

Re: [PATCH] Fix out of bound access of ep array.

[Marek Vasut]

On 9/22/22 06:01, Alison Huffman wrote:
> When processing USB_REQ_CLEAR_FEATURE, USB_REQ_SET_FEATURE, and
> USB_REQ_GET_STATUS packets in dwc2_ep0_setup an out of bounds access
> can occur. This is caused by the wIndex field of the usb control packet
> being used as an index into an array whose size is DWC2_MAX_ENDPOINTS (4).

Applied to usb/master, thanks !