From: Ma Ke
To: leoyang.li@nxp.com
Cc: gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, Ma Ke
Subject: [PATCH] usb: gadget: fsl_qe_udc: validate endpoint index for ch9 udc
Date: Wed, 28 Jun 2023 16:15:11 +0800
Message-Id: <20230628081511.186850-1-make_ruc2021@163.com>
X-Mailer: git-send-email 2.37.2
X-Mailing-List: linux-kernel@vger.kernel.org

We should verify the bound of the array to assure that host may not manipulate the index to point past endpoint array.

Signed-off-by: Ma Ke
--- drivers/usb/gadget/udc/fsl_qe_udc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/gadget/udc/fsl_qe_udc.c b/drivers/usb/gadget/udc/fsl_qe_udc.c index 3b1cc8fa30c8..f4e5cbd193b7 100644 --- a/drivers/usb/gadget/udc/fsl_qe_udc.c +++ b/drivers/usb/gadget/udc/fsl_qe_udc.c @@ -1959,6 +1959,8 @@ static void ch9getstatus(struct qe_udc *udc, u8 request_type, u16 value, } else if ((request_type & USB_RECIP_MASK) == USB_RECIP_ENDPOINT) { /* Get endpoint status */ int pipe = index & USB_ENDPOINT_NUMBER_MASK; + if (pipe >= USB_MAX_ENDPOINTS) + goto stall; struct qe_ep *target_ep = &udc->eps[pipe]; u16 usep; -- 2.37.2
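
Review bot: In the ch9getstatus() hunk the new `if (pipe >= USB_MAX_ENDPOINTS) goto stall;` sits between the declaration of `pipe` and the declarations of `target_ep` and `usep`, so `struct qe_ep *target_ep = &udc->eps[pipe];` becomes a declaration after a statement, which kernel coding style does not allow and which the kernel build warns about. Declare `target_ep` without an initializer alongside `pipe` and `usep`, place the bounds check after the declarations, and assign `target_ep = &udc->eps[pipe];` only once the check has passed. The `stall` label is not visible in the hunk context, so confirm that it exists in this function and that jumping to it from this branch skips no cleanup. The commit message would also be stronger if it stated the size of `udc->eps[]` relative to the range that `index & USB_ENDPOINT_NUMBER_MASK` can produce and carried a Fixes: tag for the commit that introduced the unchecked index.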