Re: [PATCH v2] usb: host: max3421: Fix shift-out-of-bounds in max3421_hub_control()

From: Alan Stern

Date: Sat May 16 2026 - 21:15:56 EST


On Sat, May 16, 2026 at 08:07:31PM -0400, pip-izony wrote:
> From: Seungjin Bae <eeodqql09@xxxxxxxxx>
>
> The `max3421_hub_control()` function handles USB hub class requests
> to the virtual root hub. In the `default` branches of both the
> `ClearPortFeature` and `SetPortFeature` switch statements, it modifies
> `max3421_hcd->port_status` by left shifting 1 by the request's `value`
> parameter. However, it does not validate whether this shift will exceed
> the width of `port_status`.
>
> So if a malicious userspace task with access to the root hub via
> /dev/bus/usb/.../001 issues a USBDEVFS_CONTROL ioctl with `wValue`
> greater than or equal to 32, the left shift operation invokes
> shift-out-of-bounds undefined behavior. This results in arbitrary
> bit corruption of `port_status`, including the normally-immutable
> change bits, which can bypass internal state checks and confuse the
> hub status.
>
> Fix this by rejecting requests whose `value` exceeds the shift width
> before performing the shift.

Another problem is that the root hub is supposed to reject requests to
clear or set a feature for a non-existent port. Just as in the
GetPortStatus case, the ClearPortFeature and SetPortFeature cases should
check for index != 1.

Alan Stern
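A constructed user-space model of the two checks discussed in this thread, the shift-width bound from the patch description and the port-index check raised in the reply, added here as an example and not the max3421 driver's own code; the struct layout, function names and return codes are assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <limits.h>

/* Constructed model of a root hub with exactly one port (assumption: names
 * and layout are not taken from the max3421 driver). */
struct rh_model {
	uint32_t port_status;	/* its width bounds the largest legal shift */
};

enum { RH_PORT_INDEX = 1 };		/* the only valid wIndex */
enum { RH_OK = 0, RH_REJECT = -1 };	/* constructed return codes */
#define PORT_STATUS_BITS (sizeof(uint32_t) * CHAR_BIT)

/*
 * Handle ClearPortFeature (set == false) or SetPortFeature (set == true)
 * for the root hub. Both rejections happen before any shift:
 *  1. index must name the one real port, as GetPortStatus already requires;
 *  2. value must be below the width of port_status, because shifting 1 by
 *     32 or more is undefined behaviour in C and can flip arbitrary bits.
 */
int rh_port_feature(struct rh_model *hub, unsigned int index,
		    unsigned int value, bool set)
{
	if (index != RH_PORT_INDEX)
		return RH_REJECT;
	if (value >= PORT_STATUS_BITS)
		return RH_REJECT;

	uint32_t mask = UINT32_C(1) << value;	/* safe: value <= 31 here */
	if (set)
		hub->port_status |= mask;
	else
		hub->port_status &= ~mask;
	return RH_OK;
}

/* Replays a few constructed control requests and counts the rejections. */
unsigned int rh_replay_rejections(void)
{
	struct rh_model hub = { .port_status = 0 };
	const struct { unsigned int index, value; bool set; } reqs[] = {
		{ 1, 8, true },		/* valid: sets bit 8 */
		{ 1, 31, true },	/* valid: highest legal bit */
		{ 1, 32, true },	/* rejected: would shift out of range */
		{ 1, 0xffff, false },	/* rejected: same, via ClearPortFeature */
		{ 2, 0, true },		/* rejected: port 2 does not exist */
		{ 0, 0, false },	/* rejected: port 0 does not exist */
	};
	unsigned int rejected = 0;
	for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++)
		if (rh_port_feature(&hub, reqs[i].index, reqs[i].value,
				    reqs[i].set) != RH_OK)
			rejected++;
	return rejected;	/* 4 */
}
```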