[PATCH 06/11] Input: ims-pcu - validate control endpoint type

Next message: Dmitry Torokhov: "[PATCH 07/11] Input: ims-pcu - fix logic error in packet reset"
Previous message: Dmitry Torokhov: "[PATCH 11/11] Input: ims-pcu - fix potential infinite loop in CDC union descriptor parsing"
In reply to: Dmitry Torokhov: "[PATCH 11/11] Input: ims-pcu - fix potential infinite loop in CDC union descriptor parsing"
Next in thread: Dmitry Torokhov: "[PATCH 07/11] Input: ims-pcu - fix logic error in packet reset"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dmitry Torokhov

Date: Sat May 23 2026 - 01:10:42 EST

The driver currently assumes that the first endpoint of the control
interface is an interrupt IN endpoint without verifying it. A malicious
device could provide a different endpoint type, which would then be
passed to usb_fill_int_urb(), potentially leading to kernel warnings
or undefined behavior.

Verify that the control endpoint is an interrupt IN endpoint.

Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
Cc: stable@xxxxxxxxxxxxxxx
Reported-by: Sashiko bot <sashiko-bot@xxxxxxxxxx>
Assisted-by: Gemini:gemini-3.1-pro
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@xxxxxxxxx>
---
drivers/input/misc/ims-pcu.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
index 7fdff9dd1b5f..0e7a783526e6 100644
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -1703,6 +1703,12 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc
return -ENODEV;

pcu->ep_ctrl = &alt->endpoint[0].desc;
+ if (!usb_endpoint_is_int_in(pcu->ep_ctrl)) {
+ dev_err(pcu->dev,
+ "Control endpoint is not INTERRUPT IN\n");
+ return -EINVAL;
+ }
+
pcu->max_ctrl_size = usb_endpoint_maxp(pcu->ep_ctrl);

pcu->data_intf = usb_ifnum_to_if(pcu->udev,
--
2.54.0.746.g67dd491aae-goog