From 354667bb6d3f5bb5027975b138087b2dba8bcc06 Mon Sep 17 00:00:00 2001
From: Alexander Boettcher
Date: Tue, 30 Aug 2022 11:07:47 +0200
Subject: [PATCH] lx_emul: validate USB endpoint and settings param to avoid pagefaults and general protection faults on access to unpaged memory regions. Fixes #4596
---
 repos/dde_linux/src/lib/lx_emul/usb.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/repos/dde_linux/src/lib/lx_emul/usb.c b/repos/dde_linux/src/lib/lx_emul/usb.c
index 17b6728bf6..8f2c777a33 100644
--- a/repos/dde_linux/src/lib/lx_emul/usb.c
+++ b/repos/dde_linux/src/lib/lx_emul/usb.c
@@ -129,7 +129,7 @@ static int interface_descriptor(genode_usb_bus_num_t bus,
 {
 struct usb_interface * iface = interface(bus, dev, index);
- if (!iface)
+ if (!iface || setting >= iface->num_altsetting)
 return -1;
 memcpy(buf, &iface->altsetting[setting].desc,
@@ -148,7 +148,7 @@ static int interface_extra(genode_usb_bus_num_t bus,
 struct usb_interface * iface = interface(bus, dev, index);
 unsigned long len;
- if (!iface)
+ if (!iface || setting >= iface->num_altsetting)
 return -1;
 len = min((unsigned long)iface->altsetting[setting].extralen, size);
@@ -173,9 +173,13 @@ static int endpoint_descriptor(genode_usb_bus_num_t bus,
 if (!iface)
 return -2;
+ if (setting >= iface->num_altsetting ||
+ endp >= iface->altsetting[setting].desc.bNumEndpoints)
+ return -3;
+
 ep = &iface->altsetting[setting].endpoint[endp];
 if (!ep)
- return -3;
+ return -4;
 memcpy(buf, &ep->desc,
 min(sizeof(struct usb_endpoint_descriptor), size));
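Review bot: The bound `setting >= iface->num_altsetting` is now written out three times, in interface_descriptor, in interface_extra and (split from the NULL test) in endpoint_descriptor, and each copy is followed by a raw `iface->altsetting[setting]` index. Since `setting` is presumably supplied by the USB session client, I would put the check and the indexing into one helper that returns the validated altsetting or NULL, so a later accessor cannot reach the array without passing the bound. The sketch below assumes `setting` is `unsigned` and that the array elements are `struct usb_host_interface`; both declarations are outside the hunks. All three function bodies start and end outside their hunks.

```c
/* Returns the altsetting at array index 'setting', or NULL if iface is
 * missing or the index is out of range. */
static struct usb_host_interface *
altsetting_checked(struct usb_interface * iface, unsigned setting)
{
	if (!iface || setting >= iface->num_altsetting)
		return NULL;

	return &iface->altsetting[setting];
}

/* in interface_descriptor(), replacing the guard and the indexed access */
	struct usb_host_interface * alt = altsetting_checked(iface, setting);

	if (!alt)
		return -1;

	/* … unchanged: memcpy, now reading &alt->desc … */
```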
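Review bot: In endpoint_descriptor the `if (!ep)` test after the new range check looks unreachable, because `ep` is the address of element `endp` of the `endpoint` array and the new guard already rejects every `endp` when `bNumEndpoints` is 0, so the renumbered `return -4;` probably never executes. Meanwhile -3 now reports an out-of-range setting or endpoint index rather than a NULL `ep`, which changes the meaning of a code that a caller may match on; the callers are outside this diff. I would drop the dead check and document the codes above the function, e.g. `/* -2: no such interface, -3: setting or endpoint index out of range */`. The bound also relies on `desc.bNumEndpoints` matching the number of entries actually allocated in `endpoint`, which nothing in this file section shows, so it is worth confirming where that invariant is established. The function starts and ends outside the hunk.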