The driver currently assumes that the first endpoint of the control
interface is an interrupt IN endpoint without verifying it. A malicious
device could provide a different endpoint type, which would then be
passed to usb_fill_int_urb(), potentially leading to kernel warnings
or undefined behavior.

Verify that the control endpoint is an interrupt IN endpoint.

Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
Cc: stable@vger.kernel.org
Reported-by: Sashiko bot <sashiko-bot@kernel.org>
Assisted-by: Gemini:gemini-3.1-pro
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
return -ENODEV;
pcu->ep_ctrl = &alt->endpoint[0].desc;
+ if (!usb_endpoint_is_int_in(pcu->ep_ctrl)) {
+ dev_err(pcu->dev,
+ "Control endpoint is not INTERRUPT IN\n");
+ return -EINVAL;
+ }
+
pcu->max_ctrl_size = usb_endpoint_maxp(pcu->ep_ctrl);
pcu->data_intf = usb_ifnum_to_if(pcu->udev,
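Review bot: the added usb_endpoint_is_int_in() check validates only the endpoint's type and direction, and the very next line stores usb_endpoint_maxp(pcu->ep_ctrl) into pcu->max_ctrl_size without looking at the value. A device that supplies crafted descriptors can also report a wMaxPacketSize of zero, so please confirm that the users of max_ctrl_size tolerate 0, or reject it in this same block. Minor: the new branch returns -EINVAL while the context line directly above returns -ENODEV from the same function; if both reject an unexpected descriptor layout, one errno for both would keep probe failures consistent.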