From: Bingquan Chen <patzilla007@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org, security@kernel.org,
Bingquan Chen <patzilla007@gmail.com>
Subject: [PATCH] usb: gadget: configfs: fix 1-byte OOB read in ext_prop_data_show()
Date: Tue, 21 Apr 2026 22:10:10 +0800 [thread overview]
Message-ID: <20260421141010.5607-1-patzilla007@gmail.com> (raw)
In ext_prop_data_store(), for unicode property types, the data buffer
is allocated via kmemdup() with size 'len', but data_len is inflated
to len*2+2 to account for the UTF-16 encoding and a 2-byte null
terminator. The null terminator is not actually stored in the data
buffer.
When ext_prop_data_show() reads the data back, it computes the read
length as data_len >> 1 = len+1, then does memcpy(page, data, len+1),
reading 1 byte past the allocated buffer. This is a slab-out-of-bounds
read that leaks 1 byte of adjacent heap data to userspace via configfs.
KASAN report (5.10.252):
BUG: KASAN: slab-out-of-bounds in ext_prop_data_show+0x4a/0x60
Read of size 9 at addr ffff888005546008 by task poc/62
Allocated by task 62:
kmemdup+0x17/0x40
ext_prop_data_store+0x52/0x130
configfs_write_file+0x168/0x200
The buggy address belongs to the object at ffff888005546008
which belongs to the cache kmalloc-8 of size 8
Fix by allocating len+1 bytes and null-terminating the buffer, so the
extra byte read in show() returns a known-zero byte instead of
adjacent slab data.
Fixes: 7419485f197c ("usb: gadget: configfs: OS Extended Properties descriptors support")
Cc: stable@vger.kernel.org
Signed-off-by: Bingquan Chen <patzilla007@gmail.com>
---
drivers/usb/gadget/configfs.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
index 183a25f65ac8..a1b2c3d4e5f6 100644
--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -1352,8 +1352,11 @@ static ssize_t ext_prop_data_store(struct config_item *item,
if (page[len - 1] == '\n' || page[len - 1] == '\0')
--len;
- new_data = kmemdup(page, len, GFP_KERNEL);
+ new_data = kmalloc(len + 1, GFP_KERNEL);
if (!new_data)
return -ENOMEM;
+ memcpy(new_data, page, len);
+ new_data[len] = '\0';
if (desc->opts_mutex)
--
2.43.0
next reply other threads:[~2026-04-21 14:10 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-21 14:10 Bingquan Chen [this message]
2026-04-21 16:27 ` [PATCH] usb: gadget: configfs: fix 1-byte OOB read in ext_prop_data_show() Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260421141010.5607-1-patzilla007@gmail.com \
--to=patzilla007@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=security@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.