From: Greg KH <gregkh@linuxfoundation.org>
To: Adrian Korwel <adriank20047@gmail.com>
Cc: linux-usb@vger.kernel.org, johan@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] USB: serial: io_ti: fix heap overflows in get_manuf_info() and build_i2c_fw_hdr()
Date: Mon, 25 May 2026 07:57:00 +0200
Message-ID: <2026052525-devotee-reclaim-7673@gregkh>
In-Reply-To: <CADgB2mF95N09=gOvBZ+4ePSQ-0wCynx-rbu=aiyQecT=iDdyRw@mail.gmail.com>

On Sun, May 24, 2026 at 09:20:51PM -0500, Adrian Korwel wrote:
> Two heap overflows exist in this driver:
> 
> 1. get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the
>    device I2C EEPROM into a buffer allocated with kmalloc_obj(), which
>    is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.
> 
>    The Size field comes from the device and is only validated to fit
>    within TI_MAX_I2C_SIZE (16384 bytes), not against the destination
>    buffer size. A malicious USB device can therefore set Size to any
>    value up to 16383, causing a heap overflow of up to 16373 bytes
>    when plugged into a host running this driver.
> 
>    valid_csum() is called after read_rom() and also iterates
>    buffer[0..Size-1], compounding the out-of-bounds access.
> 
>    Fix by rejecting descriptors larger than the destination struct
>    before calling read_rom().
> 
> 2. build_i2c_fw_hdr() allocates a fixed-size buffer of
>    (16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then
>    copies le16_to_cpu(img_header->Length) bytes into it without
>    validating that Length fits within the available space after the
>    firmware record header. img_header->Length is a __le16 from the
>    firmware file and can be up to 65535. check_fw_sanity() validates
>    the total firmware size but not img_header->Length specifically.

Should be 2 patches, right?

> 
>    Fix by rejecting images where img_header->Length exceeds the
>    available destination space.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Adrian Korwel <adriank20047@gmail.com>

What tool found and fixed these issues?

> ---
>  drivers/usb/serial/io_ti.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
> index cb55370e036f..afe29fdf9536 100644
> --- a/drivers/usb/serial/io_ti.c
> +++ b/drivers/usb/serial/io_ti.c
> @@ -773,6 +773,12 @@ static int get_manuf_info(struct edgeport_serial
> *serial, u8 *buffer)
>         }
> 
>         /* Read the descriptor data */
> +       if (le16_to_cpu(rom_desc->Size) > sizeof(struct
> edge_ti_manuf_descriptor)) {
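Review bot: the hunk is line-wrapped by the mail client and will not apply as posted: the `@@ -773,6 +773,12 @@ static int get_manuf_info(struct edgeport_serial` header continues on a separate `*serial, u8 *buffer)` line, and the added `+       if (le16_to_cpu(rom_desc->Size) > sizeof(struct` check is split from its `edge_ti_manuf_descriptor)) {` continuation; resend with git send-email (or a client that preserves long lines) so the diff reaches the list intact. The comparison itself is the right guard for the first overflow described in the commit message, and since the diffstat counts 11 insertions covering both get_manuf_info() and build_i2c_fw_hdr(), splitting into one patch per fix (as requested above) would let each change be reviewed and backported on its own.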

Your patch is corrupted and can not be applied :(

thanks,

greg k-h
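The two checks the commit message asks for, modelled as a stand-alone program. This is an added example, not code from io_ti.c or from the posted patch: it shows a device-supplied descriptor Size that is bounded only by the I2C ROM limit (the pre-fix state) beside the fixed check that also compares it against the 10-byte destination, and the equivalent Length check for the firmware image buffer. Every struct layout, field name, helper name and the sample ROM image below are assumptions chosen to mirror the description; only the sizes (10 bytes, TI_MAX_I2C_SIZE = 16384, 16*1024 - 512) come from the message.

```c
/* Added example, not code from io_ti.c or from the posted patch.  It models
 * the two untrusted-length checks the commit message describes: a device-
 * supplied descriptor Size read into a fixed 10-byte struct, and a firmware
 * image Length copied into a fixed payload area.  All struct layouts, field
 * names and helper names below are assumptions chosen to mirror the
 * description; only the sizes (10, 16384, 16*1024-512) come from the text. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TI_MAX_I2C_SIZE  (16 * 1024)           /* limit named in the commit message */
#define FW_PAYLOAD_SIZE  ((16 * 1024) - 512)   /* space after the firmware record header */

/* Assumed layout: the text only says sizeof() is 10 bytes. */
struct edge_ti_manuf_descriptor {
	uint8_t data[10];
};

/* Assumed placeholder for the record header that precedes the image. */
struct ti_i2c_firmware_rec {
	uint8_t placeholder[4];
};

#define FW_TOTAL_SIZE (FW_PAYLOAD_SIZE + sizeof(struct ti_i2c_firmware_rec))

/* The pre-fix validation as described: Size is only bounded by the I2C
 * ROM limit, which says nothing about the 10-byte destination. */
bool manuf_size_ok_old(uint16_t size)
{
	return size < TI_MAX_I2C_SIZE;
}

/* The fixed validation: additionally reject anything larger than the
 * destination struct before any ROM read happens. */
bool manuf_size_ok_new(uint16_t size, size_t dst_len)
{
	return size < TI_MAX_I2C_SIZE && size <= dst_len;
}

/* Model of get_manuf_info(): copy `size` bytes of descriptor data at `off`
 * from a ROM image into `out`, applying the fixed check first and also
 * refusing to read past the end of the image. */
int read_manuf_desc(const uint8_t *rom, size_t rom_len, size_t off,
		    uint16_t size, struct edge_ti_manuf_descriptor *out)
{
	if (!manuf_size_ok_new(size, sizeof(*out)))
		return -EINVAL;
	if (off > rom_len || size > rom_len - off)
		return -EIO;
	memset(out, 0, sizeof(*out));
	memcpy(out->data, rom + off, size);
	return 0;
}

/* Model of the build_i2c_fw_hdr() check: the image Length (a 16-bit value
 * from the firmware file) must fit in the payload area that follows the
 * record header inside a buffer of buf_size bytes. */
bool fw_image_len_ok(uint16_t length, size_t buf_size, size_t rec_hdr_size)
{
	return buf_size >= rec_hdr_size && length <= buf_size - rec_hdr_size;
}

/* Constructed ROM image: 3 header bytes, then 10 bytes of descriptor data. */
static const uint8_t sample_rom[13] = {
	0x01, 0x0a, 0x00,                         /* type, Size = 10 (LE) */
	0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9,
};

int main(void)
{
	struct edge_ti_manuf_descriptor d;
	uint16_t declared = (uint16_t)(sample_rom[1] | (sample_rom[2] << 8));

	printf("Size=%u: old check %s, new check %s, read rc=%d\n", declared,
	       manuf_size_ok_old(declared) ? "pass" : "reject",
	       manuf_size_ok_new(declared, sizeof(d)) ? "pass" : "reject",
	       read_manuf_desc(sample_rom, sizeof(sample_rom), 3, declared, &d));

	declared = 16383;   /* largest value the old check accepted */
	printf("Size=%u: old check %s, new check %s, read rc=%d\n", declared,
	       manuf_size_ok_old(declared) ? "pass" : "reject",
	       manuf_size_ok_new(declared, sizeof(d)) ? "pass" : "reject",
	       read_manuf_desc(sample_rom, sizeof(sample_rom), 3, declared, &d));

	printf("Length=%u fits: %d\n", 65535,
	       fw_image_len_ok(65535, FW_TOTAL_SIZE, sizeof(struct ti_i2c_firmware_rec)));
	return 0;
}
```

The point of keeping both `manuf_size_ok_old()` and `manuf_size_ok_new()` side by side is that the old bound is a property of the ROM, not of the allocation: any check on an externally supplied length has to be made against the buffer the bytes actually land in, which is why the fix compares against `sizeof(struct edge_ti_manuf_descriptor)` rather than tightening TI_MAX_I2C_SIZE.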

Thread overview:
2026-05-25  2:20 [PATCH] USB: serial: io_ti: fix heap overflows in get_manuf_info() and build_i2c_fw_hdr() Adrian Korwel
2026-05-25  5:57 ` Greg KH [this message]
2026-05-25 14:41   ` Adrian Korwel
2026-05-25 14:58   ` [PATCH 1/2] USB: serial: io_ti: fix heap overflow in get_manuf_info() Adrian Korwel
2026-05-25 14:58     ` [PATCH 2/2] USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() Adrian Korwel
2026-06-02 10:17     ` [PATCH 1/2] USB: serial: io_ti: fix heap overflow in get_manuf_info() Johan Hovold
