From: Vincent Mailhol <mailhol@kernel.org>
To: Berkant Koc <me@berkoc.com>,
Marc Kleine-Budde <mkl@pengutronix.de>,
Stephane Grosjean <stephane.grosjean@hms-networks.com>
Cc: linux-can@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, kernel@pengutronix.de
Subject: Re: [PATCH 1/2] can: peak_usb: validate URB length in pcan_usb_fd_decode_buf()
Date: Sun, 17 May 2026 19:26:21 +0200 [thread overview]
Message-ID: <b978603c-4878-4eee-adc1-290e905fe768@kernel.org> (raw)
In-Reply-To: <20260517-can-usb-fix-1@berkoc.com>
On 17/05/2026 at 15:55, Berkant Koc wrote:
> pcan_usb_fd_decode_buf() walks records inside the bulk-in URB by reading
> the 12-byte struct pucan_msg header from the front of each record. The
> existing loop only verifies that msg_ptr is below msg_end before
> dereferencing rx_msg->size and rx_msg->type, which means a short URB
> that contains between 1 and 11 bytes of payload causes a two-byte
> out-of-bounds read of the rx_msg->size and rx_msg->type fields. The
> fragment check that follows compares the announced size against msg_end
> but lands after the header has already been read.
>
> A malicious USB device that pretends to be a PEAK-System PCAN-USB-FD
> adapter (USB IDs 0c72:0012, 0c72:0014, 0c72:0016) can keep returning
> short bulk-in URBs and trigger this read on every poll cycle, leaking
> adjacent slab content via the dispatched decode paths or simply
> producing a KASAN slab-out-of-bounds report.
>
> Apply the pattern from commit 6fe9f3279f7d ("can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header"):
> require that at least sizeof(struct pucan_msg) bytes remain before each
> iteration, and reject records whose announced size is smaller than the
> header itself.
>
> Identified by static analysis.
Could you name which tool you used? Otherwise, this sentence adds little
value to the report.
> No KASAN trip available without specific PEAK CAN-FD hardware.
>
> Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters")
> Cc: stable@vger.kernel.org # 4.0+
> Signed-off-by: Berkant Koc <me@berkoc.com>
The code itself is OK. Not withstanding of above comment:
Reviewed-by: Vincent Mailhol <mailhol@kernel.org>
Yours sincerely,
Vincent Mailhol
next prev parent reply other threads:[~2026-05-17 17:26 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-17 13:55 [PATCH 0/2] can: usb: validate URB length in PEAK-USB rx callbacks Berkant Koc
2026-05-17 13:55 ` [PATCH 1/2] can: peak_usb: validate URB length in pcan_usb_fd_decode_buf() Berkant Koc
2026-05-17 17:26 ` Vincent Mailhol [this message]
2026-05-17 13:55 ` [PATCH 2/2] can: peak_usb: validate URB length in pcan_usb_pro_decode_buf() Berkant Koc
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b978603c-4878-4eee-adc1-290e905fe768@kernel.org \
--to=mailhol@kernel.org \
--cc=kernel@pengutronix.de \
--cc=linux-can@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=me@berkoc.com \
--cc=mkl@pengutronix.de \
--cc=netdev@vger.kernel.org \
--cc=stephane.grosjean@hms-networks.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox