From: Michal Pecio <michal.pecio@gmail.com>
To: Heitor Alves de Siqueira <halves@igalia.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-dev@igalia.com,
syzbot+abbfd103085885cf16a2@syzkaller.appspotmail.com,
stable@kernel.org
Subject: Re: [PATCH v2] usb: usbtmc: reject invalid interrupt endpoints
Date: Fri, 24 Apr 2026 00:28:39 +0200 [thread overview]
Message-ID: <20260424002839.5ad25517.michal.pecio@gmail.com> (raw)
In-Reply-To: <20260423-usbtmc-iin-size-v2-1-31afa4874f71@igalia.com>
On Thu, 23 Apr 2026 15:04:38 -0300, Heitor Alves de Siqueira wrote:
> The USBTMC driver allocates the Interrupt-IN buffer according to the
> wMaxPacketSize value obtained from the USB endpoint. If a USB device
> advertises a small enough wMaxPacketSize (e.g. a malfunctioning device
> or an endpoint constructed by syzbot), the buffer will not have enough
> space for the mandatory headers and will trigger an out-of-bounds read.
>
> Fix by rejecting devices advertising interrupt endpoints that don't fit
> at least the mandatory headers (bNotify1 and bNotify2).
>
> Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
> Reported-by: syzbot+abbfd103085885cf16a2@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2
> Cc: stable@kernel.org
> Suggested-by: Michal Pecio <michal.pecio@gmail.com>
> Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
> ---
> Changes in v2:
> - Instead of ensuring buffer size, reject devices that advertise illegal/invalid interrupt endpoints
> - Link to v1: https://patch.msgid.link/20260422-usbtmc-iin-size-v1-1-5dc44b4389aa@igalia.com
On second thought, this may be not enough. A wMaxPacketSize == 2 device
can still send only 1 byte (or even 0) and cause unititialized read.
Better check if the URB completed with expected actual_length before
trying to parse the message.
And by the way, an interrupt transfer may span multiple intervals and
exceed wMaxPacketSize, USBTMC spec alludes to it. Theoretically, even
wMaxPacketSize == 1 seems possible, though it would be crazy and likely
no such HW exists because nobody complains that it doesn't work.
Regards,
Michal
next prev parent reply other threads:[~2026-04-23 22:28 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-23 18:04 [PATCH v2] usb: usbtmc: reject invalid interrupt endpoints Heitor Alves de Siqueira
2026-04-23 22:28 ` Michal Pecio [this message]
2026-04-28 19:55 ` Heitor Alves de Siqueira
2026-04-28 22:16 ` Michal Pecio
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260424002839.5ad25517.michal.pecio@gmail.com \
--to=michal.pecio@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=halves@igalia.com \
--cc=kernel-dev@igalia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=stable@kernel.org \
--cc=syzbot+abbfd103085885cf16a2@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox