Linux USB
From: Johan Hovold <johan@kernel.org>
To: Adrian Korwel <adriank20047@gmail.com>
Cc: linux-usb@vger.kernel.org, gregkh@linuxfoundation.org,
	stable@vger.kernel.org
Subject: Re: [PATCH 1/2] USB: serial: io_ti: fix heap overflow in get_manuf_info()
Date: Tue, 2 Jun 2026 12:17:51 +0200
Message-ID: <ah6tz1s90zvxaPef@hovoldconsulting.com>
In-Reply-To: <20260525145832.2941-1-adriank20047@gmail.com>

On Mon, May 25, 2026 at 09:58:31AM -0500, Adrian Korwel wrote:
> get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the
> device I2C EEPROM into a buffer allocated with kmalloc_obj(), which
> is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.
> 
> The Size field comes from the device and is only validated to fit
> within TI_MAX_I2C_SIZE (16384 bytes),

get_descriptor_addr() does not validate this, but apparently
check_i2c_image() has already done so. I added a comment about that
since it's not obvious.

> not against the destination
> buffer size. A malicious USB device can therefore set Size to any
> value up to 16383, causing a heap overflow of up to 16373 bytes
> when plugged into a host running this driver.

You also need to account for the first two bytes and the header so these
numbers should be 16377 and 16367, right?
 
> valid_csum() is called after read_rom() and also iterates
> buffer[0..Size-1], compounding the out-of-bounds access.
> 
> Fix by rejecting descriptors larger than the destination struct
> before calling read_rom().

We should also make sure that the descriptor is not too short so I
amended the patch when applying.

End result is here:

	https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial.git/commit/?h=usb-linus&id=183c1076eca43bbb3e7bdf597456f91d81c73e74

> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Adrian Korwel <adriank20047@gmail.com>

Both fixes now applied, thanks.

Johan
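The check discussed in the exchange above, as an added example that is not part of the thread, the io_ti driver, or the commit linked by Johan: a device-supplied little-endian length is validated against a fixed-size destination in both directions (too large would overflow the heap buffer, too short would leave part of it unset) before any copy or checksum walk over `Size` bytes happens. The header layout, the `desc_hdr`/`read_desc`/`try_image` names and the 8-bit-sum checksum rule are constructed for illustration; only the 10-byte destination size and the 16384-byte image limit come from the thread.

```c
/*
 * Added example, not the io_ti driver's code: validate a device-supplied
 * descriptor length against a fixed-size destination before copying and
 * before walking the payload for a checksum. Header layout, names and the
 * checksum rule are constructed; only MANUF_DESC_SIZE and MAX_IMAGE_SIZE
 * reflect values stated in the thread.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MANUF_DESC_SIZE   10u     /* sizeof(struct edge_ti_manuf_descriptor) per the thread */
#define MAX_IMAGE_SIZE    16384u  /* TI_MAX_I2C_SIZE per the thread */

/* Constructed descriptor header that precedes the payload in the image. */
struct desc_hdr {
	uint8_t type;
	uint8_t size_le[2];   /* payload length, little-endian, chosen by the device */
	uint8_t csum;         /* constructed rule: 8-bit sum of the payload bytes */
};

enum desc_status {
	DESC_OK = 0,
	DESC_TOO_LARGE = -1,  /* would overflow the destination */
	DESC_TOO_SHORT = -2,  /* would leave part of the destination unset */
	DESC_TRUNCATED = -3,  /* image ends before the announced payload */
	DESC_BAD_CSUM = -4,
};

static uint16_t le16_to_host(const uint8_t b[2])
{
	return (uint16_t)(b[0] | (b[1] << 8));
}

/*
 * Both bounds matter: a size above the destination is the heap overflow
 * the patch fixes; a size below it is the short read Johan added a check
 * for when applying.
 */
static enum desc_status check_desc_size(uint16_t size, size_t dst_size)
{
	if (size > dst_size)
		return DESC_TOO_LARGE;
	if (size < dst_size)
		return DESC_TOO_SHORT;
	return DESC_OK;
}

/* Constructed checksum over exactly `size` bytes: only safe to call once
 * `size` has been validated, which is the valid_csum() point in the thread. */
static uint8_t payload_sum(const uint8_t *p, size_t size)
{
	uint8_t s = 0;
	for (size_t i = 0; i < size; i++)
		s = (uint8_t)(s + p[i]);
	return s;
}

/* Read one descriptor from an image into dst, refusing anything that does
 * not exactly fit the destination. */
static enum desc_status read_desc(const uint8_t *rom, size_t rom_len,
				  uint8_t *dst, size_t dst_size)
{
	struct desc_hdr hdr;
	uint16_t size;
	enum desc_status rc;

	if (rom_len > MAX_IMAGE_SIZE || rom_len < sizeof(hdr))
		return DESC_TRUNCATED;
	memcpy(&hdr, rom, sizeof(hdr));
	size = le16_to_host(hdr.size_le);

	rc = check_desc_size(size, dst_size);
	if (rc != DESC_OK)
		return rc;
	if (rom_len - sizeof(hdr) < size)
		return DESC_TRUNCATED;
	if (payload_sum(rom + sizeof(hdr), size) != hdr.csum)
		return DESC_BAD_CSUM;

	memcpy(dst, rom + sizeof(hdr), size);
	return DESC_OK;
}

/* Build a constructed image whose header announces `announced_size` but
 * carries a 10-byte payload 1..10, then read it into a 10-byte destination. */
static enum desc_status try_image(uint16_t announced_size)
{
	uint8_t rom[sizeof(struct desc_hdr) + MANUF_DESC_SIZE];
	uint8_t dst[MANUF_DESC_SIZE];
	const uint8_t payload[MANUF_DESC_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};

	rom[0] = 0x01;
	rom[1] = (uint8_t)(announced_size & 0xff);
	rom[2] = (uint8_t)(announced_size >> 8);
	rom[3] = payload_sum(payload, sizeof(payload));
	memcpy(rom + sizeof(struct desc_hdr), payload, sizeof(payload));

	return read_desc(rom, sizeof(rom), dst, sizeof(dst));
}

int main(void)
{
	printf("size 10    -> %d\n", try_image(10));     /* DESC_OK */
	printf("size 16383 -> %d\n", try_image(16383));  /* DESC_TOO_LARGE */
	printf("size 4     -> %d\n", try_image(4));      /* DESC_TOO_SHORT */
	return 0;
}
```

The order of the checks is the point: the size is rejected before either the copy or the checksum loop runs, so neither `read_desc()` nor `payload_sum()` ever touches more bytes than the destination holds, regardless of what the device announces.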


Thread overview: 6+ messages
2026-05-25  2:20 [PATCH] USB: serial: io_ti: fix heap overflows in get_manuf_info() and build_i2c_fw_hdr() Adrian Korwel
2026-05-25  5:57 ` Greg KH
2026-05-25 14:41   ` Adrian Korwel
2026-05-25 14:58   ` [PATCH 1/2] USB: serial: io_ti: fix heap overflow in get_manuf_info() Adrian Korwel
2026-05-25 14:58     ` [PATCH 2/2] USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() Adrian Korwel
2026-06-02 10:17     ` Johan Hovold [this message]
