[PATCH] USB: serial: kl5kusb105: fix bulk-out buffer overflow

Linux USB
 help / color / mirror / Atom feed

* [PATCH] USB: serial: kl5kusb105: fix bulk-out buffer overflow
@ 2026-06-07  9:51 HyeongJun An
  2026-06-08  6:34 ` Johan Hovold
  2026-06-08  9:09 ` [PATCH v2] " HyeongJun An
  0 siblings, 2 replies; 7+ messages in thread
From: HyeongJun An @ 2026-06-07  9:51 UTC (permalink / raw)
  To: Johan Hovold, Greg Kroah-Hartman
  Cc: linux-usb, linux-kernel, stable, HyeongJun An

klsi_105_prepare_write_buffer() is called by the generic write path
with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It
stores a two-byte length header at the start of the buffer and copies
the payload from the write fifo starting at buf + KLSI_HDR_LEN, but
passes the full buffer size as the number of bytes to copy:

  count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
                           size, &port->lock);

When the fifo holds at least size bytes, size bytes are copied starting
two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its
end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for
the header as safe_serial already does.

Writing bulk_out_size or more bytes to the tty triggers a slab
out-of-bounds write, observed with KASAN by emulating the device with
dummy_hcd and raw-gadget:

  BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0
  Write of size 64 at addr ffff888112c62202 by task python3
   kfifo_copy_out
   klsi_105_prepare_write_buffer [kl5kusb105]
   usb_serial_generic_write_start [usbserial]
  Allocated by task 139:
   usb_serial_probe [usbserial]
  The buggy address is located 2 bytes inside of allocated 64-byte region

The out-of-bounds write no longer occurs with this change applied.

Fixes: 60b3013cdaf3 ("USB: kl5usb105: reimplement using generic framework")
Cc: stable@vger.kernel.org
Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
---
 drivers/usb/serial/kl5kusb105.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/serial/kl5kusb105.c b/drivers/usb/serial/kl5kusb105.c
index ed8531a64768..e72a0b45a707 100644
--- a/drivers/usb/serial/kl5kusb105.c
+++ b/drivers/usb/serial/kl5kusb105.c
@@ -330,8 +330,8 @@ static int klsi_105_prepare_write_buffer(struct usb_serial_port *port,
 	unsigned char *buf = dest;
 	int count;
 
-	count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size,
-								&port->lock);
+	count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
+				 size - KLSI_HDR_LEN, &port->lock);
 	put_unaligned_le16(count, buf);
 
 	return count + KLSI_HDR_LEN;
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [PATCH] USB: serial: kl5kusb105: fix bulk-out buffer overflow
  2026-06-07  9:51 [PATCH] USB: serial: kl5kusb105: fix bulk-out buffer overflow HyeongJun An
@ 2026-06-08  6:34 ` Johan Hovold
  2026-06-08  7:49   ` HyeongJun An
  2026-06-08  9:09 ` [PATCH v2] " HyeongJun An
  1 sibling, 1 reply; 7+ messages in thread
From: Johan Hovold @ 2026-06-08  6:34 UTC (permalink / raw)
  To: HyeongJun An; +Cc: Greg Kroah-Hartman, linux-usb, linux-kernel, stable

On Sun, Jun 07, 2026 at 06:51:14PM +0900, HyeongJun An wrote:
> klsi_105_prepare_write_buffer() is called by the generic write path
> with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It
> stores a two-byte length header at the start of the buffer and copies
> the payload from the write fifo starting at buf + KLSI_HDR_LEN, but
> passes the full buffer size as the number of bytes to copy:
> 
>   count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
>                            size, &port->lock);
> 
> When the fifo holds at least size bytes, size bytes are copied starting
> two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its
> end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for
> the header as safe_serial already does.

Good catch!

How was this found? Did you use some kind of static checker or LLM?

Johan

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] USB: serial: kl5kusb105: fix bulk-out buffer overflow
  2026-06-08  6:34 ` Johan Hovold
@ 2026-06-08  7:49   ` HyeongJun An
  2026-06-08  8:36     ` Johan Hovold
  0 siblings, 1 reply; 7+ messages in thread
From: HyeongJun An @ 2026-06-08  7:49 UTC (permalink / raw)
  To: johan; +Cc: gregkh, linux-usb, linux-kernel, stable

Hi Johan,

Thanks a lot!

Yes, I used an LLM to compare the custom prepare_write_buffer()
handlers in drivers/usb/serial/.  kl5kusb105 passes the full "size"
to the fifo copy, while the ones with a header or trailer, like
safe_serial, reserve that space first.

Thanks,
HyeongJun

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] USB: serial: kl5kusb105: fix bulk-out buffer overflow
  2026-06-08  7:49   ` HyeongJun An
@ 2026-06-08  8:36     ` Johan Hovold
  2026-06-08  9:11       ` Sam Hyeong
  0 siblings, 1 reply; 7+ messages in thread
From: Johan Hovold @ 2026-06-08  8:36 UTC (permalink / raw)
  To: HyeongJun An; +Cc: gregkh, linux-usb, linux-kernel, stable

On Mon, Jun 08, 2026 at 04:49:30PM +0900, HyeongJun An wrote:

> Yes, I used an LLM to compare the custom prepare_write_buffer()
> handlers in drivers/usb/serial/.  kl5kusb105 passes the full "size"
> to the fifo copy, while the ones with a header or trailer, like
> safe_serial, reserve that space first.

Thanks for confirming. This needs to be documented in the commit
message, see:

	Documentation/process/submitting-patches.rst ["Using Assisted-by"]
	Documentation/process/coding-assistants.rst

Can you send a v2 with the missing tag?

Johan

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] USB: serial: kl5kusb105: fix bulk-out buffer overflow
  2026-06-08  8:36     ` Johan Hovold
@ 2026-06-08  9:11       ` Sam Hyeong
  0 siblings, 0 replies; 7+ messages in thread
From: Sam Hyeong @ 2026-06-08  9:11 UTC (permalink / raw)
  To: Johan Hovold; +Cc: gregkh, linux-usb, linux-kernel, stable

Hi Johan,

Sure, thanks! I've just sent a v2 with the "Assisted-by" tag.

Thanks,
HyeongJun



On Mon, Jun 8, 2026 at 5:36 PM Johan Hovold <johan@kernel.org> wrote:
>
> On Mon, Jun 08, 2026 at 04:49:30PM +0900, HyeongJun An wrote:
>
> > Yes, I used an LLM to compare the custom prepare_write_buffer()
> > handlers in drivers/usb/serial/.  kl5kusb105 passes the full "size"
> > to the fifo copy, while the ones with a header or trailer, like
> > safe_serial, reserve that space first.
>
> Thanks for confirming. This needs to be documented in the commit
> message, see:
>
>         Documentation/process/submitting-patches.rst ["Using Assisted-by"]
>         Documentation/process/coding-assistants.rst
>
> Can you send a v2 with the missing tag?
>
> Johan

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH v2] USB: serial: kl5kusb105: fix bulk-out buffer overflow
  2026-06-07  9:51 [PATCH] USB: serial: kl5kusb105: fix bulk-out buffer overflow HyeongJun An
  2026-06-08  6:34 ` Johan Hovold
@ 2026-06-08  9:09 ` HyeongJun An
  2026-06-08 11:49   ` Johan Hovold
  1 sibling, 1 reply; 7+ messages in thread
From: HyeongJun An @ 2026-06-08  9:09 UTC (permalink / raw)
  To: Johan Hovold, Greg Kroah-Hartman
  Cc: linux-usb, linux-kernel, stable, HyeongJun An

klsi_105_prepare_write_buffer() is called by the generic write path
with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It
stores a two-byte length header at the start of the buffer and copies
the payload from the write fifo starting at buf + KLSI_HDR_LEN, but
passes the full buffer size as the number of bytes to copy:

  count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
                           size, &port->lock);

When the fifo holds at least size bytes, size bytes are copied starting
two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its
end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for
the header as safe_serial already does.

Writing bulk_out_size or more bytes to the tty triggers a slab
out-of-bounds write, observed with KASAN by emulating the device with
dummy_hcd and raw-gadget:

  BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0
  Write of size 64 at addr ffff888112c62202 by task python3
   kfifo_copy_out
   klsi_105_prepare_write_buffer [kl5kusb105]
   usb_serial_generic_write_start [usbserial]
  Allocated by task 139:
   usb_serial_probe [usbserial]
  The buggy address is located 2 bytes inside of allocated 64-byte region

The out-of-bounds write no longer occurs with this change applied.

Fixes: 60b3013cdaf3 ("USB: kl5usb105: reimplement using generic framework")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
---
v2:
- Add Assisted-by tag as requested by Johan.

 drivers/usb/serial/kl5kusb105.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/serial/kl5kusb105.c b/drivers/usb/serial/kl5kusb105.c
index ed8531a64768..e72a0b45a707 100644
--- a/drivers/usb/serial/kl5kusb105.c
+++ b/drivers/usb/serial/kl5kusb105.c
@@ -330,8 +330,8 @@ static int klsi_105_prepare_write_buffer(struct usb_serial_port *port,
 	unsigned char *buf = dest;
 	int count;
 
-	count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size,
-								&port->lock);
+	count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
+				 size - KLSI_HDR_LEN, &port->lock);
 	put_unaligned_le16(count, buf);
 
 	return count + KLSI_HDR_LEN;
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [PATCH v2] USB: serial: kl5kusb105: fix bulk-out buffer overflow
  2026-06-08  9:09 ` [PATCH v2] " HyeongJun An
@ 2026-06-08 11:49   ` Johan Hovold
  0 siblings, 0 replies; 7+ messages in thread
From: Johan Hovold @ 2026-06-08 11:49 UTC (permalink / raw)
  To: HyeongJun An; +Cc: Greg Kroah-Hartman, linux-usb, linux-kernel, stable

On Mon, Jun 08, 2026 at 06:09:26PM +0900, HyeongJun An wrote:
> klsi_105_prepare_write_buffer() is called by the generic write path
> with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It
> stores a two-byte length header at the start of the buffer and copies
> the payload from the write fifo starting at buf + KLSI_HDR_LEN, but
> passes the full buffer size as the number of bytes to copy:
> 
>   count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
>                            size, &port->lock);
> 
> When the fifo holds at least size bytes, size bytes are copied starting
> two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its
> end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for
> the header as safe_serial already does.

> Fixes: 60b3013cdaf3 ("USB: kl5usb105: reimplement using generic framework")
> Cc: stable@vger.kernel.org
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
> ---
> v2:
> - Add Assisted-by tag as requested by Johan.

Now applied, thanks.

Johan

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2026-06-08 11:49 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-07  9:51 [PATCH] USB: serial: kl5kusb105: fix bulk-out buffer overflow HyeongJun An
2026-06-08  6:34 ` Johan Hovold
2026-06-08  7:49   ` HyeongJun An
2026-06-08  8:36     ` Johan Hovold
2026-06-08  9:11       ` Sam Hyeong
2026-06-08  9:09 ` [PATCH v2] " HyeongJun An
2026-06-08 11:49   ` Johan Hovold

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox