From: Bingquan Chen
To: Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, security@kernel.org, Bingquan Chen
Subject: [PATCH] usb: gadget: configfs: fix 1-byte OOB read in ext_prop_data_show()
Date: Tue, 21 Apr 2026 22:10:10 +0800
Message-ID: <20260421141010.5607-1-patzilla007@gmail.com>
X-Mailer: git-send-email 2.53.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

In ext_prop_data_store(), for unicode property types, the data buffer is allocated via kmemdup() with size 'len', but data_len is inflated to len*2+2 to account for the UTF-16 encoding and a 2-byte null terminator. The null terminator is not actually stored in the data buffer.

When ext_prop_data_show() reads the data back, it computes the read length as data_len >> 1 = len+1, then does memcpy(page, data, len+1), reading 1 byte past the allocated buffer.

This is a slab-out-of-bounds read that leaks 1 byte of adjacent heap data to userspace via configfs.

KASAN report (5.10.252):

  BUG: KASAN: slab-out-of-bounds in ext_prop_data_show+0x4a/0x60
  Read of size 9 at addr ffff888005546008 by task poc/62

  Allocated by task 62:
   kmemdup+0x17/0x40
   ext_prop_data_store+0x52/0x130
   configfs_write_file+0x168/0x200

  The buggy address belongs to the object at ffff888005546008
   which belongs to the cache kmalloc-8 of size 8

Fix by allocating len+1 bytes and null-terminating the buffer, so the extra byte read in show() returns a known-zero byte instead of adjacent slab data.

Fixes: 7419485f197c ("usb: gadget: configfs: OS Extended Properties descriptors support")
Cc: stable@vger.kernel.org
Signed-off-by: Bingquan Chen
---
 drivers/usb/gadget/configfs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
index 183a25f65ac8..a1b2c3d4e5f6 100644
--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c @@ -1352,8 +1352,11 @@ static ssize_t ext_prop_data_store(struct config_item *item, if (page[len - 1] == '\n' || page[len - 1] == '\0') --len; - new_data = kmemdup(page, len, GFP_KERNEL); + new_data = kmalloc(len + 1, GFP_KERNEL); if (!new_data) return -ENOMEM; + memcpy(new_data, page, len); + new_data[len] = '\0'; if (desc->opts_mutex) -- 2.43.0
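Review bot: the hunk only pads the allocation on the store side; ext_prop_data_show() is untouched, so for unicode types it still computes data_len >> 1 == len + 1 and still hands userspace one byte more than was written (now a known NUL rather than slab memory). The mismatch the commit message describes, data_len counting a 2-byte terminator that the buffer never contains, therefore remains, and a later reader of show() can reintroduce the same overread. Consider also correcting the length in ext_prop_data_show() (subtract the 2 terminator bytes before the shift for the unicode types) so the returned size matches the stored data. As a style point, `kmalloc(len + 1, GFP_KERNEL)` followed by `memcpy(new_data, page, len)` and `new_data[len] = '\0'` is exactly what `kmemdup_nul(page, len, GFP_KERNEL)` does, which keeps the change to a one-line replacement of the kmemdup() call. Finally, the post-image blob id `a1b2c3d4e5f6` in the index line looks hand-edited rather than generated by git format-patch; it will not match the tree and defeats `git am -3` fallback, so please regenerate the patch.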
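The length bookkeeping the commit message walks through, modelled in userspace as an added example (constructed here, not the kernel's code or the patch author's): store() mirrors the store-side accounting with and without the patch, show_len() mirrors how show() derives its copy length, and overread() reports how many bytes such a copy would reach beyond the allocation. The struct, enum and function names are assumptions for the model.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical userspace model of the ext_prop length bookkeeping
 * (constructed for illustration, not the kernel's code). Type ids
 * follow the MS OS descriptor registry types the driver uses. */
enum { PROP_UNICODE = 1, PROP_BINARY = 3 };

struct ext_prop {
    int type;
    char *data;        /* heap buffer holding the property value */
    size_t alloc_len;  /* bytes actually allocated, tracked for checking */
    size_t data_len;   /* length as advertised in the descriptor */
};

/* store(): 'fixed' selects the patched allocation (len + 1, NUL-terminated).
 * Either way, for unicode types data_len becomes len*2 + 2 (UTF-16 payload
 * plus a 2-byte terminator) while the buffer itself is never converted. */
int store(struct ext_prop *p, const char *page, size_t len, int fixed)
{
    if (len && (page[len - 1] == '\n' || page[len - 1] == '\0'))
        --len;
    size_t alloc = fixed ? len + 1 : (len ? len : 1);
    char *nd = malloc(alloc);
    if (!nd)
        return -1;
    memcpy(nd, page, len);
    if (fixed)
        nd[len] = '\0';
    free(p->data);
    p->data = nd;
    p->alloc_len = fixed ? len + 1 : len;
    p->data_len = (p->type == PROP_UNICODE) ? len * 2 + 2 : len;
    return 0;
}

/* show() derives its copy length from data_len, halving it for unicode
 * types: (len*2 + 2) >> 1 == len + 1, one byte more than was stored. */
size_t show_len(const struct ext_prop *p)
{
    return (p->type == PROP_UNICODE) ? p->data_len >> 1 : p->data_len;
}

/* Bytes show() would copy from beyond the allocation (0 when in bounds). */
size_t overread(const struct ext_prop *p)
{
    size_t n = show_len(p);
    return n > p->alloc_len ? n - p->alloc_len : 0;
}
```

With the patched allocation the overread drops to zero, but show_len() still returns len + 1, which is the residual mismatch a full fix in show() would remove.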