From: Bingquan Chen
To: Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, security@kernel.org, Bingquan Chen
Subject: [PATCH v2] usb: gadget: configfs: fix OOB read in ext_prop_data_show()
Date: Wed, 22 Apr 2026 10:39:19 +0800
Message-ID: <20260422023919.37588-1-patzilla007@gmail.com>
X-Mailer: git-send-email 2.53.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

In ext_prop_data_store(), for unicode property types, the data buffer is
allocated via kmemdup() with size 'len', but data_len is set to len*2+2
to account for the UTF-16 encoding and a 2-byte null terminator, as
required by the Microsoft OS Extended Properties Descriptor
specification (dwPropertyDataLength must include the terminator).

However, the null terminator is never actually stored in the data
buffer. When ext_prop_data_show() reads the data back, it computes the
read length as data_len >> 1 = len+1, then does memcpy(page, data,
len+1), reading 1 byte past the allocated buffer.

This is a slab-out-of-bounds read that leaks 1 byte of adjacent heap
data to userspace via configfs.

KASAN report (5.10.252):

  BUG: KASAN: slab-out-of-bounds in ext_prop_data_show+0x4a/0x60
  Read of size 9 at addr ffff888005546008 by task poc/62

  Allocated by task 62:
   kmemdup+0x17/0x40
   ext_prop_data_store+0x52/0x130
   configfs_write_file+0x168/0x200

  The buggy address belongs to the object at ffff888005546008
   which belongs to the cache kmalloc-8 of size 8

Fix by allocating len+2 bytes and explicitly zero-terminating with a
full 2-byte UTF-16 null terminator. This ensures the buffer fully
matches the dwPropertyDataLength semantics (len*2+2) while eliminating
the OOB read.

Fixes: 7419485f197c ("usb: gadget: configfs: OS Extended Properties descriptors support")
Cc: stable@vger.kernel.org
Signed-off-by: Bingquan Chen --- drivers/usb/gadget/configfs.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c index 183a25f65ac8..b2c3d4e5f6a7 100644 --- a/drivers/usb/gadget/configfs.c +++ b/drivers/usb/gadget/configfs.c @@ -1352,8 +1352,12 @@ static ssize_t ext_prop_data_store(struct config_item *item, if (page[len - 1] == '\n' || page[len - 1] == '\0') --len; - new_data = kmemdup(page, len, GFP_KERNEL); + new_data = kmalloc(len + 2, GFP_KERNEL); if (!new_data) return -ENOMEM; + memcpy(new_data, page, len); + new_data[len] = '\0'; + new_data[len + 1] = '\0'; if (desc->opts_mutex) -- 2.43.0
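Review bot: the hunk closes the OOB read, but per the description ext_prop_data_show() still copies data_len >> 1 = len+1 bytes for unicode types, so after this change the configfs read returns the stored bytes plus the first terminator byte rather than round-tripping what was written; either adjust the show path to copy (data_len - 2) >> 1 for the unicode types in a follow-up, or state in the commit message that the trailing NUL in the read-back is intended. Two smaller points on the same hunk: the `kmalloc(len + 2, ...)` and the two terminator stores are now applied for every property type, not only the unicode ones the description talks about (harmless, two spare bytes, but worth a sentence in the log), and `kzalloc(len + 2, GFP_KERNEL)` followed by the `memcpy(new_data, page, len)` would give the same zero-terminated buffer without the two explicit `new_data[len] = '\0'; new_data[len + 1] = '\0';` lines.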
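Added example (not the kernel's code, and not part of the patch): a userspace model of the size arithmetic the commit message describes, with `model_store()` selectable between the old `kmemdup(page, len)` allocation and the patched `len + 2` one, and a `model_show()` that checks the read against the tracked allocation instead of performing it. Names, the 64-byte page and the input string are constructed for the example; the `len == 8` case mirrors the KASAN report's "Read of size 9" from a kmalloc-8 object.

```c
/* Added userspace model of the ext_prop store/show size arithmetic described in
 * the patch, not kernel code; alloc_len lets show refuse the out-of-bounds read. */
#include <stdlib.h>
#include <string.h>

struct ext_prop_model {
	unsigned char *data;  /* what kmemdup()/kmalloc() returned */
	size_t alloc_len;     /* bytes allocated (kept here only for the check) */
	size_t data_len;      /* dwPropertyDataLength: len*2+2 for unicode types */
};

/* Unicode-type store. fixed == 0: the old kmemdup(page, len) path;
 * fixed != 0: kmalloc(len + 2) plus a 2-byte UTF-16 NUL terminator. */
static int model_store(struct ext_prop_model *p, const char *page, size_t len, int fixed)
{
	size_t alloc = fixed ? len + 2 : len;
	unsigned char *buf = malloc(alloc);
	if (!buf) return -1;
	memcpy(buf, page, len);
	if (fixed)
		buf[len] = buf[len + 1] = '\0';
	free(p->data);
	p->data = buf;
	p->alloc_len = alloc;
	p->data_len = len * 2 + 2;
	return 0;
}

/* Show path: copies data_len >> 1 bytes. Where the kernel memcpy()s blindly,
 * this returns -1 if the copy would read past the allocation. */
static long model_show(const struct ext_prop_model *p, unsigned char *page)
{
	size_t n = p->data_len >> 1;
	if (n > p->alloc_len) return -1;
	memcpy(page, p->data, n);
	return (long)n;
}

/* Store then show 'len' bytes of constructed input; returns model_show()'s result. */
static long run_case(size_t len, int fixed)
{
	struct ext_prop_model p = { 0 };
	unsigned char page[64];
	const char *in = "0123456789abcdef";  /* constructed property data */
	if (len == 0 || len > 16 || model_store(&p, in, len, fixed))
		return -2;
	long r = model_show(&p, page);
	free(p.data);
	return r;
}
```

With the old allocation every length fails the check (the read is always one byte past the end); with the patched allocation the show path copies len+1 bytes, which is the terminator-inclusive length the reviewer note above discusses.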