* [PATCH] Input: ims-pcu - fix heap-buffer-overflow in ims_pcu_process_data()
@ 2025-12-19 22:34 pip-izony
2025-12-19 23:36 ` Dmitry Torokhov
0 siblings, 1 reply; 5+ messages in thread
From: pip-izony @ 2025-12-19 22:34 UTC (permalink / raw)
To: Dmitry Torokhov
Cc: Seungjin Bae, Kyungtae Kim, Sanghoon Choi, Dan Carpenter,
linux-input, linux-kernel
From: Seungjin Bae <eeodqql09@gmail.com>
The `ims_pcu_process_data()` processes incoming URB data byte by byte.
However, it fails to check if the `read_pos` index exceeds
IMS_PCU_BUF_SIZE.
If a malicious USB device sends a packet larger than IMS_PCU_BUF_SIZE,
`read_pos` will increment indefinitely. Moreover, since `read_pos` is
located immediately after `read_buf`, the attacker can overwrite
`read_pos` itself to arbitrarily control the index.
This manipulated `read_pos` is subsequently used in
`ims_pcu_handle_response()` to copy data into `cmd_buf`, leading to a
heap buffer overflow.
Specifically, an attacker can overwrite the `cmd_done.wait.head` located
at offset 136 relative to `cmd_buf` in the `ims_pcu_handle_response()`.
Consequently, when the driver calls `complete(&pcu->cmd_done)`, it
triggers a control flow hijack by using the manipulated pointer.
Fix this by adding a bounds check for `read_pos` before writing to
`read_buf`.
Fixes: 628329d524743 ("Input: add IMS Passenger Control Unit driver")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
drivers/input/misc/ims-pcu.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
index 4581f1c53644..402bf03ca8f6 100644
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -451,7 +451,8 @@ static void ims_pcu_process_data(struct ims_pcu *pcu, struct urb *urb)
if (pcu->have_dle) {
pcu->have_dle = false;
- pcu->read_buf[pcu->read_pos++] = data;
+ if (pcu->read_pos < IMS_PCU_BUF_SIZE)
+ pcu->read_buf[pcu->read_pos++] = data;
pcu->check_sum += data;
continue;
}
@@ -491,7 +492,8 @@ static void ims_pcu_process_data(struct ims_pcu *pcu, struct urb *urb)
break;
default:
- pcu->read_buf[pcu->read_pos++] = data;
+ if (pcu->read_pos < IMS_PCU_BUF_SIZE)
+ pcu->read_buf[pcu->read_pos++] = data;
pcu->check_sum += data;
break;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH] Input: ims-pcu - fix heap-buffer-overflow in ims_pcu_process_data()
2025-12-19 22:34 [PATCH] Input: ims-pcu - fix heap-buffer-overflow in ims_pcu_process_data() pip-izony
@ 2025-12-19 23:36 ` Dmitry Torokhov
2025-12-20 0:24 ` [PATCH v2] " pip-izony
0 siblings, 1 reply; 5+ messages in thread
From: Dmitry Torokhov @ 2025-12-19 23:36 UTC (permalink / raw)
To: pip-izony
Cc: Kyungtae Kim, Sanghoon Choi, Dan Carpenter, linux-input,
linux-kernel
Hi Seungjin,
On Fri, Dec 19, 2025 at 05:34:18PM -0500, pip-izony wrote:
> From: Seungjin Bae <eeodqql09@gmail.com>
>
> The `ims_pcu_process_data()` processes incoming URB data byte by byte.
> However, it fails to check if the `read_pos` index exceeds
> IMS_PCU_BUF_SIZE.
>
> If a malicious USB device sends a packet larger than IMS_PCU_BUF_SIZE,
> `read_pos` will increment indefinitely. Moreover, since `read_pos` is
> located immediately after `read_buf`, the attacker can overwrite
> `read_pos` itself to arbitrarily control the index.
>
> This manipulated `read_pos` is subsequently used in
> `ims_pcu_handle_response()` to copy data into `cmd_buf`, leading to a
> heap buffer overflow.
>
> Specifically, an attacker can overwrite the `cmd_done.wait.head` located
> at offset 136 relative to `cmd_buf` in the `ims_pcu_handle_response()`.
> Consequently, when the driver calls `complete(&pcu->cmd_done)`, it
> triggers a control flow hijack by using the manipulated pointer.
>
> Fix this by adding a bounds check for `read_pos` before writing to
> `read_buf`.
>
> Fixes: 628329d524743 ("Input: add IMS Passenger Control Unit driver")
> Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
> ---
> drivers/input/misc/ims-pcu.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
> index 4581f1c53644..402bf03ca8f6 100644
> --- a/drivers/input/misc/ims-pcu.c
> +++ b/drivers/input/misc/ims-pcu.c
> @@ -451,7 +451,8 @@ static void ims_pcu_process_data(struct ims_pcu *pcu, struct urb *urb)
>
> if (pcu->have_dle) {
> pcu->have_dle = false;
> - pcu->read_buf[pcu->read_pos++] = data;
> + if (pcu->read_pos < IMS_PCU_BUF_SIZE)
> + pcu->read_buf[pcu->read_pos++] = data;
I think we might want a warning if we're overflowing the buffer.
> pcu->check_sum += data;
I don't think we should be adding the discarded bytes to the checksum.
Or maybe we should reset the state of the parser, discarding bad (too
large) packet.
> continue;
> }
> @@ -491,7 +492,8 @@ static void ims_pcu_process_data(struct ims_pcu *pcu, struct urb *urb)
> break;
>
> default:
> - pcu->read_buf[pcu->read_pos++] = data;
> + if (pcu->read_pos < IMS_PCU_BUF_SIZE)
> + pcu->read_buf[pcu->read_pos++] = data;
> pcu->check_sum += data;
> break;
> }
Thanks.
--
Dmitry
^ permalink raw reply [flat|nested] 5+ messages in thread* [PATCH v2] Input: ims-pcu - fix heap-buffer-overflow in ims_pcu_process_data()
2025-12-19 23:36 ` Dmitry Torokhov
@ 2025-12-20 0:24 ` pip-izony
2025-12-21 21:14 ` [PATCH v3] " pip-izony
0 siblings, 1 reply; 5+ messages in thread
From: pip-izony @ 2025-12-20 0:24 UTC (permalink / raw)
To: Dmitry Torokhov
Cc: Seungjin Bae, Kyungtae Kim, Sanghoon Choi, Dan Carpenter,
linux-input, linux-kernel
From: Seungjin Bae <eeodqql09@gmail.com>
The `ims_pcu_process_data()` processes incoming URB data byte by byte.
However, it fails to check if the `read_pos` index exceeds
IMS_PCU_BUF_SIZE.
If a malicious USB device sends a packet larger than IMS_PCU_BUF_SIZE,
`read_pos` will increment indefinitely. Moreover, since `read_pos` is
located immediately after `read_buf`, the attacker can overwrite
`read_pos` itself to arbitrarily control the index.
This manipulated `read_pos` is subsequently used in
`ims_pcu_handle_response()` to copy data into `cmd_buf`, leading to a
heap buffer overflow.
Specifically, an attacker can overwrite the `cmd_done.wait.head` located
at offset 136 relative to `cmd_buf` in the `ims_pcu_handle_response()`.
Consequently, when the driver calls `complete(&pcu->cmd_done)`, it
triggers a control flow hijack by using the manipulated pointer.
Fix this by adding a bounds check for `read_pos` before writing to
`read_buf`. If the packet is too long, discard it, log a warining,
and reset the parser state.
Fixes: 628329d524743 ("Input: add IMS Passenger Control Unit driver")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
v1 -> v2: Add warning and reset the state of the parser for bad packet
drivers/input/misc/ims-pcu.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
index 4581f1c53644..c98ef71c841e 100644
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -450,6 +450,16 @@ static void ims_pcu_process_data(struct ims_pcu *pcu, struct urb *urb)
continue;
if (pcu->have_dle) {
+ if (pcu->read_pos >= IMS_PCU_BUF_SIZE) {
+ dev_warn(pcu->dev,
+ "Packet too long (%d bytes), discarding\n",
+ pcu->read_pos);
+ pcu->have_stx = false;
+ pcu->have_dle = false;
+ pcu->read_pos = 0;
+ continue;
+ }
+
pcu->have_dle = false;
pcu->read_buf[pcu->read_pos++] = data;
pcu->check_sum += data;
@@ -491,6 +501,16 @@ static void ims_pcu_process_data(struct ims_pcu *pcu, struct urb *urb)
break;
default:
+ if (pcu->read_pos >= IMS_PCU_BUF_SIZE) {
+ dev_warn(pcu->dev,
+ "Packet too long (%d bytes), discarding\n",
+ pcu->read_pos);
+ pcu->have_stx = false;
+ pcu->have_dle = false;
+ pcu->read_pos = 0;
+ continue;
+ }
+
pcu->read_buf[pcu->read_pos++] = data;
pcu->check_sum += data;
break;
--
2.43.0
^ permalink raw reply related [flat|nested] 5+ messages in thread* [PATCH v3] Input: ims-pcu - fix heap-buffer-overflow in ims_pcu_process_data()
2025-12-20 0:24 ` [PATCH v2] " pip-izony
@ 2025-12-21 21:14 ` pip-izony
2026-04-08 16:53 ` Dmitry Torokhov
0 siblings, 1 reply; 5+ messages in thread
From: pip-izony @ 2025-12-21 21:14 UTC (permalink / raw)
To: Dmitry Torokhov
Cc: Seungjin Bae, Kyungtae Kim, Sanghoon Choi, Dan Carpenter,
linux-input, linux-kernel
From: Seungjin Bae <eeodqql09@gmail.com>
The `ims_pcu_process_data()` processes incoming URB data byte by byte.
However, it fails to check if the `read_pos` index exceeds
IMS_PCU_BUF_SIZE.
If a malicious USB device sends a packet larger than IMS_PCU_BUF_SIZE,
`read_pos` will increment indefinitely. Moreover, since `read_pos` is
located immediately after `read_buf`, the attacker can overwrite
`read_pos` itself to arbitrarily control the index.
This manipulated `read_pos` is subsequently used in
`ims_pcu_handle_response()` to copy data into `cmd_buf`, leading to a
heap buffer overflow.
Specifically, an attacker can overwrite the `cmd_done.wait.head` located
at offset 136 relative to `cmd_buf` in the `ims_pcu_handle_response()`.
Consequently, when the driver calls `complete(&pcu->cmd_done)`, it
triggers a control flow hijack by using the manipulated pointer.
Fix this by adding a bounds check for `read_pos` before writing to
`read_buf`. If the packet is too long, discard it, log a warning,
and reset the parser state.
Fixes: 628329d524743 ("Input: add IMS Passenger Control Unit driver")
Co-developed-by: Sanghoon Choi <csh0052@gmail.com>
Signed-off-by: Sanghoon Choi <csh0052@gmail.com>
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
v1 -> v2: Add warning and reset the state of the parser for bad packet
v2 -> v3: Add co-author information
drivers/input/misc/ims-pcu.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
index 4581f1c53644..c98ef71c841e 100644
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -450,6 +450,16 @@ static void ims_pcu_process_data(struct ims_pcu *pcu, struct urb *urb)
continue;
if (pcu->have_dle) {
+ if (pcu->read_pos >= IMS_PCU_BUF_SIZE) {
+ dev_warn(pcu->dev,
+ "Packet too long (%d bytes), discarding\n",
+ pcu->read_pos);
+ pcu->have_stx = false;
+ pcu->have_dle = false;
+ pcu->read_pos = 0;
+ continue;
+ }
+
pcu->have_dle = false;
pcu->read_buf[pcu->read_pos++] = data;
pcu->check_sum += data;
@@ -491,6 +501,16 @@ static void ims_pcu_process_data(struct ims_pcu *pcu, struct urb *urb)
break;
default:
+ if (pcu->read_pos >= IMS_PCU_BUF_SIZE) {
+ dev_warn(pcu->dev,
+ "Packet too long (%d bytes), discarding\n",
+ pcu->read_pos);
+ pcu->have_stx = false;
+ pcu->have_dle = false;
+ pcu->read_pos = 0;
+ continue;
+ }
+
pcu->read_buf[pcu->read_pos++] = data;
pcu->check_sum += data;
break;
--
2.43.0
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH v3] Input: ims-pcu - fix heap-buffer-overflow in ims_pcu_process_data()
2025-12-21 21:14 ` [PATCH v3] " pip-izony
@ 2026-04-08 16:53 ` Dmitry Torokhov
0 siblings, 0 replies; 5+ messages in thread
From: Dmitry Torokhov @ 2026-04-08 16:53 UTC (permalink / raw)
To: pip-izony
Cc: Kyungtae Kim, Sanghoon Choi, Dan Carpenter, linux-input,
linux-kernel
Hi,
On Sun, Dec 21, 2025 at 04:14:42PM -0500, pip-izony wrote:
> From: Seungjin Bae <eeodqql09@gmail.com>
>
> The `ims_pcu_process_data()` processes incoming URB data byte by byte.
> However, it fails to check if the `read_pos` index exceeds
> IMS_PCU_BUF_SIZE.
>
> If a malicious USB device sends a packet larger than IMS_PCU_BUF_SIZE,
> `read_pos` will increment indefinitely. Moreover, since `read_pos` is
> located immediately after `read_buf`, the attacker can overwrite
> `read_pos` itself to arbitrarily control the index.
>
> This manipulated `read_pos` is subsequently used in
> `ims_pcu_handle_response()` to copy data into `cmd_buf`, leading to a
> heap buffer overflow.
>
> Specifically, an attacker can overwrite the `cmd_done.wait.head` located
> at offset 136 relative to `cmd_buf` in the `ims_pcu_handle_response()`.
> Consequently, when the driver calls `complete(&pcu->cmd_done)`, it
> triggers a control flow hijack by using the manipulated pointer.
>
> Fix this by adding a bounds check for `read_pos` before writing to
> `read_buf`. If the packet is too long, discard it, log a warning,
> and reset the parser state.
>
> Fixes: 628329d524743 ("Input: add IMS Passenger Control Unit driver")
> Co-developed-by: Sanghoon Choi <csh0052@gmail.com>
> Signed-off-by: Sanghoon Choi <csh0052@gmail.com>
> Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
> ---
> v1 -> v2: Add warning and reset the state of the parser for bad packet
> v2 -> v3: Add co-author information
>
> drivers/input/misc/ims-pcu.c | 20 ++++++++++++++++++++
> 1 file changed, 20 insertions(+)
>
> diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
> index 4581f1c53644..c98ef71c841e 100644
> --- a/drivers/input/misc/ims-pcu.c
> +++ b/drivers/input/misc/ims-pcu.c
> @@ -450,6 +450,16 @@ static void ims_pcu_process_data(struct ims_pcu *pcu, struct urb *urb)
> continue;
>
> if (pcu->have_dle) {
> + if (pcu->read_pos >= IMS_PCU_BUF_SIZE) {
> + dev_warn(pcu->dev,
> + "Packet too long (%d bytes), discarding\n",
> + pcu->read_pos);
> + pcu->have_stx = false;
> + pcu->have_dle = false;
> + pcu->read_pos = 0;
Here and in the other place we also need to reset checksum, otherwise a
valid packet might get rejected.
I factored out the code resetting packet state and applied, thanks.
--
Dmitry
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-04-08 16:53 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-12-19 22:34 [PATCH] Input: ims-pcu - fix heap-buffer-overflow in ims_pcu_process_data() pip-izony
2025-12-19 23:36 ` Dmitry Torokhov
2025-12-20 0:24 ` [PATCH v2] " pip-izony
2025-12-21 21:14 ` [PATCH v3] " pip-izony
2026-04-08 16:53 ` Dmitry Torokhov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox