From: Greg KH <gregkh@linuxfoundation.org>
To: Adrian Korwel <adriank20047@gmail.com>
Cc: linux-usb@vger.kernel.org, johan@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] USB: serial: io_ti: fix heap overflows in get_manuf_info() and build_i2c_fw_hdr()
Date: Mon, 25 May 2026 07:57:00 +0200 [thread overview]
Message-ID: <2026052525-devotee-reclaim-7673@gregkh> (raw)
In-Reply-To: <CADgB2mF95N09=gOvBZ+4ePSQ-0wCynx-rbu=aiyQecT=iDdyRw@mail.gmail.com>
On Sun, May 24, 2026 at 09:20:51PM -0500, Adrian Korwel wrote:
> Two heap overflows exist in this driver:
>
> 1. get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the
> device I2C EEPROM into a buffer allocated with kmalloc_obj(), which
> is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.
>
> The Size field comes from the device and is only validated to fit
> within TI_MAX_I2C_SIZE (16384 bytes), not against the destination
> buffer size. A malicious USB device can therefore set Size to any
> value up to 16383, causing a heap overflow of up to 16373 bytes
> when plugged into a host running this driver.
>
> valid_csum() is called after read_rom() and also iterates
> buffer[0..Size-1], compounding the out-of-bounds access.
>
> Fix by rejecting descriptors larger than the destination struct
> before calling read_rom().
>
> 2. build_i2c_fw_hdr() allocates a fixed-size buffer of
> (16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then
> copies le16_to_cpu(img_header->Length) bytes into it without
> validating that Length fits within the available space after the
> firmware record header. img_header->Length is a __le16 from the
> firmware file and can be up to 65535. check_fw_sanity() validates
> the total firmware size but not img_header->Length specifically.
Should be 2 patches, right?
>
> Fix by rejecting images where img_header->Length exceeds the
> available destination space.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Adrian Korwel <adriank20047@gmail.com>
What tool found and fixed these issues?
> ---
> drivers/usb/serial/io_ti.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
> index cb55370e036f..afe29fdf9536 100644
> --- a/drivers/usb/serial/io_ti.c
> +++ b/drivers/usb/serial/io_ti.c
> @@ -773,6 +773,12 @@ static int get_manuf_info(struct edgeport_serial
> *serial, u8 *buffer)
> }
>
> /* Read the descriptor data */
> + if (le16_to_cpu(rom_desc->Size) > sizeof(struct
> edge_ti_manuf_descriptor)) {
Your patch is corrupted and can not be applied :(
thanks,
greg k-h
next prev parent reply other threads:[~2026-05-25 5:57 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-25 2:20 [PATCH] USB: serial: io_ti: fix heap overflows in get_manuf_info() and build_i2c_fw_hdr() Adrian Korwel
2026-05-25 5:57 ` Greg KH [this message]
2026-05-25 14:41 ` Adrian Korwel
2026-05-25 14:58 ` [PATCH 1/2] USB: serial: io_ti: fix heap overflow in get_manuf_info() Adrian Korwel
2026-05-25 14:58 ` [PATCH 2/2] USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() Adrian Korwel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026052525-devotee-reclaim-7673@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=adriank20047@gmail.com \
--cc=johan@kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox