[PATCH] USB: serial: io_ti: fix heap overflows in get_manuf_info() and build_i2c_fw_hdr()

[PATCH] USB: serial: io_ti: fix heap overflows in get_manuf_info() and build_i2c_fw_hdr()

[Adrian Korwel]

Two heap overflows exist in this driver:

1. get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the
   device I2C EEPROM into a buffer allocated with kmalloc_obj(), which
   is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.

   The Size field comes from the device and is only validated to fit
   within TI_MAX_I2C_SIZE (16384 bytes), not against the destination
   buffer size. A malicious USB device can therefore set Size to any
   value up to 16383, causing a heap overflow of up to 16373 bytes
   when plugged into a host running this driver.

   valid_csum() is called after read_rom() and also iterates
   buffer[0..Size-1], compounding the out-of-bounds access.

   Fix by rejecting descriptors larger than the destination struct
   before calling read_rom().

2. build_i2c_fw_hdr() allocates a fixed-size buffer of
   (16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then
   copies le16_to_cpu(img_header->Length) bytes into it without
   validating that Length fits within the available space after the
   firmware record header. img_header->Length is a __le16 from the
   firmware file and can be up to 65535. check_fw_sanity() validates
   the total firmware size but not img_header->Length specifically.

   Fix by rejecting images where img_header->Length exceeds the
   available destination space.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Korwel <adriank20047@gmail.com>
---
 drivers/usb/serial/io_ti.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
index cb55370e036f..afe29fdf9536 100644
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -773,6 +773,12 @@ static int get_manuf_info(struct edgeport_serial
*serial, u8 *buffer)
        }

        /* Read the descriptor data */
+       if (le16_to_cpu(rom_desc->Size) > sizeof(struct
edge_ti_manuf_descriptor)) {
+               dev_err(dev, "%s - descriptor too large: %u\n", __func__,
+                       le16_to_cpu(rom_desc->Size));
+               status = -EINVAL;
+               goto exit;
+       }
        status = read_rom(serial, start_address+sizeof(struct ti_i2c_desc),
                                        le16_to_cpu(rom_desc->Size), buffer);
        if (status)
@@ -838,6 +844,11 @@ static int build_i2c_fw_hdr(u8 *header, const
struct firmware *fw)
        /* Pointer to fw_down memory image */
        img_header = (struct ti_i2c_image_header *)&fw->data[4];

+       if (le16_to_cpu(img_header->Length) >
+                       buffer_size - sizeof(struct ti_i2c_firmware_rec)) {
+               kfree(buffer);
+               return -EINVAL;
+       }
        memcpy(buffer + sizeof(struct ti_i2c_firmware_rec),
                &fw->data[4 + sizeof(struct ti_i2c_image_header)],
                le16_to_cpu(img_header->Length));
-- 
2.43.0

Re: [PATCH] USB: serial: io_ti: fix heap overflows in get_manuf_info() and build_i2c_fw_hdr()

[Greg KH]

On Sun, May 24, 2026 at 09:20:51PM -0500, Adrian Korwel wrote:
> Two heap overflows exist in this driver:
> 
> 1. get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the
>    device I2C EEPROM into a buffer allocated with kmalloc_obj(), which
>    is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.
> 
>    The Size field comes from the device and is only validated to fit
>    within TI_MAX_I2C_SIZE (16384 bytes), not against the destination
>    buffer size. A malicious USB device can therefore set Size to any
>    value up to 16383, causing a heap overflow of up to 16373 bytes
>    when plugged into a host running this driver.
> 
>    valid_csum() is called after read_rom() and also iterates
>    buffer[0..Size-1], compounding the out-of-bounds access.
> 
>    Fix by rejecting descriptors larger than the destination struct
>    before calling read_rom().
> 
> 2. build_i2c_fw_hdr() allocates a fixed-size buffer of
>    (16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then
>    copies le16_to_cpu(img_header->Length) bytes into it without
>    validating that Length fits within the available space after the
>    firmware record header. img_header->Length is a __le16 from the
>    firmware file and can be up to 65535. check_fw_sanity() validates
>    the total firmware size but not img_header->Length specifically.

Should be 2 patches, right?

> 
>    Fix by rejecting images where img_header->Length exceeds the
>    available destination space.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Adrian Korwel <adriank20047@gmail.com>

What tool found and fixed these issues?

> ---
>  drivers/usb/serial/io_ti.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
> index cb55370e036f..afe29fdf9536 100644
> --- a/drivers/usb/serial/io_ti.c
> +++ b/drivers/usb/serial/io_ti.c
> @@ -773,6 +773,12 @@ static int get_manuf_info(struct edgeport_serial
> *serial, u8 *buffer)
>         }
> 
>         /* Read the descriptor data */
> +       if (le16_to_cpu(rom_desc->Size) > sizeof(struct
> edge_ti_manuf_descriptor)) {

Your patch is corrupted and can not be applied :(

thanks,

greg k-h

Re: [PATCH] USB: serial: io_ti: fix heap overflows in get_manuf_info() and build_i2c_fw_hdr()

[Adrian Korwel]

On Mon, May 26, 2026 at 12:57AM, Greg KH wrote:
> Should be 2 patches, right?
> What tool found and fixed these issues?
> Your patch is corrupted and can not be applied :(

Apologies for the issues. I will send a v2 as two separate patches.

These issues were found by manual code review — auditing USB serial
drivers for unvalidated device-controlled length fields used in
kmalloc or memcpy without bounds checking against the destination
buffer size.

No automated tool was involved.

On Mon, May 25, 2026 at 12:57 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Sun, May 24, 2026 at 09:20:51PM -0500, Adrian Korwel wrote:
> > Two heap overflows exist in this driver:
> >
> > 1. get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the
> >    device I2C EEPROM into a buffer allocated with kmalloc_obj(), which
> >    is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.
> >
> >    The Size field comes from the device and is only validated to fit
> >    within TI_MAX_I2C_SIZE (16384 bytes), not against the destination
> >    buffer size. A malicious USB device can therefore set Size to any
> >    value up to 16383, causing a heap overflow of up to 16373 bytes
> >    when plugged into a host running this driver.
> >
> >    valid_csum() is called after read_rom() and also iterates
> >    buffer[0..Size-1], compounding the out-of-bounds access.
> >
> >    Fix by rejecting descriptors larger than the destination struct
> >    before calling read_rom().
> >
> > 2. build_i2c_fw_hdr() allocates a fixed-size buffer of
> >    (16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then
> >    copies le16_to_cpu(img_header->Length) bytes into it without
> >    validating that Length fits within the available space after the
> >    firmware record header. img_header->Length is a __le16 from the
> >    firmware file and can be up to 65535. check_fw_sanity() validates
> >    the total firmware size but not img_header->Length specifically.
>
> Should be 2 patches, right?
>
> >
> >    Fix by rejecting images where img_header->Length exceeds the
> >    available destination space.
> >
> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Adrian Korwel <adriank20047@gmail.com>
>
> What tool found and fixed these issues?
>
> > ---
> >  drivers/usb/serial/io_ti.c | 11 +++++++++++
> >  1 file changed, 11 insertions(+)
> >
> > diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
> > index cb55370e036f..afe29fdf9536 100644
> > --- a/drivers/usb/serial/io_ti.c
> > +++ b/drivers/usb/serial/io_ti.c
> > @@ -773,6 +773,12 @@ static int get_manuf_info(struct edgeport_serial
> > *serial, u8 *buffer)
> >         }
> >
> >         /* Read the descriptor data */
> > +       if (le16_to_cpu(rom_desc->Size) > sizeof(struct
> > edge_ti_manuf_descriptor)) {
>
> Your patch is corrupted and can not be applied :(
>
> thanks,
>
> greg k-h

[PATCH 1/2] USB: serial: io_ti: fix heap overflow in get_manuf_info()

[Adrian Korwel]

get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the
device I2C EEPROM into a buffer allocated with kmalloc_obj(), which
is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.

The Size field comes from the device and is only validated to fit
within TI_MAX_I2C_SIZE (16384 bytes), not against the destination
buffer size. A malicious USB device can therefore set Size to any
value up to 16383, causing a heap overflow of up to 16373 bytes
when plugged into a host running this driver.

valid_csum() is called after read_rom() and also iterates
buffer[0..Size-1], compounding the out-of-bounds access.

Fix by rejecting descriptors larger than the destination struct
before calling read_rom().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Korwel <adriank20047@gmail.com>
---
 drivers/usb/serial/io_ti.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
index cb55370e036f..a35409bd766c 100644
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -773,6 +773,12 @@ static int get_manuf_info(struct edgeport_serial *serial, u8 *buffer)
 	}
 
 	/* Read the descriptor data */
+	if (le16_to_cpu(rom_desc->Size) > sizeof(struct edge_ti_manuf_descriptor)) {
+		dev_err(dev, "%s - descriptor too large: %u\n", __func__,
+			le16_to_cpu(rom_desc->Size));
+		status = -EINVAL;
+		goto exit;
+	}
 	status = read_rom(serial, start_address+sizeof(struct ti_i2c_desc),
 					le16_to_cpu(rom_desc->Size), buffer);
 	if (status)
-- 
2.43.0

[PATCH 2/2] USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()

[Adrian Korwel]

build_i2c_fw_hdr() allocates a fixed-size buffer of
(16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then
copies le16_to_cpu(img_header->Length) bytes into it without
validating that Length fits within the available space after the
firmware record header.

img_header->Length is a __le16 from the firmware file and can be
up to 65535. check_fw_sanity() validates the total firmware size
but not img_header->Length specifically.

Fix by rejecting images where img_header->Length exceeds the
available destination space.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Korwel <adriank20047@gmail.com>
---
 drivers/usb/serial/io_ti.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
index a35409bd766c..afe29fdf9536 100644
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -844,6 +844,11 @@ static int build_i2c_fw_hdr(u8 *header, const struct firmware *fw)
 	/* Pointer to fw_down memory image */
 	img_header = (struct ti_i2c_image_header *)&fw->data[4];
 
+	if (le16_to_cpu(img_header->Length) >
+			buffer_size - sizeof(struct ti_i2c_firmware_rec)) {
+		kfree(buffer);
+		return -EINVAL;
+	}
 	memcpy(buffer + sizeof(struct ti_i2c_firmware_rec),
 		&fw->data[4 + sizeof(struct ti_i2c_image_header)],
 		le16_to_cpu(img_header->Length));
-- 
2.43.0