Re: [PATCH] USB: serial: cypress_m8: fix memory corruption with small endpoint

From: Johan Hovold

Date: Fri May 22 2026 - 10:41:46 EST


On Fri, May 22, 2026 at 10:16:07PM +0800, Cen Zhang wrote:

> I took a closer look at your patch and tested it on top of commit
> 917719c412c4 with KASAN enabled. I applied your patch, rebuilt the
> kernel, and reran the same reproducer I used for the report.
>
> The original reproducer still triggers:
>
> BUG: KASAN: slab-out-of-bounds in cypress_read_int_callback+0x240/0x7f0
> Read of size 1

> I think the reason is that your patch rejects small interrupt-out
> endpoint sizes, but this reproducer has interrupt_out_size = 16, so the
> new check is not hit. The remaining issue is on the read side:
> packet_format_1 reads data[1] before checking that urb->actual_length
> contains the two-byte header.

Sorry if it wasn't clear but my patch isn't meant to replace yours as it
fixes a separate issue (introduced by the same commit).

> I also tested a variant with interrupt-out wMaxPacketSize = 1. Your
> patch rejects that device during port probe with -EINVAL before ttyUSB0
> is exposed, so the new check works for that endpoint-size case.

Thanks for testing it.

> Please let me know if I missed anything in the test setup or in the
> analysis above. I am happy to help test another version, or send a
> follow-up patch for cypress_read_int_callback() using your earlier
> comments if that would be useful.

I'm hoping you can send me a v2 of your fix.

Johan
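
The read-side ordering problem described in the quoted report (reading data[1] before confirming that urb->actual_length covers the two-byte header) can be shown with a userspace model. This is an added example, not part of the thread and not the driver's code: parse_format1(), struct frame, the result codes, and the header layout (status byte, then payload-length byte) are assumptions made for illustration, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for this model: byte 0 = status, byte 1 = payload length. */
#define HDR_LEN 2u

enum parse_result { PARSE_OK = 0, PARSE_SHORT_HEADER = -1, PARSE_TRUNCATED = -2 };

struct frame {
    uint8_t status;
    const uint8_t *payload;
    size_t payload_len;
};

/* data/buf_len model the transfer buffer; actual_len models
 * urb->actual_length, i.e. the bytes the device really sent. */
static int parse_format1(const uint8_t *data, size_t buf_len,
                         size_t actual_len, struct frame *out)
{
    size_t declared;

    if (actual_len > buf_len)       /* never look past the buffer we own */
        actual_len = buf_len;
    if (actual_len < HDR_LEN)       /* must pass before data[1] is read */
        return PARSE_SHORT_HEADER;

    declared = data[1];
    if (declared > actual_len - HDR_LEN)  /* device-declared length must fit */
        return PARSE_TRUNCATED;

    out->status = data[0];
    out->payload = data + HDR_LEN;
    out->payload_len = declared;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed samples: 1-byte transfer, over-long claim, valid frame. */
    const uint8_t one[1] = { 0x10 };
    const uint8_t lie[3] = { 0x10, 5, 0xAA };
    const uint8_t ok[4]  = { 0x18, 2, 'h', 'i' };
    struct frame f;

    printf("%d\n", parse_format1(one, sizeof one, sizeof one, &f));
    printf("%d\n", parse_format1(lie, sizeof lie, sizeof lie, &f));
    printf("%d\n", parse_format1(ok, sizeof ok, sizeof ok, &f));
    return 0;
}
```

The one-byte transfer is the case the KASAN report corresponds to: without the header check, data[1] is read from outside the received data.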