Re: [PATCH] USB: serial: belkin_sa: validate interrupt status length

From: Cen Zhang

Date: Mon May 18 2026 - 09:41:13 EST


Hi Johan,

Thanks for reviewing this.

On Mon, May 18, 2026 at 01:07:05PM +0200, Johan Hovold wrote:

> How was this issue found? Are you using some kind of static checker or
> LLM?

The initial lead came from an LLM-assisted local audit, not from a
dedicated static checker. I then checked this path manually and validated
the issue under KASAN with a small dummy_hcd/raw_gadget setup.

The reproducer emulates a Belkin 050d:0103-compatible device with one
interrupt-in endpoint whose wMaxPacketSize is 3. After belkin_sa bound and
ttyUSB0 was opened once, the raw_gadget side completed 3-byte interrupt
packets.

The relevant part of the KASAN report is below:

BUG: KASAN: slab-out-of-bounds in belkin_sa_read_int_callback+0xd3/0x290
Read of size 1 at addr ffff8881029d2c43

with the callback reached from URB completion:

belkin_sa_read_int_callback+0xd3/0x290
__usb_hcd_giveback_urb+0x112/0x1d0
dummy_timer+0xaaa/0x19a0
__hrtimer_run_queues+0x102/0x510
hrtimer_run_softirq+0xd0/0x130
handle_softirqs+0x155/0x650

> You only need to verify urb->actual_length here (as actual_length <=
> transfer_buffer_length).

Agreed, thanks for pointing this out. I will send a v2 with the check
reduced to:

	if (urb->actual_length < BELKIN_SA_MSR_INDEX + 1)
		goto exit;

and update the commit message accordingly.

Best regards,
Zhang Cen
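
Added example, not part of the original message and not the driver's own code: a userspace C model of the reduced length check discussed above, showing that a 3-byte completion is dropped before the MSR byte is read. The names model_urb, model_status and model_read_int_status are hypothetical, the index values 2 and 3 are assumptions, and the packet bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed offsets of the status bytes; the names mirror the driver's. */
#define BELKIN_SA_LSR_INDEX 2
#define BELKIN_SA_MSR_INDEX 3

/* Hypothetical stand-in for the struct urb fields the callback uses. */
struct model_urb {
	const uint8_t *transfer_buffer;
	size_t transfer_buffer_length;	/* bytes allocated for the buffer */
	size_t actual_length;		/* bytes the device actually sent */
};

struct model_status { uint8_t lsr, msr; };

/*
 * Returns 0 and fills *st when the packet holds the MSR byte, -1 otherwise.
 * Only actual_length is tested: since actual_length never exceeds
 * transfer_buffer_length, this one comparison also keeps the read inside
 * the allocation and rejects short completions into a larger buffer.
 */
int model_read_int_status(const struct model_urb *urb, struct model_status *st)
{
	const uint8_t *data = urb->transfer_buffer;

	if (urb->actual_length < BELKIN_SA_MSR_INDEX + 1)
		return -1;	/* short packet: ignore it, read nothing */

	st->lsr = data[BELKIN_SA_LSR_INDEX];
	st->msr = data[BELKIN_SA_MSR_INDEX];
	return 0;
}

/* Constructed sample packets: 3 bytes as in the reproducer, and 4 bytes. */
static const uint8_t short_pkt[3] = { 0x00, 0x00, 0x60 };
static const uint8_t full_pkt[4]  = { 0x00, 0x00, 0x60, 0xb0 };

int main(void)
{
	struct model_status st = { 0, 0 };
	struct model_urb s = { short_pkt, sizeof(short_pkt), sizeof(short_pkt) };
	struct model_urb f = { full_pkt, sizeof(full_pkt), sizeof(full_pkt) };

	printf("3-byte packet: %d\n", model_read_int_status(&s, &st));
	printf("4-byte packet: %d\n", model_read_int_status(&f, &st));
	return 0;
}
```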