Re: [PATCH] usb: misc: usbio: bound bulk IN response length to the received transfer

From: Antti Laakso

Date: Fri Jun 26 2026 - 05:54:00 EST


Hi Wei,

Thanks for the patch.

On Wed, Jun 24, 2026 at 06:09:52PM +0900, HE WEI (ギカク) wrote:
> usbio_bulk_msg() copies bpkt_len = le16_to_cpu(bpkt->len) bytes out of
> the bulk IN buffer (usbio->rxbuf, allocated with size usbio->rxbuf_len)
> into the caller's buffer. bpkt_len is fully controlled by the device
> and is only checked against ibuf_len; ibuf_len in turn is checked
> against usbio->txbuf_len, not against rxbuf_len:
>
>     if ((obuf_len > (usbio->txbuf_len - sizeof(*bpkt))) ||
>         (ibuf_len > (usbio->txbuf_len - sizeof(*bpkt))))
>             return -EMSGSIZE;
>
> txbuf_len and rxbuf_len are taken independently from the bulk OUT and
> bulk IN endpoint wMaxPacketSize in usbio_probe(). A malicious or
> malfunctioning device that advertises a large bulk OUT endpoint and a
> small bulk IN endpoint (e.g. by claiming one of the quirk-free IDs such
> as the Lattice NX33U, 0x2ac1:0x20cb) therefore makes ibuf_len, and
> hence the device-supplied bpkt_len, exceed rxbuf_len. memcpy() then
> reads up to txbuf_len - rxbuf_len bytes past the end of the rxbuf slab
> object. The over-read bytes are handed back to the i2c layer and on to
> user space through i2c-dev, disclosing adjacent slab memory; with KASAN
> this is reported as a slab-out-of-bounds read.
>
> The number of bytes actually received is already known: act equals the
> URB actual_length and is bounded by rxbuf_len. Reject any response
> that claims more payload than was received, mirroring the existing
> "act < sizeof(*bpkt)" check just above.
>
> The control path (usbio_ctrl_msg()) is not affected: it uses a single
> buffer (ctrlbuf) for both directions, so its analogous copy can never
> leave the allocation.
>
> Found by code review. The out-of-bounds read was confirmed under
> AddressSanitizer with a faithful userspace model of usbio_bulk_msg()'s
> receive path (an rxbuf_len-sized buffer, the same act/ibuf_len/bpkt_len
> checks and the memcpy). A USB raw-gadget + dummy_hcd reproducer is
> also available.
>
> Fixes: 121a0f839dbb ("usb: misc: Add Intel USBIO bridge driver")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: HE WEI (ギカク) <skyexpoc@xxxxxxxxx>

Tested-by: Antti Laakso <antti.laakso@xxxxxxxxxxxxxxx>
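The receive path described in the patch, as an added userspace model for this discussion rather than code from the driver or from the thread participants. The packet header layout (a le16 length followed by payload), the helper names, the 64-byte guard region standing in for adjacent slab memory, and the -EIO returned by the added bound are all assumptions of the model; the actual patch is not shown here. Under the unfixed checks, a device that advertises a 512-byte bulk OUT endpoint and a 64-byte bulk IN endpoint, then answers with a header claiming 100 payload bytes, gets 38 guard bytes copied into the caller's buffer; the added bound against the received length rejects that response while an honest 40-byte reply in a 42-byte transfer still passes.

```c
/*
 * Userspace model of the usbio_bulk_msg() receive path discussed above.
 * Written for this discussion, not taken from the driver: the packet header
 * layout, the model helpers and the error code used by the added check are
 * assumptions. A guard region after the modelled rxbuf stands in for the
 * adjacent slab memory, so the over-read is observable without relying on
 * undefined behaviour.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MODEL_TXBUF_MAX 512   /* largest bulk OUT size the model accepts (assumption) */
#define GUARD_LEN       64    /* bytes of "adjacent memory" placed after rxbuf */
#define GUARD_BYTE      0xA5  /* marker that never appears in genuine payload */

/* Assumed on-wire header: only the device-controlled length matters here. */
struct bpkt {
	uint16_t len;           /* le16 on the wire; host assumed little-endian */
	uint8_t  data[];
};

struct usbio_model {
	uint8_t backing[MODEL_TXBUF_MAX + GUARD_LEN]; /* rxbuf, then guard bytes */
	size_t  rxbuf_len;      /* bulk IN wMaxPacketSize */
	size_t  txbuf_len;      /* bulk OUT wMaxPacketSize */
};

static int model_init(struct usbio_model *u, size_t rxbuf_len, size_t txbuf_len)
{
	if (rxbuf_len < sizeof(struct bpkt) || rxbuf_len > MODEL_TXBUF_MAX ||
	    txbuf_len < sizeof(struct bpkt) || txbuf_len > MODEL_TXBUF_MAX)
		return -EINVAL;
	u->rxbuf_len = rxbuf_len;
	u->txbuf_len = txbuf_len;
	return 0;
}

/* A device delivers 'act' bytes: a header claiming 'claimed_len' bytes of
 * payload, followed by real payload up to act. act is capped at rxbuf_len,
 * as URB actual_length is bounded by the transfer buffer. Everything past
 * rxbuf_len is filled with the guard marker. */
static size_t model_receive(struct usbio_model *u, uint16_t claimed_len, size_t act)
{
	struct bpkt *bpkt = (struct bpkt *)u->backing;

	memset(u->backing, 0, u->rxbuf_len);
	memset(u->backing + u->rxbuf_len, GUARD_BYTE, sizeof(u->backing) - u->rxbuf_len);
	if (act > u->rxbuf_len)
		act = u->rxbuf_len;
	bpkt->len = claimed_len;
	for (size_t i = 0; i + sizeof(*bpkt) < act; i++)
		bpkt->data[i] = (uint8_t)(i & 0x7f);   /* genuine payload, never GUARD_BYTE */
	return act;
}

/* Returns the number of payload bytes copied to ibuf, or a negative errno.
 * fixed == 0 reproduces the checks quoted in the patch description;
 * fixed != 0 adds the bound against the received length. */
static int bulk_msg_model(struct usbio_model *u, size_t obuf_len,
			  uint8_t *ibuf, size_t ibuf_len,
			  uint16_t claimed_len, size_t act, int fixed)
{
	struct bpkt *bpkt = (struct bpkt *)u->backing;
	size_t bpkt_len;

	/* Existing check: both directions compared against txbuf_len only. */
	if ((obuf_len > (u->txbuf_len - sizeof(*bpkt))) ||
	    (ibuf_len > (u->txbuf_len - sizeof(*bpkt))))
		return -EMSGSIZE;

	act = model_receive(u, claimed_len, act);
	if (act < sizeof(*bpkt))
		return -EIO;

	bpkt_len = bpkt->len;                  /* device-controlled */
	if (bpkt_len > ibuf_len)
		return -EMSGSIZE;
	/* Added bound: a response cannot carry more payload than was received.
	 * -EIO is the model's choice; the real patch's error value is not shown. */
	if (fixed && bpkt_len > act - sizeof(*bpkt))
		return -EIO;

	memcpy(ibuf, bpkt->data, bpkt_len);    /* unfixed: may run into the guard */
	return (int)bpkt_len;
}

/* How many of the n bytes handed to the caller came from beyond rxbuf. */
static size_t leaked_bytes(const uint8_t *ibuf, int n)
{
	size_t leaked = 0;

	for (int i = 0; i < n; i++)
		if (ibuf[i] == GUARD_BYTE)
			leaked++;
	return leaked;
}
```

The guard region is the model's stand-in for what KASAN reports as a slab-out-of-bounds read in the kernel: with rxbuf_len at 64 and txbuf_len at 512, a 128-byte ibuf passes the txbuf_len-only check, so a claimed length of 100 drives memcpy 38 bytes past the end of rxbuf. Bounding bpkt_len by act minus the header size makes the copy independent of what the bulk OUT endpoint advertised.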