git.ipfire.org Git - thirdparty/kernel/linux.git/commit
USB: serial: cypress_m8: validate interrupt packet headers
author Zhang Cen <rollkingzzc@gmail.com>
Fri, 22 May 2026 14:54:42 +0000 (22:54 +0800)
committer Johan Hovold <johan@kernel.org>
Sat, 23 May 2026 07:35:26 +0000 (09:35 +0200)
commit 9f9bfc80c67f35a275820da7e83a35dface08281
tree d82853bc4b79f5ccfd588c0415059bc57caeafe0
parent 438061ed1ad85e6743e2dce826671772d81089ec
USB: serial: cypress_m8: validate interrupt packet headers

cypress_read_int_callback() parses the interrupt-in buffer according to
the selected Cypress packet format. Format 1 has a two-byte status/count
header and format 2 has a one-byte combined status/count header. The
usb-serial core sizes the interrupt-in buffer from the endpoint
descriptor's wMaxPacketSize, and successful interrupt transfers can
complete short when URB_SHORT_NOT_OK is not set.

Check that the completed packet contains the selected header before
reading it. Malformed short reports are ignored and the interrupt URB is
resubmitted through the existing retry path, preventing out-of-bounds
header-byte reads.

KASAN report as below:
KASAN slab-out-of-bounds in cypress_read_int_callback+0x240/0x7f0
Read of size 1
Call trace:
  cypress_read_int_callback() (drivers/usb/serial/cypress_m8.c:1009)
  __usb_hcd_giveback_urb()
  dummy_timer()

Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
Cc: stable@vger.kernel.org # 2.6.26
[ johan: use constants in header length sanity checks ]
Signed-off-by: Johan Hovold <johan@kernel.org>
drivers/usb/serial/cypress_m8.c
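
The header-length check the commit message describes, modelled in user-space C as an added example; it is not the driver's code or the patch itself. The function and constant names and the byte layout inside each header are assumptions, and the final check of the count field against the received length goes beyond what the message describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; the header sizes are the ones the commit message gives. */
enum pkt_format { PKT_FORMAT_1 = 1, PKT_FORMAT_2 = 2 };
#define FMT1_HDR_LEN 2 /* status byte + count byte */
#define FMT2_HDR_LEN 1 /* combined status/count byte */

struct report { uint8_t status; const uint8_t *payload; size_t payload_len; };

/* `actual` is what the transfer delivered, not the allocated buffer size.
 * Returns 0 on success, -1 when the report is malformed and must be dropped. */
int parse_report(enum pkt_format fmt, const uint8_t *buf, size_t actual,
                 struct report *out)
{
    size_t hdr = (fmt == PKT_FORMAT_1) ? FMT1_HDR_LEN : FMT2_HDR_LEN;
    size_t count;

    if (fmt != PKT_FORMAT_1 && fmt != PKT_FORMAT_2)
        return -1;
    if (actual < hdr) /* short transfer: header bytes never arrived */
        return -1;

    if (fmt == PKT_FORMAT_1) { /* assumed layout: buf[0] status, buf[1] count */
        out->status = buf[0];
        count = buf[1];
    } else { /* assumed layout: high bits status, low 3 bits count */
        out->status = buf[0] & 0xF8;
        count = buf[0] & 0x07;
    }
    if (count > actual - hdr) /* header claims more data than was received */
        return -1;
    out->payload = buf + hdr;
    out->payload_len = count;
    return 0;
}

int main(void)
{
    const uint8_t good[] = { 0x10, 0x02, 'h', 'i' }; /* constructed sample */
    struct report r;

    printf("full report:  %d\n", parse_report(PKT_FORMAT_1, good, sizeof(good), &r));
    printf("1-byte short: %d\n", parse_report(PKT_FORMAT_1, good, 1, &r));
    printf("empty fmt 2:  %d\n", parse_report(PKT_FORMAT_2, good, 0, &r));
    return 0;
}
```

The length passed in must be the completed transfer's length; checking against the buffer size derived from wMaxPacketSize would accept the short reports this commit rejects.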