mirror-linux/drivers/usb/serial
Zhang Cen 9f9bfc80c6 USB: serial: cypress_m8: validate interrupt packet headers
cypress_read_int_callback() parses the interrupt-in buffer according to
the selected Cypress packet format. Format 1 has a two-byte status/count
header and format 2 has a one-byte combined status/count header. The
usb-serial core sizes the interrupt-in buffer from the endpoint
descriptor's wMaxPacketSize, and successful interrupt transfers can
complete short when URB_SHORT_NOT_OK is not set.

Check that the completed packet contains the selected header before
reading it. Malformed short reports are ignored and the interrupt URB is
resubmitted through the existing retry path, preventing out-of-bounds
header-byte reads.

KASAN report as below:
KASAN slab-out-of-bounds in cypress_read_int_callback+0x240/0x7f0
Read of size 1
Call trace:
  cypress_read_int_callback() (drivers/usb/serial/cypress_m8.c:1009)
  __usb_hcd_giveback_urb()
  dummy_timer()

Fixes: 3416eaa1f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Fixes: 3416eaa1f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
Cc: stable@vger.kernel.org	# 2.6.26
[ johan: use constants in header length sanity checks ]
Signed-off-by: Johan Hovold <johan@kernel.org>
2026-05-23 09:35:26 +02:00
Kconfig
Makefile
Makefile-keyspan_pda_fw
aircable.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
ark3116.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
belkin_sa.c USB: serial: belkin_sa: validate interrupt status length 2026-05-20 16:22:46 +02:00
belkin_sa.h
bus.c USB: serial: bus: fix const issue in usb_serial_device_match() 2025-05-21 17:01:37 +02:00
ch341.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
console.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
cp210x.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
cyberjack.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
cypress_m8.c USB: serial: cypress_m8: validate interrupt packet headers 2026-05-23 09:35:26 +02:00
cypress_m8.h
digi_acceleport.c USB: serial: digi_acceleport: fix memory corruption with small endpoints 2026-05-20 16:26:22 +02:00
empeg.c USB: serial: drop driver owner initialization 2024-08-26 15:28:25 +02:00
ezusb_convert.pl
f81232.c USB: serial: f81232: fix incomplete serial port generation 2026-01-13 15:59:07 +01:00
f81534.c USB: serial: drop driver owner initialization 2024-08-26 15:28:25 +02:00
ftdi_sio.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
ftdi_sio.h
ftdi_sio_ids.h USB: serial: ftdi_sio: add support for PICAXE AXE027 cable 2026-01-13 14:08:46 +01:00
garmin_gps.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
generic.c USB: serial: drop driver owner initialization 2024-08-26 15:28:25 +02:00
io_16654.h
io_edgeport.c USB: serial: io_edgeport: add support for Blackbox IC135A 2026-03-17 15:28:14 +01:00
io_edgeport.h
io_ionsp.h
io_ti.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
io_ti.h
io_usbvend.h USB: serial: io_edgeport: add support for Blackbox IC135A 2026-03-17 15:28:14 +01:00
ipaq.c USB: serial: drop driver owner initialization 2024-08-26 15:28:25 +02:00
ipw.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
ir-usb.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
iuu_phoenix.c USB: serial: iuu_phoenix: fix iuutool author name 2026-04-08 09:37:43 +02:00
iuu_phoenix.h
keyspan.c USB: serial: keyspan: fix missing indat transfer sanity check 2026-05-20 16:26:48 +02:00
keyspan_pda.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
keyspan_usa26msg.h
keyspan_usa28msg.h
keyspan_usa49msg.h
keyspan_usa67msg.h
keyspan_usa90msg.h
kl5kusb105.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
kl5kusb105.h
kobil_sct.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
kobil_sct.h
mct_u232.c USB: serial: mct_u232: fix missing interrupt-in transfer sanity check 2026-05-20 16:27:10 +02:00
mct_u232.h
metro-usb.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
mos7720.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
mos7840.c Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
mxuport.c USB: serial: mxuport: fix memory corruption with small endpoint 2026-05-23 09:07:18 +02:00
navman.c USB: serial: drop driver owner initialization 2024-08-26 15:28:25 +02:00
omninet.c USB: serial: omninet: fix memory corruption with small endpoint 2026-05-23 09:07:30 +02:00
opticon.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
option.c USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL 2026-05-21 09:53:59 +02:00
oti6858.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
oti6858.h
pl2303.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
pl2303.h USB: serial: pl2303: add device id for Macrosilicon MS3020 2024-09-06 17:11:13 +02:00
qcaux.c USB: serial: drop driver owner initialization 2024-08-26 15:28:25 +02:00
qcserial.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
quatech2.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
safe_serial.c USB: serial: safe_serial: fix memory corruption with small endpoint 2026-05-23 09:07:36 +02:00
sierra.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
spcp8x5.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
ssu100.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
symbolserial.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
ti_usb_3410_5052.c USB: serial: ti_usb_3410_5052: use strscpy() instead of strcpy() 2026-03-17 15:35:07 +01:00
upd78f0730.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
usb-serial-simple.c USB: serial: simple: add OWON HDS200 series oscilloscope support 2025-04-16 08:38:22 +02:00
usb-serial.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
usb-wwan.h
usb_debug.c USB: serial: drop driver owner initialization 2024-08-26 15:28:25 +02:00
usb_wwan.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
visor.c USB: serial: drop driver owner initialization 2024-08-26 15:28:25 +02:00
visor.h
whiteheat.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
whiteheat.h
wishbone-serial.c USB: serial: drop driver owner initialization 2024-08-26 15:28:25 +02:00
xr_serial.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xsens_mt.c USB: serial: drop driver owner initialization 2024-08-26 15:28:25 +02:00