Re: [PATCH] USB: serial: belkin_sa: validate interrupt status length
From: Johan Hovold
Date: Mon May 18 2026 - 10:38:22 EST

On Mon, May 18, 2026 at 09:39:49PM +0800, Cen Zhang wrote:
> On Mon, May 18, 2026 at 01:07:05PM +0200, Johan Hovold wrote:
>
> > How was this issue found? Are you using some kind of static checker or
> > LLM?
>
> The initial lead came from an LLM-assisted local audit, not from a
> dedicated static checker. I then checked this path manually and validated
> the issue under KASAN with a small dummy_hcd/raw_gadget setup.
>
> The reproducer emulates a Belkin 050d:0103-compatible device with one
> interrupt-in endpoint whose wMaxPacketSize is 3. After belkin_sa bound and
> ttyUSB0 was opened once, the raw_gadget side completed 3-byte interrupt
> packets.
>
> The relevant part of the KASAN report is as below:
>
> BUG: KASAN: slab-out-of-bounds in belkin_sa_read_int_callback+0xd3/0x290
> Read of size 1 at addr ffff8881029d2c43

Nice work. But please mention that this was found with the help of an LLM in
the commit message as documented in:

- Documentation/process/submitting-patches.rst ("Using Assisted-by:")
- Documentation/process/coding-assistants.rst

> > You only need to verify urb->actual_length here (as actual_length <=
> > transfer_buffer_length).
>
> Agreed, thanks for pointing this out. I will send a v2 with the check
> reduced to:
>
> 	if (urb->actual_length < BELKIN_SA_MSR_INDEX + 1)
> 		goto exit;
>
> and update the commit message accordingly.

Sounds good, thanks.

Johan
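
An added example, not part of the thread or of the kernel source: a userspace C model of the reduced length check agreed above, run over constructed packets. The names struct model_urb and model_read_msr and the MSR_INDEX value are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value: chosen so that a 3-byte packet is one byte short of
 * the modem-status byte, matching the report quoted above. */
#define MSR_INDEX 3u

/* Hypothetical stand-in for the struct urb fields that matter here. */
struct model_urb {
	const uint8_t *transfer_buffer;
	size_t transfer_buffer_length;	/* sized from wMaxPacketSize */
	size_t actual_length;		/* bytes the device really sent */
};

/* Returns 0 and stores the status byte in *msr when the packet is long
 * enough, -1 (leaving *msr untouched) when index MSR_INDEX is absent. */
int model_read_msr(const struct model_urb *urb, uint8_t *msr)
{
	/* actual_length <= transfer_buffer_length, so one check suffices. */
	if (urb->actual_length < MSR_INDEX + 1)
		return -1;

	*msr = urb->transfer_buffer[MSR_INDEX];
	return 0;
}

int main(void)
{
	/* Constructed sample packets, not captured from a device. */
	static const uint8_t short_pkt[3] = { 0x00, 0x00, 0x60 };
	static const uint8_t full_pkt[4] = { 0x00, 0x00, 0x60, 0xb0 };
	struct model_urb urbs[] = {
		{ short_pkt, sizeof(short_pkt), sizeof(short_pkt) },
		{ full_pkt, sizeof(full_pkt), sizeof(full_pkt) },
		{ full_pkt, sizeof(full_pkt), 2 },	/* short transfer */
	};

	for (size_t i = 0; i < sizeof(urbs) / sizeof(urbs[0]); i++) {
		uint8_t msr = 0;
		int ret = model_read_msr(&urbs[i], &msr);

		printf("len=%zu -> ret=%d msr=0x%02x\n",
		       urbs[i].actual_length, ret, msr);
	}
	return 0;
}
```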