[PATCH] USB: serial: cypress_m8: fix memory corruption with small endpoint

From: Johan Hovold

Date: Fri May 22 2026 - 06:23:07 EST


Make sure that the interrupt-out endpoint max packet size is at least
eight bytes to avoid user-controlled slab corruption or NULL-pointer
dereference should a malicious device report a smaller size.

Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
Cc: stable@xxxxxxxxxxxxxxx # 2.6.26
Signed-off-by: Johan Hovold <johan@xxxxxxxxxx>
---
drivers/usb/serial/cypress_m8.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c
index afff1a0f4298..82ba0900b399 100644
--- a/drivers/usb/serial/cypress_m8.c
+++ b/drivers/usb/serial/cypress_m8.c
@@ -445,6 +445,14 @@ static int cypress_generic_port_probe(struct usb_serial_port *port)
return -ENODEV;
}

+ /*
+ * The buffer must be large enough for the one or two-byte header (and
+ * following data) but assume anything smaller than eight bytes is
+ * broken.
+ */
+ if (port->interrupt_out_size < 8)
+ return -EINVAL;
+
priv = kzalloc_obj(struct cypress_private);
if (!priv)
return -ENOMEM;
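Review bot: The threshold in `if (port->interrupt_out_size < 8)` is a bare magic number, and the comment above it only says the buffer must hold the one or two-byte header plus data, so the code does not show why 8 is the minimum rather than something closer to the header size. Consider a named constant, or one more sentence in the comment saying what the eight-byte floor is based on. The new check also returns -EINVAL with no log message, while the context line just above it returns -ENODEV, so a device rejected here fails probe silently and with a different errno from the neighbouring rejection path. A dev_err() that prints the reported size would make such a device easier to diagnose, and it is worth confirming that -EINVAL rather than -ENODEV is the intended return value.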
--
2.53.0