Re: [PATCH] USB: serial: cypress_m8: fix memory corruption with small endpoint
From: Greg Kroah-Hartman
Date: Fri May 22 2026 - 07:49:25 EST

On Fri, May 22, 2026 at 12:16:21PM +0200, Johan Hovold wrote:
> Make sure that the interrupt-out endpoint max packet size is at least
> eight bytes to avoid user-controlled slab corruption or NULL-pointer
> dereference should a malicious device report a smaller size.
>
> Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
> Cc: stable@xxxxxxxxxxxxxxx # 2.6.26
> Signed-off-by: Johan Hovold <johan@xxxxxxxxxx>
> ---
> drivers/usb/serial/cypress_m8.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c
> index afff1a0f4298..82ba0900b399 100644
> --- a/drivers/usb/serial/cypress_m8.c
> +++ b/drivers/usb/serial/cypress_m8.c
> @@ -445,6 +445,14 @@ static int cypress_generic_port_probe(struct usb_serial_port *port)
> return -ENODEV;
> }
>
> + /*
> + * The buffer must be large enough for the one or two-byte header (and
> + * following data) but assume anything smaller than eight bytes is
> + * broken.
> + */
> + if (port->interrupt_out_size < 8)
> + return -EINVAL;
> +
> priv = kzalloc_obj(struct cypress_private);
> if (!priv)
> return -ENOMEM;
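
Review bot: the new `if (port->interrupt_out_size < 8)` check fails the probe with -EINVAL and logs nothing, so a device rejected here leaves no indication of why binding failed; a dev_err() on &port->dev that reports the offending size would make the rejection diagnosable. The failure path visible just above the added lines returns -ENODEV, so either match it or say in the comment why this case is -EINVAL. The comment mentions a one or two-byte header, but the literal 8 is not derived from either value; a named constant or one sentence on where eight comes from would document the bound for the next reader.
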
> --
> 2.53.0
>
>
Reviewed-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>