From: Michael Bommarito
To: Greg Kroah-Hartman
Cc: Al Viro, Sam Day, Christian Brauner, Ingo Rohloff, Michal Nazarewicz, Kees Cook, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] usb: gadget: f_fs: copy only received bytes on short ep0 read
Date: Sun, 19 Apr 2026 12:03:59 -0400
Message-ID: <20260419160359.1577270-1-michael.bommarito@gmail.com>

ffs_ep0_read() allocates its control-OUT data buffer with kmalloc() (not
kzalloc) at the Length value from the Setup packet, then copies that full
len to userspace regardless of how many bytes were actually received:

    data = kmalloc(len, GFP_KERNEL);
    ...
    ret = __ffs_ep0_queue_wait(ffs, data, len);
    if ((ret > 0) && (copy_to_user(buf, data, len)))
        ret = -EFAULT;

__ffs_ep0_queue_wait() returns req->actual, which on a short control OUT
transfer is strictly less than len. The copy_to_user() call still copies
len bytes, so on a short OUT the last (len - ret) bytes of the kmalloc()
buffer -- uninitialised slab residue -- are delivered to the FunctionFS
daemon.

Short ep0 OUT completions are specified USB control-transfer behavior and
are produced by in-tree UDCs:

 * dwc2 continues on req->actual < req->length for ep0 DATA OUT
   (short-not-ok is the only ep0-OUT stall path).
 * aspeed_udc ends ep0 OUT on rx_len < ep->ep.maxpacket.
 * renesas_usbf logs "ep0 short packet" and completes the request.
 * dwc3 stalls on short IN but not on short OUT.

A short ep0 OUT is therefore not evidence of a broken UDC; it is a normal
condition f_fs has to cope with. The sibling gadgetfs implementation in
drivers/usb/gadget/legacy/inode.c already does this correctly via
min(len, dev->req->actual) before copy_to_user(). This patch brings
f_fs.c to the same safe pattern rather than trimming at a defensive
layer.

The bug is reached from the FunctionFS device node, which in real
deployments is owned by the privileged gadget daemon (adbd, UMS, composite
gadget services, etc.); it is not reachable from unprivileged userspace.
Linux host stacks normally reject short-wLength control OUTs before they
reach the gadget, so reproducing this required a build that bypasses that
host-side check. With the bypass in place, a 1-byte payload on a 64-byte
Setup produces 63 bytes of non-canary slab residue in the daemon's read
buffer.

Fix by copying only ret (actually received) bytes to userspace.

Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito
---
 drivers/usb/gadget/function/f_fs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 002c3441bea3..815639506520 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -619,7 +619,7 @@ static ssize_t ffs_ep0_read(struct file *file, char __user *buf,
 
 	/* unlocks spinlock */
 	ret = __ffs_ep0_queue_wait(ffs, data, len);
-	if ((ret > 0) && (copy_to_user(buf, data, len)))
+	if ((ret > 0) && (copy_to_user(buf, data, ret)))
 		ret = -EFAULT;
 	goto done_mutex;
 
-- 
2.53.0
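Review bot: the new copy length `ret` is taken straight from __ffs_ep0_queue_wait() without being clamped to `len`, whereas the gadgetfs pattern the commit message cites uses min(len, dev->req->actual). If a UDC ever reported req->actual greater than req->length, `copy_to_user(buf, data, ret)` would read past the kmalloc(len) buffer that the old `len` argument could not. Either clamp explicitly, for example `copy_to_user(buf, data, min_t(size_t, len, ret))`, add a WARN_ON_ONCE(ret > len) so a misbehaving UDC is visible rather than silent, or state in the message why req->actual cannot exceed len on this path. With that settled, the change is correct: the bytes copied now match the count returned to the reader.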
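The short-OUT leak the commit message describes, and the one-argument fix, modelled in user-space C as an added example that is not the kernel's code. A constructed byte arena stands in for a slab page holding residue from a previous user; fake_kmalloc, fake_ep0_queue_wait and fake_copy_to_user are hypothetical stand-ins for kmalloc(), __ffs_ep0_queue_wait() and copy_to_user(); and the 1-byte-payload-on-a-64-byte-Setup case from the message is run through both the pre-patch copy length (len) and the patched one (ret) to count how many stale bytes reach the daemon's buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for a slab page: every byte starts out holding
 * residue (0x5A) left behind by whatever used the memory last. */
#define ARENA_SIZE 256
#define STALE_BYTE 0x5A
static unsigned char slab_arena[ARENA_SIZE];

/* Hypothetical kmalloc(): hands back arena memory without clearing it. */
static unsigned char *fake_kmalloc(size_t len)
{
    memset(slab_arena, STALE_BYTE, sizeof(slab_arena));
    return len <= sizeof(slab_arena) ? slab_arena : NULL;
}

/* Hypothetical __ffs_ep0_queue_wait(): the UDC fills only `actual` bytes
 * (the payload the host really sent) and returns req->actual, which on a
 * short control OUT transfer is strictly less than len. */
static ssize_t fake_ep0_queue_wait(unsigned char *data, size_t len, size_t actual)
{
    if (actual > len)
        actual = len;
    memset(data, 'A', actual);
    return (ssize_t)actual;
}

/* Hypothetical copy_to_user(): 0 on success, bytes not copied on fault. */
static unsigned long fake_copy_to_user(unsigned char *ubuf, size_t ubuf_len,
                                       const unsigned char *src, size_t n)
{
    if (n > ubuf_len)
        return n - ubuf_len;
    memcpy(ubuf, src, n);
    return 0;
}

/* Pre-patch pattern: copies len bytes although only ret were received. */
static ssize_t ep0_read_leaky(unsigned char *ubuf, size_t len, size_t actual)
{
    unsigned char *data = fake_kmalloc(len);
    ssize_t ret;

    if (!data)
        return -12; /* -ENOMEM */
    ret = fake_ep0_queue_wait(data, len, actual);
    if (ret > 0 && fake_copy_to_user(ubuf, len, data, len))
        ret = -14; /* -EFAULT */
    return ret;
}

/* Patched pattern: copies only the ret bytes that actually arrived. */
static ssize_t ep0_read_fixed(unsigned char *ubuf, size_t len, size_t actual)
{
    unsigned char *data = fake_kmalloc(len);
    ssize_t ret;

    if (!data)
        return -12;
    ret = fake_ep0_queue_wait(data, len, actual);
    if (ret > 0 && fake_copy_to_user(ubuf, len, data, (size_t)ret))
        ret = -14;
    return ret;
}

/* Counts bytes of the user buffer that now hold slab residue. */
static size_t count_stale_bytes(const unsigned char *ubuf, size_t len)
{
    size_t n = 0, i;

    for (i = 0; i < len; i++)
        if (ubuf[i] == STALE_BYTE)
            n++;
    return n;
}

/* Runs the commit message's case (1-byte payload on a 64-byte Setup)
 * through one reader and reports how many stale bytes it delivered.
 * Returns (size_t)-1 if the reader did not report 1 byte received. */
static size_t leaked_bytes(ssize_t (*reader)(unsigned char *, size_t, size_t))
{
    unsigned char ubuf[64];

    memset(ubuf, 0, sizeof(ubuf)); /* the daemon's buffer starts zeroed */
    if (reader(ubuf, sizeof(ubuf), 1) != 1)
        return (size_t)-1;
    return count_stale_bytes(ubuf, sizeof(ubuf));
}

int main(void)
{
    printf("before fix: %zu stale bytes reach userspace\n", leaked_bytes(ep0_read_leaky));
    printf("after fix:  %zu stale bytes reach userspace\n", leaked_bytes(ep0_read_fixed));
    return 0;
}
```

Both readers return 1, the count the caller sees, so nothing about the read's result changes; what changes is that the leaky version hands back 63 bytes of arena residue behind that single byte while the fixed version leaves the rest of the user buffer untouched. Zeroing the allocation (kzalloc) would hide the residue but not the over-copy, which is why the patch trims the copy length instead.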