[PATCH v3 0/2] usb: usbtmc: add sanity checks for interrupt endpoints

Heitor Alves de Siqueira posted 2 patches 1 month, 1 week ago
drivers/usb/class/usbtmc.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
Posted by Heitor Alves de Siqueira 1 month, 1 week ago
Dear maintainers,

This is a v3 patch for an out-of-bounds read originally reported by
syzbot in [0]. After discussion, I've split the original fix into two
separate patches.

The first patch is a more conservative check against each URB in the
usbtmc_interrupt() path, to ensure enough data was transferred to
include the necessary payload headers. I've tagged this one for stable,
as it shouldn't impact existing devices besides fixing the out-of-bounds
read. Devices that eventually raise problematic interrupt notifications
will be able to try again once the URB is resubmitted.

The second patch is more strict, as it rejects devices that advertise
interrupt endpoints with wMaxPacketSize below 2 bytes. This approach was
suggested during v1 of this series, as these devices are unlikely to
exist and won't work properly with the current usbtmc driver. This
approach is also more aligned with the intent of the USB488 spec, as
interrupt endpoints should ideally be set up with enough space for
the payload headers.

While the first patch is sufficient to fix the out-of-bounds read, there
seems to be little point in having those interrupt endpoints configured
if the driver will ignore all URBs from them.

[0] https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2

---
Changes in v3:
- Split into two patches:
  - actual_length check in usbtmc_interrupt() for the syzbot fix
  - wMaxPacketSize check in usbtmc_probe() to reject quirky devices
- Link to v2: https://patch.msgid.link/20260423-usbtmc-iin-size-v2-1-31afa4874f71@igalia.com

Changes in v2:
- Instead of ensuring buffer size, reject devices that advertise illegal/invalid interrupt endpoints
- Link to v1: https://patch.msgid.link/20260422-usbtmc-iin-size-v1-1-5dc44b4389aa@igalia.com

---
Heitor Alves de Siqueira (2):
      usb: usbtmc: check URB actual_length for interrupt-IN notifications
      usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize

 drivers/usb/class/usbtmc.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
---
base-commit: 70c8a7ec6715b5fb14e501731b5b9210a16684f7
change-id: 20260422-usbtmc-iin-size-f1aaf04a6c4c

Best regards,
--  
Heitor Alves de Siqueira <halves@igalia.com>
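
The two checks described in the cover letter, as a user-space model added here for illustration; it is not the code from the patches or from usbtmc.c. The `model_*` names, the `IIN_*` constants and the sample bytes are hypothetical, and the 2-byte header length is an assumption taken from the "below 2 bytes" threshold above.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumption: the interrupt-IN payload header is 2 bytes long. */
#define IIN_HDR_LEN 2u

/* Hypothetical stand-ins for the kernel structures, not the driver's types. */
struct model_ep_desc {
    uint8_t wMaxPacketSize[2];      /* little-endian, as in the descriptor */
};
struct model_urb {
    const uint8_t *buf;             /* transfer buffer */
    size_t actual_length;           /* bytes the device really transferred */
};
enum iin_result { IIN_OK = 0, IIN_SHORT = -1 };

/* Probe-time idea (second patch): refuse an interrupt endpoint that can
 * never carry a full header. Bits 10..0 of wMaxPacketSize hold the size. */
int model_probe_accepts(const struct model_ep_desc *ep)
{
    unsigned int maxp =
        (ep->wMaxPacketSize[0] | (ep->wMaxPacketSize[1] << 8)) & 0x07ff;
    return maxp >= IIN_HDR_LEN;
}

/* Completion-time idea (first patch): read the header bytes only when the
 * device actually sent them; otherwise skip parsing and let the caller
 * resubmit the URB. */
enum iin_result model_interrupt(const struct model_urb *urb,
                                uint8_t hdr[IIN_HDR_LEN])
{
    if (urb->actual_length < IIN_HDR_LEN)
        return IIN_SHORT;
    hdr[0] = urb->buf[0];
    hdr[1] = urb->buf[1];
    return IIN_OK;
}

/* Constructed sample transfers: one complete header, one truncated. */
static const uint8_t sample_full[]  = { 0x81, 0x40 };
static const uint8_t sample_short[] = { 0x81 };

int main(void)
{
    uint8_t hdr[IIN_HDR_LEN] = { 0, 0 };
    struct model_urb full  = { sample_full,  sizeof(sample_full)  };
    struct model_urb trunc = { sample_short, sizeof(sample_short) };
    return !(model_interrupt(&full, hdr) == IIN_OK &&
             model_interrupt(&trunc, hdr) == IIN_SHORT);
}
```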