1. Patchew
  2. linux
  3. View series

[PATCH] USB: serial: mxuport: fix memory corruption with small endpoint

Johan Hovold posted 1 patch 2 days, 5 hours ago 
drivers/usb/serial/mxuport.c | 8 ++++++++
1 file changed, 8 insertions(+)
[PATCH] USB: serial: mxuport: fix memory corruption with small endpoint
Posted by Johan Hovold 2 days, 5 hours ago 
Make sure that the bulk-out endpoint max packet size is at least eight
bytes to avoid user-controlled slab corruption should a malicious device
report a smaller size.

Fixes: ee467a1f2066 ("USB: serial: add Moxa UPORT 12XX/14XX/16XX driver")
Cc: stable@vger.kernel.org	# 3.14
Cc: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/usb/serial/mxuport.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/usb/serial/mxuport.c b/drivers/usb/serial/mxuport.c
index ad5fdf55a02e..c9b9928c473a 100644
--- a/drivers/usb/serial/mxuport.c
+++ b/drivers/usb/serial/mxuport.c
@@ -962,6 +962,14 @@ static int mxuport_calc_num_ports(struct usb_serial *serial,
 	 */
 	BUILD_BUG_ON(ARRAY_SIZE(epds->bulk_out) < 16);
 
+	/*
+	 * The bulk-out buffers must be large enough for the four-byte header
+	 * (and following data), but assume anything smaller than eight bytes
+	 * is broken.
+	 */
+	if (usb_endpoint_maxp(epds->bulk_out[0]) < 8)
+		return -EINVAL;
+
 	for (i = 1; i < num_ports; ++i)
 		epds->bulk_out[i] = epds->bulk_out[0];
 
-- 
2.53.0
Re: [PATCH] USB: serial: mxuport: fix memory corruption with small endpoint
Posted by Greg Kroah-Hartman 1 day, 13 hours ago 
On Fri, May 22, 2026 at 04:19:50PM +0200, Johan Hovold wrote:
> Make sure that the bulk-out endpoint max packet size is at least eight
> bytes to avoid user-controlled slab corruption should a malicious device
> report a smaller size.
> 
> Fixes: ee467a1f2066 ("USB: serial: add Moxa UPORT 12XX/14XX/16XX driver")
> Cc: stable@vger.kernel.org	# 3.14
> Cc: Andrew Lunn <andrew@lunn.ch>
> Signed-off-by: Johan Hovold <johan@kernel.org>
> ---
>  drivers/usb/serial/mxuport.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/drivers/usb/serial/mxuport.c b/drivers/usb/serial/mxuport.c
> index ad5fdf55a02e..c9b9928c473a 100644
> --- a/drivers/usb/serial/mxuport.c
> +++ b/drivers/usb/serial/mxuport.c
> @@ -962,6 +962,14 @@ static int mxuport_calc_num_ports(struct usb_serial *serial,
>  	 */
>  	BUILD_BUG_ON(ARRAY_SIZE(epds->bulk_out) < 16);
>  
> +	/*
> +	 * The bulk-out buffers must be large enough for the four-byte header
> +	 * (and following data), but assume anything smaller than eight bytes
> +	 * is broken.
> +	 */
> +	if (usb_endpoint_maxp(epds->bulk_out[0]) < 8)
> +		return -EINVAL;
> +
>  	for (i = 1; i < num_ports; ++i)
>  		epds->bulk_out[i] = epds->bulk_out[0];
>  
> -- 
> 2.53.0
>

Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.