From: HyeongJun An
To: Johan Hovold, Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, HyeongJun An
Subject: [PATCH v2] USB: serial: kl5kusb105: fix bulk-out buffer overflow
Date: Mon, 8 Jun 2026 18:09:26 +0900
Message-ID: <20260608090926.10506-1-sammiee5311@gmail.com>
In-Reply-To: <20260607095114.9375-1-sammiee5311@gmail.com>
References: <20260607095114.9375-1-sammiee5311@gmail.com>

klsi_105_prepare_write_buffer() is called by the generic write path with
the bulk-out buffer and its size (bulk_out_size, 64 bytes). It stores a
two-byte length header at the start of the buffer and copies the payload
from the write fifo starting at buf + KLSI_HDR_LEN, but passes the full
buffer size as the number of bytes to copy:

	count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size,
				 &port->lock);

When the fifo holds at least size bytes, size bytes are copied starting
two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its
end.

Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for the
header as safe_serial already does.

Writing bulk_out_size or more bytes to the tty triggers a slab
out-of-bounds write, observed with KASAN by emulating the device with
dummy_hcd and raw-gadget:

  BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0
  Write of size 64 at addr ffff888112c62202 by task python3
   kfifo_copy_out
   klsi_105_prepare_write_buffer [kl5kusb105]
   usb_serial_generic_write_start [usbserial]
  Allocated by task 139:
   usb_serial_probe [usbserial]
  The buggy address is located 2 bytes inside of allocated 64-byte region

The out-of-bounds write no longer occurs with this change applied.
Fixes: 60b3013cdaf3 ("USB: kl5usb105: reimplement using generic framework")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: HyeongJun An
---
v2:
 - Add Assisted-by tag as requested by Johan.

 drivers/usb/serial/kl5kusb105.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/serial/kl5kusb105.c b/drivers/usb/serial/kl5kusb10= 5.c index ed8531a64768..e72a0b45a707 100644 --- a/drivers/usb/serial/kl5kusb105.c +++ b/drivers/usb/serial/kl5kusb105.c @@ -330,8 +330,8 @@ static int klsi_105_prepare_write_buffer(struct usb_ser= ial_port *port, unsigned char *buf =3D dest; int count; =20 - count =3D kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size, - &port->lock); + count =3D kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, + size - KLSI_HDR_LEN, &port->lock); put_unaligned_le16(count, buf); =20 return count + KLSI_HDR_LEN;
--
2.43.0
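Review bot: the new `size - KLSI_HDR_LEN` length argument silently assumes the caller never passes a `size` smaller than `KLSI_HDR_LEN`; if `size` is an unsigned type, a smaller value would wrap to a huge length and hand kfifo_out_locked a copy bound far larger than the buffer. The commit message notes that the generic write path always passes bulk_out_size (64 bytes), so the invariant holds today, but a short comment above the call, or an early return when `size < KLSI_HDR_LEN`, would record that dependency for future callers. With the cap in place the returned `count + KLSI_HDR_LEN` can no longer exceed `size`, and `put_unaligned_le16(count, buf)` now reports the trimmed payload length, which is consistent.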
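The following is an added, stand-alone C model of the bug and the fix described in the commit message; it is not the driver's code. It replaces the kernel kfifo with a constructed byte-array fifo (`struct fifo`, `fifo_out`) that copies min(n, available) bytes the way kfifo_out_locked does, uses the 2-byte header and 64-byte bulk_out_size quoted above, and checks guard bytes beyond the buffer to confirm the patched arithmetic never writes past `size`. The `size < KLSI_HDR_LEN` guard in `prepare_write_buffer_fixed`, the `*_write_end` helpers and the `run_fixed_case` harness are this example's own additions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KLSI_HDR_LEN   2    /* two-byte length header, as in the driver */
#define BULK_OUT_SIZE  64   /* bulk_out_size quoted in the commit message */
#define MAX_CASE       256  /* upper bound for the constructed inputs below */

/* Stand-in for the port write fifo (assumption: byte array plus read cursor). */
struct fifo {
    const uint8_t *data;
    size_t len;
    size_t pos;
};

/* Pop at most n bytes into dst, the way kfifo_out_locked would (minus the
 * lock): copies min(n, available) bytes and returns that count. */
static size_t fifo_out(struct fifo *f, uint8_t *dst, size_t n)
{
    size_t avail = f->len - f->pos;
    size_t take = n < avail ? n : avail;

    memcpy(dst, f->data + f->pos, take);
    f->pos += take;
    return take;
}

static void put_le16(uint16_t v, uint8_t *p)
{
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)(v >> 8);
}

/* Patched logic: payload capped at size - KLSI_HDR_LEN so header + payload fit.
 * The size < KLSI_HDR_LEN guard is this example's addition; it keeps the
 * unsigned subtraction from wrapping. Returns bytes placed in buf, or -1. */
static int prepare_write_buffer_fixed(struct fifo *f, uint8_t *buf, size_t size)
{
    size_t count;

    if (size < KLSI_HDR_LEN)
        return -1;
    count = fifo_out(f, buf + KLSI_HDR_LEN, size - KLSI_HDR_LEN);
    put_le16((uint16_t)count, buf);
    return (int)(count + KLSI_HDR_LEN);
}

/* Pure arithmetic, no memory touched: exclusive end offset the original call
 * would write, since it asked for `size` bytes at offset KLSI_HDR_LEN. */
static size_t buggy_write_end(size_t size, size_t avail)
{
    size_t take = size < avail ? size : avail;
    return KLSI_HDR_LEN + take;
}

/* Same computation for the patched call (size - KLSI_HDR_LEN bytes). */
static size_t fixed_write_end(size_t size, size_t avail)
{
    size_t want = size - KLSI_HDR_LEN;
    size_t take = want < avail ? want : avail;
    return KLSI_HDR_LEN + take;
}

/* Run the patched routine on a constructed fifo of `avail` bytes and a buffer
 * of `size` bytes followed by guard bytes. Returns the routine's return value,
 * -2 if any guard byte past buf[size] changed, -3 if inputs exceed MAX_CASE.
 * On success *header_out (if non-NULL) receives the decoded length header. */
static int run_fixed_case(size_t avail, size_t size, int *header_out)
{
    uint8_t payload[MAX_CASE];
    uint8_t buf[MAX_CASE + 16];
    struct fifo f;
    size_t i;
    int ret;

    if (avail > MAX_CASE || size > MAX_CASE)
        return -3;
    for (i = 0; i < avail; i++)
        payload[i] = (uint8_t)i;          /* constructed payload pattern */
    memset(buf, 0xAA, sizeof buf);        /* 0xAA marks untouched guard bytes */
    f.data = payload; f.len = avail; f.pos = 0;

    ret = prepare_write_buffer_fixed(&f, buf, size);
    for (i = size; i < sizeof buf; i++)
        if (buf[i] != 0xAA)
            return -2;
    if (ret >= 0 && header_out)
        *header_out = buf[0] | (buf[1] << 8);
    return ret;
}

/* Decoded length header after the patched routine ran, or -1 on error. */
static int fixed_header_value(size_t avail, size_t size)
{
    int hdr = -1;
    if (run_fixed_case(avail, size, &hdr) < 0)
        return -1;
    return hdr;
}

int main(void)
{
    size_t full = 100;   /* fifo holding more than bulk_out_size bytes */

    printf("unfixed call would write up to offset %zu of a %d-byte buffer\n",
           buggy_write_end(BULK_OUT_SIZE, full), BULK_OUT_SIZE);
    printf("patched call writes up to offset %zu\n", fixed_write_end(BULK_OUT_SIZE, full));
    printf("patched routine returned %d bytes, header %d\n",
           run_fixed_case(full, BULK_OUT_SIZE, NULL), fixed_header_value(full, BULK_OUT_SIZE));
    return 0;
}
```

With a full fifo, `buggy_write_end` reports offset 66 for a 64-byte buffer, the two-byte overrun the KASAN report above shows, while the patched path stops at 64 and the header carries the trimmed count of 62. The guard-byte check is the kind of assertion a unit test around a fixed-size transfer buffer should keep even after the fix lands.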