Commit b56cc41a authored Jul 26, 2025 by Arnaud Lecomte Committed by Benjamin Tissoires Aug 13, 2025

hid: fix I2C read buffer overflow in raw_event() for mcp2221



As reported by syzbot, mcp2221_raw_event lacked
validation of incoming I2C read data sizes, risking buffer
overflows in mcp->rxbuf during multi-part transfers.
As highlighted in the DS20005565B spec, p44, we have:
"The number of read-back data bytes to follow in this packet:
from 0 to a maximum of 60 bytes of read-back bytes."
This patch enforces we don't exceed this limit.

Reported-by:  <syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346


Tested-by:  <syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com>
Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
Link: https://patch.msgid.link/20250726220931.7126-1-contact@arnaud-lcm.com


Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>

parent 9fc51941

Show whitespace changes

Inline Side-by-side

CodeLinaro @codelinaro
mentioned in commit a4f3a206
· Nov 05, 2025

mentioned in commit a4f3a206

mentioned in commit a4f3a206e57efd703fbc02be9b84af15139ac3ea

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit cb7630e7
· Nov 05, 2025

mentioned in commit cb7630e7

mentioned in commit cb7630e714d692d11de24a3e4b2eb26fd303564d

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 51627f45
· Nov 05, 2025

mentioned in commit 51627f45

mentioned in commit 51627f45b304f2abfd5397ed39b639e70acf09b3

Toggle commit list

Please to comment