hid: fix I2C read buffer overflow in raw_event() for mcp2221 - kernel/linux.git

diff options

author	Arnaud Lecomte <contact@arnaud-lcm.com>	2025-07-27 01:09:31 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-10-12 13:57:18 +0300
commit	4827bd6548e0f143868261f79077fd4b096bfcf8 (patch)
tree	aac4efe8e1ca34adad4c5d2cdd747e0f18888dbf /scripts/gdb/linux/xarray.py
parent	647d6b8d22be12842fde6ed0c56859ebc615f21e (diff)
download	linux-4827bd6548e0f143868261f79077fd4b096bfcf8.tar.xz

hid: fix I2C read buffer overflow in raw_event() for mcp2221

commit b56cc41a3ae7323aa3c6165f93c32e020538b6d2 upstream. As reported by syzbot, mcp2221_raw_event lacked validation of incoming I2C read data sizes, risking buffer overflows in mcp->rxbuf during multi-part transfers. As highlighted in the DS20005565B spec, p44, we have: "The number of read-back data bytes to follow in this packet: from 0 to a maximum of 60 bytes of read-back bytes." This patch enforces we don't exceed this limit. Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346 Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com> Link: https://patch.msgid.link/20250726220931.7126-1-contact@arnaud-lcm.com Signed-off-by: Benjamin Tissoires <bentiss@kernel.org> Signed-off-by: Romain Sioen <romain.sioen@microchip.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'scripts/gdb/linux/xarray.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: