From: Greg Kroah-Hartman Date: Wed, 8 Oct 2025 05:55:44 +0000 (+0200) Subject: 6.16-stable patches X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2560e7d22586e39f55cdd951cb66b7f3e751882b;p=thirdparty%2Fkernel%2Fstable-queue.git 6.16-stable patches added patches: hid-fix-i2c-read-buffer-overflow-in-raw_event-for-mcp2221.patch
---
diff --git a/queue-6.16/hid-fix-i2c-read-buffer-overflow-in-raw_event-for-mcp2221.patch b/queue-6.16/hid-fix-i2c-read-buffer-overflow-in-raw_event-for-mcp2221.patch
new file mode 100644
index 0000000000..d8f9c73f00
--- /dev/null
+++ b/queue-6.16/hid-fix-i2c-read-buffer-overflow-in-raw_event-for-mcp2221.patch
@@ -0,0 +1,42 @@
+From b56cc41a3ae7323aa3c6165f93c32e020538b6d2 Mon Sep 17 00:00:00 2001
+From: Arnaud Lecomte
+Date: Sat, 26 Jul 2025 23:09:31 +0100
+Subject: hid: fix I2C read buffer overflow in raw_event() for mcp2221
+
+From: Arnaud Lecomte
+
+commit b56cc41a3ae7323aa3c6165f93c32e020538b6d2 upstream.
+
+As reported by syzbot, mcp2221_raw_event lacked
+validation of incoming I2C read data sizes, risking buffer
+overflows in mcp->rxbuf during multi-part transfers.
+As highlighted in the DS20005565B spec, p44, we have:
+"The number of read-back data bytes to follow in this packet:
+from 0 to a maximum of 60 bytes of read-back bytes."
+This patch enforces we don't exceed this limit.
+
+Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346
+Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
+Signed-off-by: Arnaud Lecomte
+Link: https://patch.msgid.link/20250726220931.7126-1-contact@arnaud-lcm.com
+Signed-off-by: Benjamin Tissoires
+Signed-off-by: Romain Sioen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-mcp2221.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/hid/hid-mcp2221.c
++++ b/drivers/hid/hid-mcp2221.c
+@@ -816,6 +816,10 @@ static int mcp2221_raw_event(struct hid_
+ }
+ if (data[2] == MCP2221_I2C_READ_COMPL ||
+ data[2] == MCP2221_I2C_READ_PARTIAL) {
++ if (!mcp->rxbuf || mcp->rxbuf_idx < 0 || data[3] > 60) {
++ mcp->status = -EINVAL;
++ break;
++ }
+ buf = mcp->rxbuf;
+ memcpy(&buf[mcp->rxbuf_idx], &data[4], data[3]);
+ mcp->rxbuf_idx = mcp->rxbuf_idx + data[3];
diff --git a/queue-6.16/series b/queue-6.16/series
index d92164e909..a39e9f2f1c 100644
--- a/queue-6.16/series
+++ b/queue-6.16/series
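Review bot: The guard added in the queued hid-mcp2221.c hunk caps `data[3]` at 60, which bounds how much is read from the report, but nothing visible bounds `mcp->rxbuf_idx + data[3]` against the size of the buffer `mcp->rxbuf` points to. A device that returns more read-back bytes across several partial responses than the caller asked for could therefore still drive the `memcpy` past the end of the destination. If the expected read length is not already tracked elsewhere, I would record it where `rxbuf` is set and extend the condition with `data[3] > rxbuf_len - mcp->rxbuf_idx` (`rxbuf_len` is a placeholder name, not a field shown on this page). The literal 60 would also read better as a named constant with a comment citing the datasheet limit, and it is worth confirming that the report `size` is checked before `data[3]` and `&data[4]` are used. mcp2221_raw_event starts and ends outside the hunk, so either check may already exist out of view.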
@@ -25,3 +25,4 @@ iommufd-warn-if-an-object-is-aborted-with-an-elevate.patch
 can-hi311x-fix-null-pointer-dereference-when-resumin.patch
 can-rcar_canfd-fix-controller-mode-setting.patch
 platform-x86-amd-pmc-add-stellaris-slim-gen6-amd-to-.patch
+hid-fix-i2c-read-buffer-overflow-in-raw_event-for-mcp2221.patch