git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Arnaud Lecomte <contact@arnaud-lcm.com>
	Sat, 26 Jul 2025 22:09:31 +0000 (23:09 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 15 Oct 2025 09:56:24 +0000 (11:56 +0200)
commit	a4f3a206e57efd703fbc02be9b84af15139ac3ea
tree	0838b7a6dbe1eb9e52fe75b00f646486ee969f66	tree
parent	c6a3c6693f145c8cddfc6b3624d59152358823e2	commit \| diff

hid: fix I2C read buffer overflow in raw_event() for mcp2221

commit b56cc41a3ae7323aa3c6165f93c32e020538b6d2 upstream.

As reported by syzbot, mcp2221_raw_event lacked
validation of incoming I2C read data sizes, risking buffer
overflows in mcp->rxbuf during multi-part transfers.
As highlighted in the DS20005565B spec, p44, we have:
"The number of read-back data bytes to follow in this packet:
from 0 to a maximum of 60 bytes of read-back bytes."
This patch enforces we don't exceed this limit.

Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346
Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
Link: https://patch.msgid.link/20250726220931.7126-1-contact@arnaud-lcm.com
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Romain Sioen <romain.sioen@microchip.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>