Commit b56cc41a authored Jul 26, 2025 by Arnaud Lecomte Committed by Benjamin Tissoires Aug 13, 2025

hid: fix I2C read buffer overflow in raw_event() for mcp2221



As reported by syzbot, mcp2221_raw_event lacked
validation of incoming I2C read data sizes, risking buffer
overflows in mcp->rxbuf during multi-part transfers.
As highlighted in the DS20005565B spec, p44, we have:
"The number of read-back data bytes to follow in this packet:
from 0 to a maximum of 60 bytes of read-back bytes."
This patch enforces we don't exceed this limit.

Reported-by:  <syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346


Tested-by:  <syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com>
Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
Link: https://patch.msgid.link/20250726220931.7126-1-contact@arnaud-lcm.com


Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>

parent 9fc51941

drivers/hid/hid-mcp2221.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -906,6 +906,10 @@ static int mcp2221_raw_event(struct hid_device *hdev,
		}
		if (data[2] == MCP2221_I2C_READ_COMPL \|\|
		data[2] == MCP2221_I2C_READ_PARTIAL) {
		if (!mcp->rxbuf \|\| mcp->rxbuf_idx < 0 \|\| data[3] > 60) {
		mcp->status = -EINVAL;
		break;
		}
		buf = mcp->rxbuf;
		memcpy(&buf[mcp->rxbuf_idx], &data[4], data[3]);
		mcp->rxbuf_idx = mcp->rxbuf_idx + data[3];