From: Sebastian Josue Alba Vives <sebasjosue84@gmail.com>
To: gupt21@gmail.com, jikos@kernel.org, bentiss@kernel.org
Cc: linux-i2c@vger.kernel.org, linux-input@vger.kernel.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
Sebastian Josue Alba Vives <sebasjosue84@gmail.com>
Subject: [PATCH] HID: mcp2221: validate report size in raw_event handler
Date: Tue, 24 Mar 2026 00:24:03 -0600
Message-ID: <20260324062403.341855-1-sebasjosue84@gmail.com>

mcp2221_raw_event() accesses the data buffer at offsets up to 55
without validating the size parameter. Since __hid_input_report()
invokes the driver's raw_event callback before
hid_report_raw_event() performs its own report-size validation, a
device sending a truncated HID report can cause out-of-bounds heap
reads in the kernel.

The most critical access is the memcpy from data[50] into
mcp->adc_values (6 bytes) when CONFIG_IIO is reachable. Other
unchecked accesses include data[20] and a memcpy at data[22].

Additionally, a memcpy with device-controlled length (data[3],
up to 60 bytes) from data[4] does not verify that size is large
enough to cover the copy.

MCP2221 devices use 64-byte HID reports. Add a check at the top of
the handler to reject any report shorter than expected.

Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Josue Alba Vives <sebasjosue84@gmail.com>
---
drivers/hid/hid-mcp2221.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c
index ef3b5c77c..fcac37491 100644
--- a/drivers/hid/hid-mcp2221.c
+++ b/drivers/hid/hid-mcp2221.c
@@ -851,6 +851,10 @@ static int mcp2221_raw_event(struct hid_device *hdev,
u8 *buf;
struct mcp2221 *mcp = hid_get_drvdata(hdev);
+ /* MCP2221 always sends 64-byte reports */
+ if (size < 64)
+ return 0;
+
switch (data[0]) {
case MCP2221_I2C_WR_DATA:
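
Review bot: The new `if (size < 64)` test at the top of mcp2221_raw_event() hard-codes the report length and discards a short report with no trace. A named constant for the 64-byte report size would keep the check and its comment from drifting apart, and a debug or rate-limited message that logs the received size would make a misbehaving device visible instead of silently ignored. Returning 0 also reports success for a report the driver did not process, so it is worth stating in the commit message why 0 was chosen over a negative errno. Finally, the check only covers the copy from data[4] if the data[3] length is held to the 60-byte limit the commit message mentions; that bound sits outside this hunk, so a sentence confirming where it is enforced would help reviewers.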
--
2.43.0