From: Wolfram Sang <wsa+renesas@sang-engineering.com>
To: Edward Adam Davis <eadavis@qq.com>
Cc: syzbot+64ca69977b37604cd6d9@syzkaller.appspotmail.com,
bentiss@kernel.org, jikos@kernel.org, linux-i2c@vger.kernel.org,
linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
michael.zaidman@gmail.com, syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] i2c: add sanity check for input SMBus data length
Date: Tue, 19 May 2026 11:43:46 +0200 [thread overview]
Message-ID: <agww0q1p3VZ5h9iv@shikoro> (raw)
In-Reply-To: <tencent_9443A8C45A37693763A6D7D3658367896405@qq.com>
[-- Attachment #1: Type: text/plain, Size: 1858 bytes --]
Hi,
thanks for your patch!
On Tue, Jan 20, 2026 at 09:47:02PM +0800, Edward Adam Davis wrote:
> The value passed to block[0] in the user-constructed data is too large,
> exceeding the length that data for SMBus messages can accommodate. This
> triggered the out-of-bounds access reported by syzbot [1].
>
> Adding relevant data size checks in the smbus ioctl can prevent this
> out-of-bounds access.
>
> [1]
> BUG: KASAN: stack-out-of-bounds in ft260_smbus_write+0x19b/0x2f0 drivers/hid/hid-ft260.c:486
> Read of size 42 at addr ffffc90003427d81 by task syz.2.65/6119
> Call Trace:
> ft260_smbus_write+0x19b/0x2f0 drivers/hid/hid-ft260.c:486
> ft260_smbus_xfer+0x22c/0x640 drivers/hid/hid-ft260.c:736
>
Did you look for a suitable Fixes tag?
> Reported-by: syzbot+64ca69977b37604cd6d9@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=64ca69977b37604cd6d9
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
> drivers/i2c/i2c-dev.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
> index e9577f920286..6725a49d6921 100644
> --- a/drivers/i2c/i2c-dev.c
> +++ b/drivers/i2c/i2c-dev.c
> @@ -378,6 +378,14 @@ static noinline int i2cdev_ioctl_smbus(struct i2c_client *client,
> (read_write == I2C_SMBUS_WRITE)) {
> if (copy_from_user(&temp, data, datasize))
> return -EFAULT;
> +
> + if (temp.block[0] > datasize) {
> + dev_dbg(&client->adapter->dev,
> + "user input data size (%u) is too big "
> + "in ioctl I2C_SMBUS.\n",
Strings stay in one line, please, even if they break the line length.
> + temp.block[0]);
> + return -EINVAL;
> + }
> }
> if (size == I2C_SMBUS_I2C_BLOCK_BROKEN) {
> /* Convert old I2C block commands to the new
Happy hacking,
Wolfram
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
prev parent reply other threads:[~2026-05-19 9:43 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-20 2:52 [syzbot] [input?] KASAN: stack-out-of-bounds Read in ft260_smbus_write syzbot
2026-01-20 13:47 ` [PATCH] i2c: add sanity check for input SMBus data length Edward Adam Davis
2026-05-19 9:43 ` Wolfram Sang [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=agww0q1p3VZ5h9iv@shikoro \
--to=wsa+renesas@sang-engineering.com \
--cc=bentiss@kernel.org \
--cc=eadavis@qq.com \
--cc=jikos@kernel.org \
--cc=linux-i2c@vger.kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=michael.zaidman@gmail.com \
--cc=syzbot+64ca69977b37604cd6d9@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox