From: Deepak Sharma
To: jikos@kernel.org
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linux.dev, Deepak Sharma, syzbot+7617e19c8a59edfbd879@syzkaller.appspotmail.com
Subject: [PATCH v2] HID: cp2112: Add parameter validation to data length
Date: Tue, 16 Sep 2025 10:40:55 +0530
Message-ID: <20250916051055.317581-1-deepak.sharma.472935@gmail.com>

This is v2 of the earlier patch, where a few bounds checks were unnecessarily strict. This patch also removes the use of magic numbers.

Syzkaller reported a stack OOB access in cp2112_write_req caused by a lack of parameter validation for the user input in the I2C SMBUS ioctl code flow in the report.

I2C device drivers are "responsible for checking all the parameters that come from user-space for validity", as specified in Documentation/i2c/dev-interface.

Add parameter validation for data->block[0] so that it is bounded by I2C_SMBUS_BLOCK_MAX plus the additional compatibility padding.

Reported-by: syzbot+7617e19c8a59edfbd879@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7617e19c8a59edfbd879
Signed-off-by: Deepak Sharma
---
 drivers/hid/hid-cp2112.c | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c
index 482f62a78c41..13dcd2470d92 100644
--- a/drivers/hid/hid-cp2112.c
+++ b/drivers/hid/hid-cp2112.c
@@ -689,7 +689,14 @@ static int cp2112_xfer(struct i2c_adapter *adap, u16 addr, count = cp2112_write_read_req(buf, addr, read_length, command, NULL, 0); } else { - count = cp2112_write_req(buf, addr, command, + /* Copy starts from data->block[1] so the length can + * be at max I2C_SMBUS_CLOCK_MAX + 1 + */ + + if (data->block[0] > I2C_SMBUS_BLOCK_MAX + 1) + count = -EINVAL; + else + count = cp2112_write_req(buf, addr, command, data->block + 1, data->block[0]); } @@ -700,7 +707,14 @@ static int cp2112_xfer(struct i2c_adapter *adap, u16 addr, I2C_SMBUS_BLOCK_MAX, command, NULL, 0); } else { - count = cp2112_write_req(buf, addr, command, + /* data_length here is data->block[0] + 1 + * so make sure that the data->block[0] is + * less than or equals I2C_SMBUS_BLOCK_MAX + 1 + */ + if (data->block[0] > I2C_SMBUS_BLOCK_MAX + 1) + count = -EINVAL; + else + count = cp2112_write_req(buf, addr, command, data->block, data->block[0] + 1); } @@ -709,7 +723,14 @@ static int cp2112_xfer(struct i2c_adapter *adap, u16 addr, size = I2C_SMBUS_BLOCK_DATA; read_write = I2C_SMBUS_READ; - count = cp2112_write_read_req(buf, addr, I2C_SMBUS_BLOCK_MAX, + /* data_length is data->block[0] + 1, so + * so data->block[0] should be less than or + * equal to the I2C_SMBUS_BLOCK_MAX + 1 + */ + if (data->block[0] > I2C_SMBUS_BLOCK_MAX + 1) + count = -EINVAL; + else + count = cp2112_write_read_req(buf, addr, I2C_SMBUS_BLOCK_MAX, command, data->block, data->block[0] + 1); break; -- 2.51.0
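Review bot: the comment in the first hunk (the I2C_SMBUS_BLOCK_DATA write path) names a constant that does not exist: "be at max I2C_SMBUS_CLOCK_MAX + 1" should read I2C_SMBUS_BLOCK_MAX, matching the check that follows it. The comment would also carry more weight if it said what the bound protects: data->block is I2C_SMBUS_BLOCK_MAX + 2 bytes (length byte plus one byte of user-space compatibility padding), so a copy starting at data->block + 1 of data->block[0] bytes stays inside the union only while data->block[0] <= I2C_SMBUS_BLOCK_MAX + 1. Drop the blank line between the closing `*/` and the `if`; kernel style keeps a comment attached to the statement it describes.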
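Review bot: in the second hunk (the I2C_SMBUS_I2C_BLOCK_DATA write path), "less than or equals I2C_SMBUS_BLOCK_MAX + 1" should read "less than or equal to". More substantively, the new test only guarantees that the data->block[0] + 1 byte copy stays inside data->block; it still lets a block one byte longer than I2C_SMBUS_BLOCK_MAX reach cp2112_write_req. If accepting that extra byte is deliberate because of the user-space compatibility padding the commit message mentions, state that in the comment, otherwise a later reader is likely to tighten the bound back to I2C_SMBUS_BLOCK_MAX.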
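Review bot: the comment in the third hunk (the I2C_SMBUS_BLOCK_PROC_CALL path) repeats a word across the line break: "data_length is data->block[0] + 1, so / so data->block[0] should be". This is also the third copy of the identical `if (data->block[0] > I2C_SMBUS_BLOCK_MAX + 1)` test, each with its own near-duplicate comment; consider validating data->block[0] once for the three block-transfer sizes before dispatching on size (or in a small static helper) so the bound and its rationale live in one place.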