From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 91803288C20;
	Tue,  2 Sep 2025 12:08:48 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1756814928; cv=none; b=d1gSG2L5qs2p2nNb84bffGD4neETAicMSnIHIRt9XEmQVWHvIhZuZKw6mshtCqzq7DiXDUDTVz87s8Mwuf4SYLeaFDfUx4uug35kguAE38/BeuqeSq2tueC3+NuSGsVbbcayihkTQb8cpOn+tEFJWIcmlRUQVwRVFy7eddvrK+I=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1756814928; c=relaxed/simple;
	bh=z9m46Ui7kqekWI0ueXhEf5xm8P5czmCtUkQnG7PP3yg=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type; b=oX0yvecG2NaqCtm2mvUJywB8w/YSvCF54+iTSga4QNTp9z6MBXwZjJa4OU5RvyIpOMJNvdLlLKXth0OP7GK6ux5MJVgzmq5UfpuKflDmhcoWFxkhAuFh4FJp8E16KETFlW/EG2+VoPCrd4ouISmfHnOOn83drib2QzZxgvqmH3Y=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=mYRCLF1j; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="mYRCLF1j"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3EE79C4CEED;
	Tue,  2 Sep 2025 12:08:47 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1756814928;
	bh=z9m46Ui7kqekWI0ueXhEf5xm8P5czmCtUkQnG7PP3yg=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=mYRCLF1j+/YojfuvLZL7oXtoGVOQWLuUB32mE1aXSJpjwDzu3EisP0befiO4sM9Zm
	 8Qeo+WAeK3YZuYMlQ/GPzAli27W18KDdTWjZHQpafb8JetDo8uT8kmh3NDshWg1Gc1
	 i0xlDy94cAwzgBPw+KDS4J4hRL3MHx5ZEGT3KP87pxyUCOYrajyYmz99w9/PH9pW0F
	 rW2wUTChuzScEqQYQLFpTEFen2DQjrU7z4Ac3K8/hNMGdkbKCXTBoCQcSolmdkKXhr
	 nYslGh9SNf0uJY0zgvb6zCQLCJHFnSYieInZrGBP/M0dpBfLh8CqG/KQs/ArnFwcwo
	 WTe3o46A6wUMg==
From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev,
	stable@vger.kernel.org
Cc: Arnaud Lecomte <contact@arnaud-lcm.com>,
	syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com,
	Benjamin Tissoires <bentiss@kernel.org>,
	Sasha Levin <sashal@kernel.org>,
	gupt21@gmail.com,
	jikos@kernel.org,
	linux-i2c@vger.kernel.org,
	linux-input@vger.kernel.org
Subject: [PATCH AUTOSEL 6.16-6.12] hid: fix I2C read buffer overflow in raw_event() for mcp2221
Date: Tue,  2 Sep 2025 08:08:19 -0400
Message-ID: <20250902120833.1342615-8-sashal@kernel.org>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20250902120833.1342615-1-sashal@kernel.org>
References: <20250902120833.1342615-1-sashal@kernel.org>
Precedence: bulk
X-Mailing-List: patches@lists.linux.dev
List-Id: <patches.lists.linux.dev>
List-Subscribe: <mailto:patches+subscribe@lists.linux.dev>
List-Unsubscribe: <mailto:patches+unsubscribe@lists.linux.dev>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
X-stable-base: Linux 6.16.4
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From: Arnaud Lecomte <contact@arnaud-lcm.com>

[ Upstream commit b56cc41a3ae7323aa3c6165f93c32e020538b6d2 ]

As reported by syzbot, mcp2221_raw_event lacked
validation of incoming I2C read data sizes, risking buffer
overflows in mcp->rxbuf during multi-part transfers.
As highlighted in the DS20005565B spec, p44, we have:
"The number of read-back data bytes to follow in this packet:
from 0 to a maximum of 60 bytes of read-back bytes."
This patch enforces we don't exceed this limit.

Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346
Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
Link: https://patch.msgid.link/20250726220931.7126-1-contact@arnaud-lcm.com
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

**Backport Status: YES**

This commit should definitely be backported to stable kernel trees.
Here's my extensive analysis:

## Security Impact Analysis

This is a **critical security vulnerability** - a buffer overflow in the
HID MCP2221 driver that was discovered and reported by syzbot. The
vulnerability occurs in `mcp2221_raw_event()` at line 820 (post-patch)
where the driver performs:

```c
memcpy(&buf[mcp->rxbuf_idx], &data[4], data[3]);
```

Without the fix, `data[3]` (which comes from untrusted USB HID input) is
used directly as the copy length without validation. According to the
hardware specification (DS20005565B, page 44), this value should never
exceed 60 bytes, but the driver wasn't enforcing this limit.

## Vulnerability Details

1. **Attack Vector**: A malicious USB device or compromised MCP2221
   device could send crafted HID reports with `data[3]` > 60, causing:
   - Buffer overflow in `mcp->rxbuf`
   - Potential arbitrary memory corruption
   - Possible privilege escalation or code execution

2. **The Fix**: The patch adds critical bounds checking:
```c
if (!mcp->rxbuf || mcp->rxbuf_idx < 0 || data[3] > 60) {
    mcp->status = -EINVAL;
    break;
}
```

This ensures:
- `mcp->rxbuf` is not NULL
- `mcp->rxbuf_idx` is not negative (preventing underflow)
- `data[3]` doesn't exceed the hardware's maximum of 60 bytes

## Stable Backport Criteria Assessment

✅ **Fixes a real bug affecting users**: Yes - security vulnerability
with potential for system compromise
✅ **Small and contained fix**: Yes - only 4 lines added, single
validation check
✅ **No major side effects**: The fix only adds validation, doesn't
change functionality
✅ **No architectural changes**: Simple bounds checking addition
✅ **Critical subsystem impact**: HID subsystem, but localized to one
driver
✅ **Already marked for stable**: The commit shows `[ Upstream commit
b56cc41a3ae7323aa3c6165f93c32e020538b6d2 ]` indicating it's already been
selected
✅ **Follows stable rules**: Critical security fix with minimal
regression risk
✅ **Tested by syzbot**: The fix was validated by the same fuzzer that
found the issue

## Additional Context

- The vulnerability was found through systematic fuzzing (syzbot),
  indicating it's reachable through normal USB HID operations
- The MCP2221 is a USB-to-I2C/UART converter chip commonly used in
  embedded systems and development boards
- Without this fix, any system with an MCP2221 device (or emulated
  device) is vulnerable to memory corruption attacks
- The fix is already upstream (commit
  b56cc41a3ae7323aa3c6165f93c32e020538b6d2) and has been tested

This is a textbook example of what should be backported to stable: a
simple, well-tested security fix that prevents a serious vulnerability
without introducing new features or complexity.

 drivers/hid/hid-mcp2221.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c
index 6c0ac14f11a6a..2cfc8e1a2912d 100644
--- a/drivers/hid/hid-mcp2221.c
+++ b/drivers/hid/hid-mcp2221.c
@@ -816,6 +816,10 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 			}
 			if (data[2] == MCP2221_I2C_READ_COMPL ||
 			    data[2] == MCP2221_I2C_READ_PARTIAL) {
+				if (!mcp->rxbuf || mcp->rxbuf_idx < 0 || data[3] > 60) {
+					mcp->status = -EINVAL;
+					break;
+				}
 				buf = mcp->rxbuf;
 				memcpy(&buf[mcp->rxbuf_idx], &data[4], data[3]);
 				mcp->rxbuf_idx = mcp->rxbuf_idx + data[3];
-- 
2.50.1