From: Greg KH <gregkh@linuxfoundation.org>
To: "Lecomte, Arnaud" <contact@arnaud-lcm.com>
Cc: Romain Sioen <romain.sioen@microchip.com>,
stable@vger.kernel.org, jikos@kernel.org,
syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
Subject: Re: [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221
Date: Tue, 7 Oct 2025 17:26:38 +0200 [thread overview]
Message-ID: <2025100716-rockfish-panda-9c4b@gregkh> (raw)
In-Reply-To: <3a44a61b-bd60-4dec-a5e6-8ad064203f2b@arnaud-lcm.com>
On Tue, Oct 07, 2025 at 05:23:17PM +0200, Lecomte, Arnaud wrote:
>
> On 07/10/2025 15:16, Greg KH wrote:
> > On Tue, Oct 07, 2025 at 03:08:11PM +0200, Romain Sioen wrote:
> > > From: Arnaud Lecomte <contact@arnaud-lcm.com>
> > >
> > > [ Upstream commit b56cc41a3ae7323aa3c6165f93c32e020538b6d2 ]
> > >
> > > As reported by syzbot, mcp2221_raw_event lacked
> > > validation of incoming I2C read data sizes, risking buffer
> > > overflows in mcp->rxbuf during multi-part transfers.
> > > As highlighted in the DS20005565B spec, p44, we have:
> > > "The number of read-back data bytes to follow in this packet:
> > > from 0 to a maximum of 60 bytes of read-back bytes."
> > > This patch enforces we don't exceed this limit.
> > >
> > > Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
> > > Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346
> > > Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
> > > Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
> > > Link: https://patch.msgid.link/20250726220931.7126-1-contact@arnaud-lcm.com
> > > Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
> > > [romain.sioen@microchip.com: backport to stable, up to 6.12. Add "Fixes" tag]
> > I don't see a fixes tag :(
> Hey, I am the author of the patch. I can find the fixes tag if this looks
> good to you.
There's no need for a fixes tag, just let us know where you want this
backported to.
thanks,
greg k-h
next prev parent reply other threads:[~2025-10-07 15:26 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-07 13:08 [PATCH 0/1] Backport request: Fix reading issue on mcp2221 Romain Sioen
2025-10-07 13:08 ` [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221 Romain Sioen
2025-10-07 13:16 ` Greg KH
2025-10-07 15:23 ` Lecomte, Arnaud
2025-10-07 15:26 ` Greg KH [this message]
2025-10-08 6:50 ` Lecomte, Arnaud
2025-10-08 8:22 ` romain.sioen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2025100716-rockfish-panda-9c4b@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=contact@arnaud-lcm.com \
--cc=jikos@kernel.org \
--cc=romain.sioen@microchip.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox