Re: [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: <romain.sioen@microchip.com>
To: "Lecomte, Arnaud" <contact@arnaud-lcm.com>,
	Greg KH <gregkh@linuxfoundation.org>,
	Romain Sioen - M70749 <Romain.Sioen@microchip.com>,
	"stable@vger.kernel.org" <stable@vger.kernel.org>,
	"jikos@kernel.org" <jikos@kernel.org>,
	"syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com"
	<syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com>
Subject: Re: [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221
Date: Wed, 8 Oct 2025 10:22:46 +0200	[thread overview]
Message-ID: <6f27f897-8d09-4e8b-9265-79bf7df2b15e@microchip.com> (raw)
In-Reply-To: <1eea8c34-8c96-4e0b-a255-8679f6d4ae00@arnaud-lcm.com>

Hi all,

On 10/8/25 8:50 AM, "Lecomte, Arnaud" <contact@arnaud-lcm.com> wrote:
> EXTERNAL EMAIL: Do not click links or open attachments unless you know 
> the content is safe
> 
> On 07/10/2025 17:26, Greg KH wrote:
> > On Tue, Oct 07, 2025 at 05:23:17PM +0200, Lecomte, Arnaud wrote:
> >> On 07/10/2025 15:16, Greg KH wrote:
> >>> On Tue, Oct 07, 2025 at 03:08:11PM +0200, Romain Sioen wrote:
> >>>> From: Arnaud Lecomte <contact@arnaud-lcm.com>
> >>>>
> >>>> [ Upstream commit b56cc41a3ae7323aa3c6165f93c32e020538b6d2 ]
> >>>>
> >>>> As reported by syzbot, mcp2221_raw_event lacked
> >>>> validation of incoming I2C read data sizes, risking buffer
> >>>> overflows in mcp->rxbuf during multi-part transfers.
> >>>> As highlighted in the DS20005565B spec, p44, we have:
> >>>> "The number of read-back data bytes to follow in this packet:
> >>>> from 0 to a maximum of 60 bytes of read-back bytes."
> >>>> This patch enforces we don't exceed this limit.
> >>>>
> >>>> Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
> >>>> Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346
> >>>> Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
> >>>> Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
> >>>> Link: https://patch.msgid.link/20250726220931.7126-1- 
> >>>> contact@arnaud-lcm.com
> >>>> Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
> >>>> [romain.sioen@microchip.com: backport to stable, up to 6.12. Add 
> >>>> "Fixes" tag]
> >>> I don't see a fixes tag :(
> >> Hey, I am the author of the patch. I can find the fixes tag if this 
> >> looks
> >> good to you.
> > There's no need for a fixes tag, just let us know where you want this
> > backported to.
> The ones, you already did the back-port to, seems good enough for me,
> Thanks Greg :)
> > thanks,
> >
> > greg k-h
> Arnaud
> 

Sorry for the confusion, I didn't put a tag indeed. I just wanted to backport this
patch to previous LTS versions 5.10, 5.15, 6.1, 6.6 and 6.12 as we need it to solve 
a bug. I tested it in all these stable versions and can confirm that it compiles correctly.
This is in the continuity of a backport request I made 1 month ago which has been accepted
and merged.

Thank you for your help,

Romain

     prev parent reply	other threads:[~2025-10-08  8:23 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-10-07 13:08 [PATCH 0/1] Backport request: Fix reading issue on mcp2221 Romain Sioen
2025-10-07 13:08 ` [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221 Romain Sioen
2025-10-07 13:16   ` Greg KH
2025-10-07 15:23     ` Lecomte, Arnaud
2025-10-07 15:26       ` Greg KH
2025-10-08  6:50         ` Lecomte, Arnaud
2025-10-08  8:22           ` romain.sioen [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6f27f897-8d09-4e8b-9265-79bf7df2b15e@microchip.com \
    --to=romain.sioen@microchip.com \
    --cc=contact@arnaud-lcm.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=jikos@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox