| Message ID | 20220620162824.58937-1-harshit.m.mogalapalli@oracle.com |
|---|---|
| State | Accepted |
| Commit | 62ac2473553a00229e67bdf3cb023b62cf7f5a9a |
| Headers | show |
| Series | HID: mcp2221: prevent a buffer overflow in mcp_smbus_write() | expand |
On Mon, 20 Jun 2022, Harshit Mogalapalli wrote: > Smatch Warning: > drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy() > '&mcp->txbuf[5]' too small (59 vs 255) > drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy() 'buf' > too small (34 vs 255) > > The 'len' variable can take a value between 0-255 as it can come from > data->block[0] and it is user data. So add an bound check to prevent a > buffer overflow in memcpy(). > > Fixes: 67a95c21463d ("HID: mcp2221: add usb to i2c-smbus host bridge") > Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> Applied, thanks.
diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c index 4211b9839209..de52e9f7bb8c 100644 --- a/drivers/hid/hid-mcp2221.c +++ b/drivers/hid/hid-mcp2221.c @@ -385,6 +385,9 @@ static int mcp_smbus_write(struct mcp2221 *mcp, u16 addr, data_len = 7; break; default: + if (len > I2C_SMBUS_BLOCK_MAX) + return -EINVAL; + memcpy(&mcp->txbuf[5], buf, len); data_len = len + 5; }
Smatch Warning: drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy() '&mcp->txbuf[5]' too small (59 vs 255) drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy() 'buf' too small (34 vs 255) The 'len' variable can take a value between 0-255 as it can come from data->block[0] and it is user data. So add an bound check to prevent a buffer overflow in memcpy(). Fixes: 67a95c21463d ("HID: mcp2221: add usb to i2c-smbus host bridge") Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> --- I believe I2C_SMBUS_BLOCK_MAX (32) is the appropriate limit to use here but the &mcp->txbuf[5] array could actually fit 59 bytes which is the destination in this case. I don't know why the buffer is larger than expected. drivers/hid/hid-mcp2221.c | 3 +++ 1 file changed, 3 insertions(+)