linux-input.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] HID: mcp2221: prevent a buffer overflow in mcp_smbus_write()
@ 2022-06-20 16:28 Harshit Mogalapalli
       [not found] ` <CALUj-gtbja9aPo1yUdGkFNEr4nYf7nhO4X6NSK5QQSQkHex+NQ@mail.gmail.com>
  2022-07-21  9:55 ` Jiri Kosina
  0 siblings, 2 replies; 3+ messages in thread
From: Harshit Mogalapalli @ 2022-06-20 16:28 UTC (permalink / raw)
  Cc: harshit.m.mogalapalli, dan.carpenter, Rishi Gupta, Jiri Kosina,
	Benjamin Tissoires, linux-i2c, linux-input, linux-kernel

Smatch Warning:
drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy()
'&mcp->txbuf[5]' too small (59 vs 255)
drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy() 'buf'
too small (34 vs 255)

The 'len' variable can take a value between 0-255 as it can come from
data->block[0] and it is user data. So add an bound check to prevent a
buffer overflow in memcpy().

Fixes: 67a95c21463d ("HID: mcp2221: add usb to i2c-smbus host bridge")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
---
I believe I2C_SMBUS_BLOCK_MAX (32) is the appropriate limit to use here
but the &mcp->txbuf[5] array could actually fit 59 bytes which is the
destination in this case. I don't know why the buffer is larger than
expected.

 drivers/hid/hid-mcp2221.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c
index 4211b9839209..de52e9f7bb8c 100644
--- a/drivers/hid/hid-mcp2221.c
+++ b/drivers/hid/hid-mcp2221.c
@@ -385,6 +385,9 @@ static int mcp_smbus_write(struct mcp2221 *mcp, u16 addr,
 		data_len = 7;
 		break;
 	default:
+		if (len > I2C_SMBUS_BLOCK_MAX)
+			return -EINVAL;
+
 		memcpy(&mcp->txbuf[5], buf, len);
 		data_len = len + 5;
 	}
-- 
2.31.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] HID: mcp2221: prevent a buffer overflow in mcp_smbus_write()
       [not found] ` <CALUj-gtbja9aPo1yUdGkFNEr4nYf7nhO4X6NSK5QQSQkHex+NQ@mail.gmail.com>
@ 2022-06-21  6:35   ` Dan Carpenter
  0 siblings, 0 replies; 3+ messages in thread
From: Dan Carpenter @ 2022-06-21  6:35 UTC (permalink / raw)
  To: Rishi Gupta
  Cc: Harshit Mogalapalli, Jiri Kosina, Benjamin Tissoires, Linux I2C,
	open list:HID CORE LAYER, lkml

On Mon, Jun 20, 2022 at 11:58:27AM -0700, Rishi Gupta wrote:
> Hi Harshit,
> 
> Can you check the datasheet for correct buffer sizes please. Then
> accordingly we will decide next step.
> 

No, we don't have access to the data sheets.  This is the exact same
bug as the following patches:

381583845d19 ("HID: cp2112: prevent a buffer overflow in cp2112_xfer()")
690b2549b195 ("i2c: ismt: prevent memory corruption in ismt_access()")

The patch should fix the memory corruption but there may be other issues
with this code.

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] HID: mcp2221: prevent a buffer overflow in mcp_smbus_write()
  2022-06-20 16:28 [PATCH] HID: mcp2221: prevent a buffer overflow in mcp_smbus_write() Harshit Mogalapalli
       [not found] ` <CALUj-gtbja9aPo1yUdGkFNEr4nYf7nhO4X6NSK5QQSQkHex+NQ@mail.gmail.com>
@ 2022-07-21  9:55 ` Jiri Kosina
  1 sibling, 0 replies; 3+ messages in thread
From: Jiri Kosina @ 2022-07-21  9:55 UTC (permalink / raw)
  To: Harshit Mogalapalli
  Cc: dan.carpenter, Rishi Gupta, Benjamin Tissoires, linux-i2c,
	linux-input, linux-kernel

On Mon, 20 Jun 2022, Harshit Mogalapalli wrote:

> Smatch Warning:
> drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy()
> '&mcp->txbuf[5]' too small (59 vs 255)
> drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy() 'buf'
> too small (34 vs 255)
> 
> The 'len' variable can take a value between 0-255 as it can come from
> data->block[0] and it is user data. So add an bound check to prevent a
> buffer overflow in memcpy().
> 
> Fixes: 67a95c21463d ("HID: mcp2221: add usb to i2c-smbus host bridge")
> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>

Applied, thanks.

-- 
Jiri Kosina
SUSE Labs


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-07-21  9:55 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-20 16:28 [PATCH] HID: mcp2221: prevent a buffer overflow in mcp_smbus_write() Harshit Mogalapalli
     [not found] ` <CALUj-gtbja9aPo1yUdGkFNEr4nYf7nhO4X6NSK5QQSQkHex+NQ@mail.gmail.com>
2022-06-21  6:35   ` Dan Carpenter
2022-07-21  9:55 ` Jiri Kosina

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).