diff mbox series

HID: mcp2221: prevent a buffer overflow in mcp_smbus_write()

Message ID 20220620162824.58937-1-harshit.m.mogalapalli@oracle.com (mailing list archive)
State Mainlined
Commit 62ac2473553a00229e67bdf3cb023b62cf7f5a9a
Delegated to: Jiri Kosina
Headers show
Series HID: mcp2221: prevent a buffer overflow in mcp_smbus_write() | expand

Commit Message

Harshit Mogalapalli June 20, 2022, 4:28 p.m. UTC 
Smatch Warning:
drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy()
'&mcp->txbuf[5]' too small (59 vs 255)
drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy() 'buf'
too small (34 vs 255)

The 'len' variable can take a value between 0-255 as it can come from
data->block[0] and it is user data. So add an bound check to prevent a
buffer overflow in memcpy().

Fixes: 67a95c21463d ("HID: mcp2221: add usb to i2c-smbus host bridge")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
---
I believe I2C_SMBUS_BLOCK_MAX (32) is the appropriate limit to use here
but the &mcp->txbuf[5] array could actually fit 59 bytes which is the
destination in this case. I don't know why the buffer is larger than
expected.

 drivers/hid/hid-mcp2221.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Dan Carpenter June 21, 2022, 6:35 a.m. UTC | #1 
On Mon, Jun 20, 2022 at 11:58:27AM -0700, Rishi Gupta wrote:
> Hi Harshit,
> 
> Can you check the datasheet for correct buffer sizes please. Then
> accordingly we will decide next step.
> 

No, we don't have access to the data sheets.  This is the exact same
bug as the following patches:

381583845d19 ("HID: cp2112: prevent a buffer overflow in cp2112_xfer()")
690b2549b195 ("i2c: ismt: prevent memory corruption in ismt_access()")

The patch should fix the memory corruption but there may be other issues
with this code.

regards,
dan carpenter
Jiri Kosina July 21, 2022, 9:55 a.m. UTC | #2 
On Mon, 20 Jun 2022, Harshit Mogalapalli wrote:

> Smatch Warning:
> drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy()
> '&mcp->txbuf[5]' too small (59 vs 255)
> drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy() 'buf'
> too small (34 vs 255)
> 
> The 'len' variable can take a value between 0-255 as it can come from
> data->block[0] and it is user data. So add an bound check to prevent a
> buffer overflow in memcpy().
> 
> Fixes: 67a95c21463d ("HID: mcp2221: add usb to i2c-smbus host bridge")
> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>

Applied, thanks.
diff mbox series

Patch

diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c
index 4211b9839209..de52e9f7bb8c 100644
--- a/drivers/hid/hid-mcp2221.c
+++ b/drivers/hid/hid-mcp2221.c
@@ -385,6 +385,9 @@  static int mcp_smbus_write(struct mcp2221 *mcp, u16 addr,
 		data_len = 7;
 		break;
 	default:
+		if (len > I2C_SMBUS_BLOCK_MAX)
+			return -EINVAL;
+
 		memcpy(&mcp->txbuf[5], buf, len);
 		data_len = len + 5;
 	}