Re: [PATCH] HID: mcp2221: Fix heap buffer overflow in mcp2221_raw_event()

Next message: Nhat Pham: "Re: [PATCH 2/3] mm/zswap: Implement proactive writeback"
Previous message: Michael S. Tsirkin: "Re: [PATCH resend v6 17/30] mm: page_alloc: propagate PageReported flag across buddy splits"
Next in thread: Beno&#xEE;t Sevens: "Re: [PATCH] HID: mcp2221: Fix heap buffer overflow in mcp2221_raw_event()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jiri Kosina

Date: Tue May 12 2026 - 11:52:53 EST

On Wed, 15 Apr 2026, Benoit Sevens wrote:

> From: Benoît Sevens <bsevens@xxxxxxxxxx>
>
> A heap buffer overflow can occur in the mcp2221_raw_event() function
> when handling I2C read responses. The driver failed to check if the
> total incoming data length fits within the originally allocated buffer
> `mcp->rxbuf`.
>
> Fix this by introducing `rxbuf_len` to `struct mcp2221` to keep track
> of the allocated buffer size. Initialize it in `mcp_i2c_smbus_read()`
> and `mcp_smbus_xfer()`, and ensure the copied data length combined with
> the current index does not exceed this length in `mcp2221_raw_event()`.
>
> Signed-off-by: Benoît Sevens <bsevens@xxxxxxxxxx>

Unfortunately the patch seems to have been somehow mangled by your mail
client:

patching file drivers/hid/hid-mcp2221.c
Hunk #1 succeeded at 126 (offset 7 lines).
Hunk #2 FAILED at 324.
patch: **** malformed patch at line 173: u16 addr,

Fix for the same issue has later been submitted by Florian Pradines [1],
so I will be taking that one and adding you as Reported-by: or so, ok?

Thanks.

[1] https://lore.kernel.org/all/20260509094517.2691246-1-florian.pradines@xxxxxxxxx/

--
Jiri Kosina
SUSE Labs