Re: [PATCH v2] Input/mouse: cyapa - fix potential buffer overflow in cyapa_gen3.c
From: Dmitry Torokhov
Date: Thu Oct 17 2024 - 20:32:10 EST

Hi,

On Thu, Oct 17, 2024 at 04:01:04PM +0800, itewqq wrote:
> The i2c_smbus_read_block_data function receives up to I2C_SMBUS_BLOCK_MAX
> bytes, which is defined as 32. This exceeds the size of the struct
> cyapa_reg_data, which will be provided to cyapa_read_block as an input
> buffer and finally reach i2c_smbus_read_block_data. When the cyapa module
> is enabled (CONFIG_MOUSE_CYAPA=m), this bug could result in potential
> denial-of-service for invalid or malicious I2C data. Pad the size of the
> cyapa_reg_data structure from 27 to I2C_SMBUS_BLOCK_MAX=32 bytes to
> address this issue.

No, I don't think padding all buffers is a good idea. We need to change
i2c_smbus_read_block_data() to accept the buffer size so that it does
not copy more than it should.

I sent a patch to i2c list and CCed you.

Thanks.

--
Dmitry
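
The size mismatch discussed in this thread, as an added userspace model (not code from the patch, the cyapa driver or the i2c core): a block read whose length comes from the device, against a variant that takes the caller's buffer size. The names wire_reply, unsized_read_overrun, sized_block_read and sized_read_demo are hypothetical, the reply bytes are constructed, and rejecting an oversized reply rather than truncating it is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_MAX     32  /* I2C_SMBUS_BLOCK_MAX as quoted in the thread */
#define REG_DATA_SIZE 27  /* struct cyapa_reg_data size as quoted in the thread */

/* Constructed wire reply: a device-chosen count byte followed by payload. */
struct wire_reply { uint8_t count; uint8_t data[BLOCK_MAX]; };

/* Model of the unsized read: reports how many bytes would land past a
 * dst_size-byte buffer. It performs no copy, so the demo stays memory-safe. */
size_t unsized_read_overrun(uint8_t count, size_t dst_size)
{
    size_t n = count > BLOCK_MAX ? BLOCK_MAX : count;
    return n > dst_size ? n - dst_size : 0;
}

/* Hypothetical sized variant: returns bytes copied, or -1 when the reply is
 * malformed or does not fit (rejecting instead of truncating is an assumption). */
int sized_block_read(const struct wire_reply *r, uint8_t *dst, size_t dst_size)
{
    if (r->count == 0 || r->count > BLOCK_MAX || r->count > dst_size)
        return -1;
    memcpy(dst, r->data, r->count);
    return r->count;
}

/* Reads a constructed reply into a 27-byte buffer followed by a guard region;
 * returns the read result, or -2 if any guard byte was modified. */
int sized_read_demo(uint8_t count)
{
    struct { uint8_t buf[REG_DATA_SIZE]; uint8_t guard[BLOCK_MAX - REG_DATA_SIZE]; } s;
    struct wire_reply r = { .count = count };
    memset(&s, 0xAA, sizeof s);
    memset(r.data, 0x55, sizeof r.data);
    int rc = sized_block_read(&r, s.buf, sizeof s.buf);
    for (size_t i = 0; i < sizeof s.guard; i++)
        if (s.guard[i] != 0xAA) return -2;
    return rc;
}

int main(void)
{
    printf("unsized, count=32: %zu bytes past the buffer\n", unsized_read_overrun(32, REG_DATA_SIZE));
    printf("sized, count=32: %d\n", sized_read_demo(32));
    printf("sized, count=27: %d\n", sized_read_demo(27));
    return 0;
}
```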