Re: [PATCH] HID: mcp2221: fix slab out-of-bounds in mcp2221_raw_event

Next message: Jason A. Donenfeld: "[PATCH libcrypto 2/2] crypto: chacha20poly1305: statically check fixed array lengths"
Previous message: Jason A. Donenfeld: "[PATCH libcrypto 1/2] array_size: introduce min_array_size() function decoration"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jiri Kosina

Date: Tue Nov 18 2025 - 12:03:08 EST

On Mon, 3 Nov 2025, Atharv Dubey wrote:

> Fixes an out-of-bounds read triggered by malformed HID input reports.
>
> Fixes: 3a8660878839 ("HID: mcp2221: add support for MCP2221 HID adapter")

The commit hash and the commit name don't match.

3a8660878839 is a Makefile update to reflect new kernel version, and
commit with shortlog "HID: mcp2221: add support for MCP2221 HID adapter"
doesn't seem to exist ...

> Reported-by: syzbot+1018672fe70298606e5f@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=1018672fe70298606e5f
> Signed-off-by: Atharv Dubey <atharvd440@xxxxxxxxx>
> ---
> drivers/hid/hid-mcp2221.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c
> index a9fd7648515d..c97f0acbac8b 100644
> --- a/drivers/hid/hid-mcp2221.c
> +++ b/drivers/hid/hid-mcp2221.c
> @@ -945,7 +945,7 @@ static int mcp2221_raw_event(struct hid_device *hdev,
> switch (data[1]) {
> case MCP2221_SUCCESS:
> if ((data[mcp->gp_idx] == MCP2221_ALT_F_NOT_GPIOV) ||
> - (mcp->gp_idx > 0 &&data[mcp->gp_idx - 1] == MCP2221_ALT_F_NOT_GPIOV)) {

... nor does this code.

What tree is this patch against?

--
Jiri Kosina
SUSE Labs