[PATCH] i2c: core-smbus: validate block size in __i2c_smbus_xfer() for native SMBus path
From: Rostislav Nesin
Date: Mon Feb 16 2026 - 03:55:12 EST
In the native SMBus path, data->block[0] specifies the data length
for block transfers. When the adapter provides a native smbus_xfer,
__i2c_smbus_xfer() calls it without any prior validation of
data->block[0], so every native SMBus adapter (e.g. hid-ft260,
hid-mcp2221) is exposed to out-of-bounds access if userspace passes
block[0] > 32.
This triggered the following out-of-bounds access reported by syzbot
in the hid-ft260 driver:
BUG: KASAN: stack-out-of-bounds in ft260_smbus_write+0x19b/0x2f0
drivers/hid/hid-ft260.c:486
Read of size 42 at addr ffffc90003427d81 by task syz.2.65/6119
CPU: 0 UID: 0 PID: 6119 Comm: syz.2.65 Not tainted syzkaller #0
PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 10/25/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:194 [inline]
kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200
__asan_memcpy+0x23/0x60 mm/kasan/shadow.c:105
ft260_smbus_write+0x19b/0x2f0 drivers/hid/hid-ft260.c:486
ft260_smbus_xfer+0x22c/0x640 drivers/hid/hid-ft260.c:736
__i2c_smbus_xfer drivers/i2c/i2c-core-smbus.c:591 [inline]
__i2c_smbus_xfer+0x4f0/0xf60 drivers/i2c/i2c-core-smbus.c:554
i2c_smbus_xfer drivers/i2c/i2c-core-smbus.c:546 [inline]
i2c_smbus_xfer+0x200/0x3c0 drivers/i2c/i2c-core-smbus.c:536
i2cdev_ioctl_smbus+0x237/0x990 drivers/i2c/i2c-dev.c:389
i2cdev_ioctl+0x361/0x840 drivers/i2c/i2c-dev.c:478
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Add validation for data->block[0] > I2C_SMBUS_BLOCK_MAX for
I2C_SMBUS_BLOCK_DATA, I2C_SMBUS_I2C_BLOCK_DATA and
I2C_SMBUS_BLOCK_PROC_CALL cases to avoid out-of-bounds access.
For I2C_SMBUS_BLOCK_DATA validate only on WRITE: on READ the length
comes from the device (Count byte, see smbus-protocol.rst). For
I2C_SMBUS_I2C_BLOCK_DATA and I2C_SMBUS_BLOCK_PROC_CALL the write phase
uses block[0] from the caller, so validate in both cases.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Reported-by: syzbot+64ca69977b37604cd6d9@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=64ca69977b37604cd6d9
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Rostislav Nesin <ssp.nesin@xxxxxxx>
---
drivers/i2c/i2c-core-smbus.c | 34 ++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/drivers/i2c/i2c-core-smbus.c b/drivers/i2c/i2c-core-smbus.c
--- a/drivers/i2c/i2c-core-smbus.c
+++ b/drivers/i2c/i2c-core-smbus.c
@@ -575,6 +575,40 @@ s32 __i2c_smbus_xfer(struct i2c_adapter *adapter, u16 addr,
flags &= I2C_M_TEN | I2C_CLIENT_PEC | I2C_CLIENT_SCCB;
+ if (data) {
+ switch (protocol) {
+ case I2C_SMBUS_BLOCK_DATA:
+ if (read_write == I2C_SMBUS_WRITE &&
+ data->block[0] > I2C_SMBUS_BLOCK_MAX) {
+ dev_err(&adapter->dev,
+ "Invalid block write size %d\n",
+ data->block[0]);
+ return -EINVAL;
+ }
+ break;
+ case I2C_SMBUS_I2C_BLOCK_DATA:
+ if (data->block[0] > I2C_SMBUS_BLOCK_MAX) {
+ dev_err(&adapter->dev,
+ "Invalid block %s size %d\n",
+ read_write == I2C_SMBUS_READ ?
+ "read" : "write",
+ data->block[0]);
+ return -EINVAL;
+ }
+ break;
+ case I2C_SMBUS_BLOCK_PROC_CALL:
+ if (data->block[0] > I2C_SMBUS_BLOCK_MAX) {
+ dev_err(&adapter->dev,
+ "Invalid block write size %d\n",
+ data->block[0]);
+ return -EINVAL;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+
xfer_func = adapter->algo->smbus_xfer;
if (i2c_in_atomic_xfer_mode()) {
if (adapter->algo->smbus_xfer_atomic)
--
2.34.1