From nobody Thu Oct  2 14:22:15 2025
Received: from mail-pg1-f177.google.com (mail-pg1-f177.google.com
 [209.85.215.177])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id E5DAF25F988
	for <linux-kernel@vger.kernel.org>; Tue, 16 Sep 2025 05:12:56 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.215.177
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1757999579; cv=none;
 b=E6C/qlQ5f5pcCVq+KwOlVK2AFCwSCXWL9xaGFndibOKga+ngmPyU3zErOqAysl8uR+keVmk1Ivj1cwQHuH4yf4mOwmaTMjYei3EfXysC7EjbhR0Q9HA1bhOn9dNzcMm1KFxv8dwqNQwG/tVpuKDZXHiysOaI8fFjShgpHRueSlA=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1757999579; c=relaxed/simple;
	bh=YCagT15TJjexqc1Up8uabF4bbwgjLWA6JZqJVkY1Ick=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=uPbX+toVNcnp6lLX6DlKGDJoJj3ct3am41baMx4FlsZSy1rulcwRqS4lmZIJQgusqPrv2fbYmKXYA7y2TXnW43oIxvDukREcILMBRLlsV5ZjhECnRZa/Oo0rBvaeiAz9eNruWx85m0FAl/d4EYhgX9Z46OVejimkG99OpdQqsnU=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=l9HdjQS1; arc=none smtp.client-ip=209.85.215.177
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="l9HdjQS1"
Received: by mail-pg1-f177.google.com with SMTP id
 41be03b00d2f7-b54b55c6eabso2954466a12.2
        for <linux-kernel@vger.kernel.org>;
 Mon, 15 Sep 2025 22:12:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1757999576; x=1758604376;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=cBOq3NZ+rM2h9sy3fGHWYF48a38jqJCkuNGc5MxKF+A=;
        b=l9HdjQS12U4qnpW3qm+sVeeDpgaAqXXT7kyu9Y+UNv+E6HOgJ3PJjhBv4o/xI1zlAa
         tOBrrFwLyXa0j5PNKdIhpHGgMfeCh0e6xrr19Fg+lnyuiU3aKWVwWmPtW7DiN2/jtKdp
         vx5IXI/iUqXxh3fNSnP4uYZCOM2AdICJVrdZDYSPYB53xJEuoHxusBoqNXjUdgN5/Bbe
         uD7sra6ZYzf4GOxdA8/pTNiJWYBykDEXm0e9Xeh3leHV4xTxAgUm6a61CRwWyAmoN6QQ
         ly5nXNJYkS+YGJWHYnU8T1HFMbplQ2By/jQaLK/LjgmAQ5J0sIerHuPw3nLKHrHDw4fQ
         rYVA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1757999576; x=1758604376;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=cBOq3NZ+rM2h9sy3fGHWYF48a38jqJCkuNGc5MxKF+A=;
        b=WfTA0QQz7Jb0agWv+czbd7Ao47h80X++9MWVA4iKudlCM4f5FdsmP3rg6zoo5HcdNe
         sVrQz4sjdh6v5UROQTHChzaWia1fmpqh+7pex++sxn7XxOgUjY9gySimof++kBQoznvG
         gBky2AC875Ih3KQWnZIdIilyFJJKZ8kdm+LtbUyfYMk/geC2vogBp6TXXtBFBhKfIDLt
         jh95YGUGKAKYD0Zs4Qehhz2RE5r+QoejE0wF/prYVFdRpw4I7v5Q7HvbOMlijYgewApW
         GGexlqqIn06v5VpuQUNKsq0JXxo6pOlUQjZQK9A6lgck9YQTte5hcIxoMKAeJ8MMViPP
         yCbA==
X-Forwarded-Encrypted: i=1;
 AJvYcCXjvLTUJockOeqqPIPwwz7Qd/BTe+MBOXN/QphbLVNcEQ0kzQO1wfYoT5j2Urdt39BksPIdA8bOgVxf9dY=@vger.kernel.org
X-Gm-Message-State: AOJu0Yzuau0qesdzIuBBXTKOKGn68IC3w+Ldjw5I4+RvFIJISFoJ74JN
	a1qw24mJtKdblZpwVaRFCWEcl2qT+nkeoakie2aQo6O4FmrxrrnQSsW9
X-Gm-Gg: ASbGncu07gtjTr1s7/9fpsuQtJnwJIuxAgvCczuLo2FXEL5JM1b9gaYmBukFjMDNet6
	0CmG8xh4JegUKF9X63vZqB0IPOoZ57B7A57J4O2Ilz7MKkV//hmX9GjdOYxRGyV1XUlzOQyIBJ5
	WUX+mSWvU7QbkXiOSSOSFpxDhzXJMGRhWtXSn3eGYEhHuDQAzY8cv2Ecjf0CzphNqwZNV78b20o
	RvO+RXx/1q6VORY/AUMxQwohsRQM3VhXpDj8wzkRSZZizONg/23RrR4LhaY71D9C9tXvRhQ4LTQ
	uMksaj1tzsaLF09JUa45sxjWjD6gvtkItkJFojsUcAEpY0H61d+HOvG9TE1oqhkZrTHHkaXLUg5
	cHzqmFOU9VOX8KVn43ECvlBzxhcsi9AVTLQt/0k0=
X-Google-Smtp-Source: 
 AGHT+IE7OBjzV/92I2FhRFhRyz0p6Dc1x8NjHMGdKfNgjrPBrsrB5BEKW/jgDKL3ClaLwqWrxBdTgQ==
X-Received: by 2002:a17:903:2f08:b0:24a:f79e:e5eb with SMTP id
 d9443c01a7336-25d26e455a4mr180824495ad.49.1757999575963;
        Mon, 15 Sep 2025 22:12:55 -0700 (PDT)
Received: from cortexauth ([2402:e280:2313:10b:d917:bfec:531b:9193])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-26295996ff6sm80994095ad.64.2025.09.15.22.12.52
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 15 Sep 2025 22:12:55 -0700 (PDT)
From: Deepak Sharma <deepak.sharma.472935@gmail.com>
To: jikos@kernel.org
Cc: linux-input@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	linux-kernel-mentees@lists.linux.dev,
	Deepak Sharma <deepak.sharma.472935@gmail.com>,
	syzbot+7617e19c8a59edfbd879@syzkaller.appspotmail.com
Subject: [PATCH v2] HID: cp2112: Add parameter validation to data length
Date: Tue, 16 Sep 2025 10:40:55 +0530
Message-ID: <20250916051055.317581-1-deepak.sharma.472935@gmail.com>
X-Mailer: git-send-email 2.51.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

This is v2 for the earlier patch, where a few bounds check were
unnecessarily strict. This patch also removes the use of magic numbers

Syzkaller reported a stack OOB access in cp2112_write_req caused by lack
of parameter validation for the user input in I2C SMBUS ioctl codeflow
in the report

I2C device drivers are "responsible for checking all the parameters that
come from user-space for validity" as specified at Documentation/i2c/dev-in=
terface

Add the parameter validation for the data->block[0] to be bounded by
I2C_SMBUS_BLOCK_MAX + the additional compatibility padding

Reported-by: syzbot+7617e19c8a59edfbd879@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3D7617e19c8a59edfbd879
Signed-off-by: Deepak Sharma <deepak.sharma.472935@gmail.com>
---
 drivers/hid/hid-cp2112.c | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c
index 482f62a78c41..13dcd2470d92 100644
--- a/drivers/hid/hid-cp2112.c
+++ b/drivers/hid/hid-cp2112.c
@@ -689,7 +689,14 @@ static int cp2112_xfer(struct i2c_adapter *adap, u16 a=
ddr,
 			count =3D cp2112_write_read_req(buf, addr, read_length,
 						      command, NULL, 0);
 		} else {
-			count =3D cp2112_write_req(buf, addr, command,
+			/* Copy starts from data->block[1] so the length can
+			 * be at max I2C_SMBUS_CLOCK_MAX + 1
+			 */
+		=09
+			if (data->block[0] > I2C_SMBUS_BLOCK_MAX + 1)
+				count =3D -EINVAL;
+			else
+				count =3D cp2112_write_req(buf, addr, command,
 						 data->block + 1,
 						 data->block[0]);
 		}
@@ -700,7 +707,14 @@ static int cp2112_xfer(struct i2c_adapter *adap, u16 a=
ddr,
 						      I2C_SMBUS_BLOCK_MAX,
 						      command, NULL, 0);
 		} else {
-			count =3D cp2112_write_req(buf, addr, command,
+			/* data_length here is data->block[0] + 1
+			 * so make sure that the data->block[0] is
+			 * less than or equals I2C_SMBUS_BLOCK_MAX + 1
+			*/
+			if (data->block[0] > I2C_SMBUS_BLOCK_MAX + 1)
+				count =3D -EINVAL;
+			else
+				count =3D cp2112_write_req(buf, addr, command,
 						 data->block,
 						 data->block[0] + 1);
 		}
@@ -709,7 +723,14 @@ static int cp2112_xfer(struct i2c_adapter *adap, u16 a=
ddr,
 		size =3D I2C_SMBUS_BLOCK_DATA;
 		read_write =3D I2C_SMBUS_READ;
=20
-		count =3D cp2112_write_read_req(buf, addr, I2C_SMBUS_BLOCK_MAX,
+		/* data_length is data->block[0] + 1, so=20
+		 * so data->block[0] should be less than or
+		 * equal to the I2C_SMBUS_BLOCK_MAX + 1
+		*/
+		if (data->block[0] > I2C_SMBUS_BLOCK_MAX + 1)
+			count =3D -EINVAL;
+		else
+			count =3D cp2112_write_read_req(buf, addr, I2C_SMBUS_BLOCK_MAX,
 					      command, data->block,
 					      data->block[0] + 1);
 		break;
--=20
2.51.0