drivers/hid/hid-mcp2221.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)
From: Benoît Sevens <bsevens@google.com>
A heap buffer overflow can occur in the mcp2221_raw_event() function
when handling I2C read responses. The driver failed to check if the
total incoming data length fits within the originally allocated buffer
`mcp->rxbuf`.
Fix this by introducing `rxbuf_len` to `struct mcp2221` to keep track
of the allocated buffer size. Initialize it in `mcp_i2c_smbus_read()`
and `mcp_smbus_xfer()`, and ensure the copied data length combined with
the current index does not exceed this length in `mcp2221_raw_event()`.
Signed-off-by: Benoît Sevens <bsevens@google.com>
---
drivers/hid/hid-mcp2221.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c
index ef3b5c77c38e..744561e65079 100644
--- a/drivers/hid/hid-mcp2221.c
+++ b/drivers/hid/hid-mcp2221.c
@@ -119,6 +119,7 @@ struct mcp2221 {
struct completion wait_in_report;
struct delayed_work init_work;
u8 *rxbuf;
+ int rxbuf_len;
u8 txbuf[64];
int rxbuf_idx;
int status;
@@ -323,12 +324,14 @@ static int mcp_i2c_smbus_read(struct mcp2221 *mcp,
mcp->txbuf[3] = (u8)(msg->addr << 1);
total_len = msg->len;
mcp->rxbuf = msg->buf;
+ mcp->rxbuf_len = msg->len;
} else {
mcp->txbuf[1] = smbus_len;
mcp->txbuf[2] = 0;
mcp->txbuf[3] = (u8)(smbus_addr << 1);
total_len = smbus_len;
mcp->rxbuf = smbus_buf;
+ mcp->rxbuf_len = smbus_len;
}
ret = mcp_send_data_req_status(mcp, mcp->txbuf, 4);
@@ -538,6 +541,7 @@ static int mcp_smbus_xfer(struct i2c_adapter *adapter, u16 addr,
mcp->rxbuf_idx = 0;
mcp->rxbuf = data->block;
+ mcp->rxbuf_len = sizeof(data->block);
mcp->txbuf[0] = MCP2221_I2C_GET_DATA;
ret = mcp_send_data_req_status(mcp, mcp->txbuf, 1);
if (ret)
@@ -561,6 +565,7 @@ static int mcp_smbus_xfer(struct i2c_adapter *adapter, u16 addr,
mcp->rxbuf_idx = 0;
mcp->rxbuf = data->block;
+ mcp->rxbuf_len = sizeof(data->block);
mcp->txbuf[0] = MCP2221_I2C_GET_DATA;
ret = mcp_send_data_req_status(mcp, mcp->txbuf, 1);
if (ret)
@@ -908,7 +913,9 @@ static int mcp2221_raw_event(struct hid_device *hdev,
}
if (data[2] == MCP2221_I2C_READ_COMPL ||
data[2] == MCP2221_I2C_READ_PARTIAL) {
- if (!mcp->rxbuf || mcp->rxbuf_idx < 0 || data[3] > 60) {
+ if (!mcp->rxbuf || mcp->rxbuf_idx < 0 ||
+ data[3] > 60 ||
+ mcp->rxbuf_idx + data[3] > mcp->rxbuf_len) {
mcp->status = -EINVAL;
break;
}
--
2.54.0.rc0.605.g598a273b03-googOn Wed, 15 Apr 2026, Benoit Sevens wrote: > From: Benoît Sevens <bsevens@google.com> > > A heap buffer overflow can occur in the mcp2221_raw_event() function > when handling I2C read responses. The driver failed to check if the > total incoming data length fits within the originally allocated buffer > `mcp->rxbuf`. > > Fix this by introducing `rxbuf_len` to `struct mcp2221` to keep track > of the allocated buffer size. Initialize it in `mcp_i2c_smbus_read()` > and `mcp_smbus_xfer()`, and ensure the copied data length combined with > the current index does not exceed this length in `mcp2221_raw_event()`. > > Signed-off-by: Benoît Sevens <bsevens@google.com> Unfortunately the patch seems to have been somehow mangled by your mail client: patching file drivers/hid/hid-mcp2221.c Hunk #1 succeeded at 126 (offset 7 lines). Hunk #2 FAILED at 324. patch: **** malformed patch at line 173: u16 addr, Fix for the same issue has later been submitted by Florian Pradines [1], so I will be taking that one and adding you as Reported-by: or so, ok? Thanks. [1] https://lore.kernel.org/all/20260509094517.2691246-1-florian.pradines@gmail.com/ -- Jiri Kosina SUSE Labs
On Tue, 12 May 2026 at 17:47, Jiri Kosina <jikos@kernel.org> wrote:
>
> On Wed, 15 Apr 2026, Benoit Sevens wrote:
>
> > From: Benoît Sevens <bsevens@google.com>
> >
> > A heap buffer overflow can occur in the mcp2221_raw_event() function
> > when handling I2C read responses. The driver failed to check if the
> > total incoming data length fits within the originally allocated buffer
> > `mcp->rxbuf`.
> >
> > Fix this by introducing `rxbuf_len` to `struct mcp2221` to keep track
> > of the allocated buffer size. Initialize it in `mcp_i2c_smbus_read()`
> > and `mcp_smbus_xfer()`, and ensure the copied data length combined with
> > the current index does not exceed this length in `mcp2221_raw_event()`.
> >
> > Signed-off-by: Benoît Sevens <bsevens@google.com>
>
> Unfortunately the patch seems to have been somehow mangled by your mail
> client:
>
> patching file drivers/hid/hid-mcp2221.c
> Hunk #1 succeeded at 126 (offset 7 lines).
> Hunk #2 FAILED at 324.
> patch: **** malformed patch at line 173: u16 addr,
>
> Fix for the same issue has later been submitted by Florian Pradines [1],
> so I will be taking that one and adding you as Reported-by: or so, ok?
>
> Thanks.
>
> [1] https://lore.kernel.org/all/20260509094517.2691246-1-florian.pradines@gmail.com/
>
> --
> Jiri Kosina
> SUSE Labs
>
Hi Jiri,
That sounds good to me. Thanks for adding me in the Reported-by
One thing though: Florian's patch doesn't set `mcp->rxbuf_size` in all
places. I believe it should be set in every place where `mcp->rxbuf`
is set. There are 2 places in `mcp_smbus_xfer` where it is missing
(see my original patch):
```c
@@ -538,6 +541,7 @@ static int mcp_smbus_xfer(struct i2c_adapter
*adapter, u16 addr,
mcp->rxbuf_idx = 0;
mcp->rxbuf = data->block;
+ mcp->rxbuf_size = sizeof(data->block);
mcp->txbuf[0] = MCP2221_I2C_GET_DATA;
ret = mcp_send_data_req_status(mcp, mcp->txbuf, 1);
if (ret)
@@ -561,6 +565,7 @@ static int mcp_smbus_xfer(struct i2c_adapter
*adapter, u16 addr,
mcp->rxbuf_idx = 0;
mcp->rxbuf = data->block;
+ mcp->rxbuf_size = sizeof(data->block);
mcp->txbuf[0] = MCP2221_I2C_GET_DATA;
ret = mcp_send_data_req_status(mcp, mcp->txbuf, 1);
if (ret)
```
Thanks,
Benoit
© 2016 - 2026 Red Hat, Inc.