2022-06-20 16:48:07

by Harshit Mogalapalli

Subject: [PATCH] HID: mcp2221: prevent a buffer overflow in mcp_smbus_write()

Smatch Warning:
drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy()
'&mcp->txbuf[5]' too small (59 vs 255)
drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy() 'buf'
too small (34 vs 255)

The 'len' variable can take a value between 0-255 as it can come from
data->block[0] and it is user data. So add an bound check to prevent a
buffer overflow in memcpy().

Fixes: 67a95c21463d ("HID: mcp2221: add usb to i2c-smbus host bridge")
Signed-off-by: Harshit Mogalapalli <[email protected]>
---
I believe I2C_SMBUS_BLOCK_MAX (32) is the appropriate limit to use here
but the &mcp->txbuf[5] array could actually fit 59 bytes which is the
destination in this case. I don't know why the buffer is larger than
expected.

drivers/hid/hid-mcp2221.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c
index 4211b9839209..de52e9f7bb8c 100644
--- a/drivers/hid/hid-mcp2221.c
+++ b/drivers/hid/hid-mcp2221.c
@@ -385,6 +385,9 @@ static int mcp_smbus_write(struct mcp2221 *mcp, u16 addr,
data_len = 7;
break;
default:
+ if (len > I2C_SMBUS_BLOCK_MAX)
+ return -EINVAL;
+
memcpy(&mcp->txbuf[5], buf, len);
data_len = len + 5;
}
--
2.31.1

2022-06-21 06:40:09

by Dan Carpenter

Subject: Re: [PATCH] HID: mcp2221: prevent a buffer overflow in mcp_smbus_write()

On Mon, Jun 20, 2022 at 11:58:27AM -0700, Rishi Gupta wrote:
> Hi Harshit,
>
> Can you check the datasheet for correct buffer sizes please. Then
> accordingly we will decide next step.
>

No, we don't have access to the data sheets. This is the exact same
bug as the following patches:

381583845d19 ("HID: cp2112: prevent a buffer overflow in cp2112_xfer()")
690b2549b195 ("i2c: ismt: prevent memory corruption in ismt_access()")

The patch should fix the memory corruption but there may be other issues
with this code.

regards,
dan carpenter

2022-07-21 09:59:43

by Jiri Kosina

Subject: Re: [PATCH] HID: mcp2221: prevent a buffer overflow in mcp_smbus_write()

On Mon, 20 Jun 2022, Harshit Mogalapalli wrote:

> Smatch Warning:
> drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy()
> '&mcp->txbuf[5]' too small (59 vs 255)
> drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy() 'buf'
> too small (34 vs 255)
>
> The 'len' variable can take a value between 0-255 as it can come from
> data->block[0] and it is user data. So add an bound check to prevent a
> buffer overflow in memcpy().
>
> Fixes: 67a95c21463d ("HID: mcp2221: add usb to i2c-smbus host bridge")
> Signed-off-by: Harshit Mogalapalli <[email protected]>

Applied, thanks.

--
Jiri Kosina
SUSE Labs