Date: Thu, 9 Jun 2022 10:55:57 +0200 (CEST)
From: Jiri Kosina
To: Harshit Mogalapalli
cc: benjamin.tissoires@redhat.com, eudean@arista.com, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, dan.carpenter@oracle.com
Subject: Re: [PATCH] HID: cp2112: prevent a buffer overflow in cp2112_xfer()

On Wed, 8 Jun 2022, Harshit Mogalapalli wrote:

> Smatch warnings:
> drivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy()
> 'data->block[1]' too small (33 vs 255)
> drivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy() 'buf' too
> small (64 vs 255)
>
> The 'read_length' variable is provided by 'data->block[0]' which comes
> from user and it(read_length) can take a value between 0-255. Add an
> upper bound to 'read_length' variable to prevent a buffer overflow in
> memcpy().
>
> Fixes: 542134c0375b ("HID: cp2112: Fix I2C_BLOCK_DATA transactions")
> Signed-off-by: Harshit Mogalapalli
> ---
> drivers/hid/hid-cp2112.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c > index ece147d1a278..1e16b0fa310d 100644 > --- a/drivers/hid/hid-cp2112.c > +++ b/drivers/hid/hid-cp2112.c
> @@ -790,6 +790,11 @@ static int cp2112_xfer(struct i2c_adapter *adap, u16 addr, > data->word = le16_to_cpup((__le16 *)buf); > break; > case I2C_SMBUS_I2C_BLOCK_DATA: > + if (read_length > I2C_SMBUS_BLOCK_MAX) { > + ret = -EINVAL; > + goto power_normal; > + } > + > memcpy(data->block + 1, buf, read_length); > break; Good catch, now applied. Thanks, -- Jiri Kosina SUSE Labs
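
Review bot: the bound on read_length in the I2C_SMBUS_I2C_BLOCK_DATA case is tested only immediately before the memcpy(), in the same switch that already consumes buf for data->word, so the user-supplied length is rejected late. Since the commit message says read_length is taken from data->block[0], consider making the read_length > I2C_SMBUS_BLOCK_MAX test where that assignment happens, so an out-of-range request fails with -EINVAL before it is used anywhere else in cp2112_xfer(). A one-line comment noting that the limit keeps the copy within both data->block + 1 (33 bytes per the Smatch warning) and buf (64 bytes) would also document why this constant is the right bound.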