On Tue, Oct 07, 2025 at 05:23:17PM +0200, Lecomte, Arnaud wrote:
On 07/10/2025 15:16, Greg KH wrote:
On Tue, Oct 07, 2025 at 03:08:11PM +0200, Romain Sioen wrote:
From: Arnaud Lecomte contact@arnaud-lcm.com
[ Upstream commit b56cc41a3ae7323aa3c6165f93c32e020538b6d2 ]
As reported by syzbot, mcp2221_raw_event lacked validation of incoming I2C read data sizes, risking buffer overflows in mcp->rxbuf during multi-part transfers. As highlighted in the DS20005565B spec, p44, we have: "The number of read-back data bytes to follow in this packet: from 0 to a maximum of 60 bytes of read-back bytes." This patch enforces we don't exceed this limit.
Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346 Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com Signed-off-by: Arnaud Lecomte contact@arnaud-lcm.com Link: https://patch.msgid.link/20250726220931.7126-1-contact@arnaud-lcm.com Signed-off-by: Benjamin Tissoires bentiss@kernel.org [romain.sioen@microchip.com: backport to stable, up to 6.12. Add "Fixes" tag]
I don't see a fixes tag :(
Hey, I am the author of the patch. I can find the fixes tag if this looks good to you.
There's no need for a fixes tag, just let us know where you want this backported to.
thanks,
greg k-h