]> git.baikalelectronics.ru Git - kernel.git/commitdiff
projects / kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d73d8eb)
HID: cp2112: prevent a buffer overflow in cp2112_xfer()
authorHarshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Wed, 8 Jun 2022 12:26:09 +0000 (05:26 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 25 Aug 2022 09:17:50 +0000 (11:17 +0200)
[ Upstream commit cccca11076db996f62cdfb6ab3b5f661e60b0216 ]

Smatch warnings:
drivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy()
'data->block[1]' too small (33 vs 255)
drivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy() 'buf' too
small (64 vs 255)

The 'read_length' variable is provided by 'data->block[0]' which comes
from user and it(read_length) can take a value between 0-255. Add an
upper bound to 'read_length' variable to prevent a buffer overflow in
memcpy().

Fixes: 73c1d83d8ef9 ("HID: cp2112: Fix I2C_BLOCK_DATA transactions")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/hid/hid-cp2112.c patch | blob | history

diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c
index db1b55df0d1319c21b382fd8430e95f1821e3415..340408f8c8ab2e1c4d61985f9e3bee65e6c97aba 100644 (file)
--- a/drivers/hid/hid-cp2112.c
+++ b/drivers/hid/hid-cp2112.c
@@ -787,6 +787,11 @@ static int cp2112_xfer(struct i2c_adapter *adap, u16 addr,
                data->word = le16_to_cpup((__le16 *)buf);
                break;
        case I2C_SMBUS_I2C_BLOCK_DATA:
+               if (read_length > I2C_SMBUS_BLOCK_MAX) {
+                       ret = -EINVAL;
+                       goto power_normal;
+               }
+
                memcpy(data->block + 1, buf, read_length);
                break;
        case I2C_SMBUS_BLOCK_DATA:
Linux Kernel Source Tree.