hid: fix I2C read buffer overflow in raw_event() for mcp2221

As reported by syzbot, mcp2221_raw_event lacked
validation of incoming I2C read data sizes, risking buffer
overflows in mcp->rxbuf during multi-part transfers.
As highlighted in the DS20005565B spec, p44, we have:
"The number of read-back data bytes to follow in this packet:
from 0 to a maximum of 60 bytes of read-back bytes."
This patch enforces we don't exceed this limit.

Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346
Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
Link: https://patch.msgid.link/20250726220931.7126-1-contact@arnaud-lcm.com
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>

diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c
index fcfe9370a8872d08e2b032f5c969385908789743..157c363ea9ba6ea55a00ff6f1b88951fe3be729b 100644 (file)
--- a/drivers/hid/hid-mcp2221.c
+++ b/drivers/hid/hid-mcp2221.c
@@ -906,6 +906,10 @@ static int mcp2221_raw_event(struct hid_device *hdev,
                        }
                        if (data[2] == MCP2221_I2C_READ_COMPL ||
                            data[2] == MCP2221_I2C_READ_PARTIAL) {
+                               if (!mcp->rxbuf || mcp->rxbuf_idx < 0 || data[3] > 60) {
+                                       mcp->status = -EINVAL;
+                                       break;
+                               }
                                buf = mcp->rxbuf;
                                memcpy(&buf[mcp->rxbuf_idx], &data[4], data[3]);
                                mcp->rxbuf_idx = mcp->rxbuf_idx + data[3];