syztest

[syzbot] [input?] [usb?] KASAN: slab-out-of-bounds Read in mcp2221_raw_event · syzbot <hidden> · 2024-12-06
Re: [syzbot] [input?] [usb?] KASAN: slab-out-of-bounds Read in mcp2221_raw_event · syzbot <hidden> · 2024-12-25
Re: [syzbot] [input?] [usb?] KASAN: slab-out-of-bounds Read in mcp2221_raw_event · syzbot <hidden> · 2025-02-10
syztest · Arnaud Lecomte <hidden> · 2025-07-26
Re: [syzbot] [usb?] [input?] KASAN: slab-out-of-bounds Read in mcp2221_raw_event · syzbot <hidden> · 2025-07-26

From: Arnaud Lecomte <hidden>
Date: 2025-07-26 20:41:58
Also in: linux-usb, lkml

#syz test

--- a/drivers/hid/hid-mcp2221.c
+++ b/drivers/hid/hid-mcp2221.c

@@ -814,6 +814,10 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 			}
 			if (data[2] == MCP2221_I2C_READ_COMPL ||
 			    data[2] == MCP2221_I2C_READ_PARTIAL) {
+				if (!mcp->rxbuf || mcp->rxbuf_idx < 0 || data[3] > 60) {
+					mcp->status = -EINVAL;
+					break;
+				}	
 				buf = mcp->rxbuf;
 				memcpy(&buf[mcp->rxbuf_idx], &data[4], data[3]);
 				mcp->rxbuf_idx = mcp->rxbuf_idx + data[3];

--

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help