lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <68c8657e.050a0220.3c6139.0d1d.GAE@google.com>
Date: Mon, 15 Sep 2025 12:14:06 -0700
From: syzbot <syzbot+7617e19c8a59edfbd879@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: Re: [syzbot] [input?] KASAN: stack-out-of-bounds Read in cp2112_xfer

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.

***

Subject: Re: [syzbot] [input?] KASAN: stack-out-of-bounds Read in cp2112_xfer
Author: deepak.takumi.120@...il.com

#syz test

diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c
index 482f62a78c41..8e17500256f1 100644
--- a/drivers/hid/hid-cp2112.c
+++ b/drivers/hid/hid-cp2112.c
@@ -689,7 +689,9 @@ static int cp2112_xfer(struct i2c_adapter *adap, u16 addr,
                        count = cp2112_write_read_req(buf, addr, read_length,
                                                      command, NULL, 0);
                } else {
-                       count = cp2112_write_req(buf, addr, command,
+                       if (data->block[0] > 32)
+                               count = -EINVAL;
+                       else count = cp2112_write_req(buf, addr, command,
                                                 data->block + 1,
                                                 data->block[0]);
                }
@@ -700,7 +702,9 @@ static int cp2112_xfer(struct i2c_adapter *adap, u16 addr,
                                                      I2C_SMBUS_BLOCK_MAX,
                                                      command, NULL, 0);
                } else {
-                       count = cp2112_write_req(buf, addr, command,
+                       if (data->block[0] > 32)
+                               count = -EINVAL;
+                       else count = cp2112_write_req(buf, addr, command,
                                                 data->block,
                                                 data->block[0] + 1);
                }
@@ -709,7 +713,9 @@ static int cp2112_xfer(struct i2c_adapter *adap, u16 addr,
                size = I2C_SMBUS_BLOCK_DATA;
                read_write = I2C_SMBUS_READ;

-               count = cp2112_write_read_req(buf, addr, I2C_SMBUS_BLOCK_MAX,
+               if (data->block[0] > 32)
+                       count = -EINVAL;
+               else count = cp2112_write_read_req(buf, addr,
I2C_SMBUS_BLOCK_MAX,
                                              command, data->block,
                                              data->block[0] + 1);
                break;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ