The i2c_smbus_read_block_data function receives up to I2C_SMBUS_BLOCK_MAX bytes. which is typically 32. This exceeds the size of the local variable (u8 query_data[QUERY_DATA_SIZE]) in cyapa_gen3_get_query_data, which is provided to cyapa_read_block and finally reach i2c_smbus_read_block_data. When the cyapa module is enabled (CONFIG_MOUSE_CYAPA=m), this bug could cause denial-of-service (or potentially code execution). For example, by a physical attacker who can hijack I2C communications or plant malicious firmware in the Cyapa peripheral. To fix this bug, this patch change the size of query_data from QUERY_DATA_SIZE to I2C_SMBUS_BLOCK_MAX. Signed-off-by: itewqq <shipeiqu@xxxxxxxxxxx> --- drivers/input/mouse/cyapa_gen3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/input/mouse/cyapa_gen3.c b/drivers/input/mouse/cyapa_gen3.c index fc3fb954523b..6a5ffff51922 100644 --- a/drivers/input/mouse/cyapa_gen3.c +++ b/drivers/input/mouse/cyapa_gen3.c @@ -980,7 +980,7 @@ static int cyapa_gen3_set_proximity(struct cyapa *cyapa, bool enable) static int cyapa_gen3_get_query_data(struct cyapa *cyapa) { - u8 query_data[QUERY_DATA_SIZE]; + u8 query_data[I2C_SMBUS_BLOCK_MAX]; int ret; if (cyapa->state != CYAPA_STATE_OP) -- 2.30.2