Hi,

On Thu, Oct 17, 2024 at 04:01:04PM +0800, itewqq wrote:
> The i2c_smbus_read_block_data function receives up to I2C_SMBUS_BLOCK_MAX
> bytes, which is defined as 32. This exceeds the size of the struct
> cyapa_reg_data, which will be provided to cyapa_read_block as an input
> buffer and finally reach i2c_smbus_read_block_data. When the cyapa module
> is enabled (CONFIG_MOUSE_CYAPA=m), this bug could result in potential
> denial-of-service for invalid or malicious I2C data. Pad the size of the
> cyapa_reg_data structure from 27 to I2C_SMBUS_BLOCK_MAX=32 bytes to
> address this issue.

No, I don't think padding all buffers is a good idea. We need to change
i2c_smbus_read_block_data() to accept the buffer size so that it does not
copy more than it should.

I sent a patch to i2c list and CCed you.

Thanks.

--
Dmitry
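Added example, not the kernel's code and not from either poster: a user-space C model of the two read patterns the thread contrasts, the length-byte-driven copy that overruns a 27-byte destination when a device announces the 32-byte SMBus maximum, and the bounded variant that takes the caller's buffer size as the reply proposes. Names (block_read_unbounded, block_read_bounded, clobbered_canary_bytes, struct reg_frame) and the device reply are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

#define I2C_SMBUS_BLOCK_MAX 32 /* SMBus block transfer limit, as on the page */
#define REG_DATA_SIZE 27       /* size of struct cyapa_reg_data named in the thread */
/* Stand-in for the 27-byte register block, followed by a canary that exposes overruns. */
struct reg_frame {
    uint8_t reg_data[REG_DATA_SIZE];
    uint8_t canary[I2C_SMBUS_BLOCK_MAX - REG_DATA_SIZE];
};

/* Unbounded pattern: the device's length byte alone decides how much is copied. */
static int block_read_unbounded(const uint8_t *reply, uint8_t *dst)
{
    uint8_t len = reply[0];
    if (len > I2C_SMBUS_BLOCK_MAX)
        return -1;
    memcpy(dst, reply + 1, len);
    return len;
}

/* Fix in the spirit of the reply: the caller's buffer size bounds the copy. */
static int block_read_bounded(const uint8_t *reply, uint8_t *dst, size_t dst_len)
{
    uint8_t len = reply[0];
    if (len > I2C_SMBUS_BLOCK_MAX || len > dst_len)
        return -1;                   /* reject rather than overrun or truncate */
    memcpy(dst, reply + 1, len);
    return len;
}

/* Feed a constructed reply announcing `announced` bytes to one variant and
 * return how many canary bytes were clobbered (0 means the buffer held). */
static int clobbered_canary_bytes(uint8_t announced, int bounded)
{
    uint8_t reply[1 + I2C_SMBUS_BLOCK_MAX];
    struct reg_frame f;
    int clobbered = 0;
    memset(&f, 0, sizeof f);
    reply[0] = announced;                          /* length byte from the device */
    for (size_t i = 0; i < I2C_SMBUS_BLOCK_MAX; i++)
        reply[1 + i] = (uint8_t)(0xA0 + i);        /* constructed payload bytes */
    if (bounded)
        block_read_bounded(reply, f.reg_data, sizeof f.reg_data);
    else
        block_read_unbounded(reply, (uint8_t *)&f); /* dst is really 27 bytes wide */
    for (size_t i = 0; i < sizeof f.canary; i++)
        clobbered += f.canary[i] != 0;
    return clobbered;
}
```

With a device announcing 32 bytes, the unbounded read writes all five canary bytes; the bounded read refuses the block and the canary stays intact, while a well-formed 27-byte block still goes through.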