Re: [PATCH] i2c: add sanity check for input SMBus data length

[Wolfram Sang]

Hi,

thanks for your patch!

On Tue, Jan 20, 2026 at 09:47:02PM +0800, Edward Adam Davis wrote:
> The value passed to block[0] in the user-constructed data is too large,
> exceeding the length that data for SMBus messages can accommodate. This
> triggered the out-of-bounds access reported by syzbot [1].
> 
> Adding relevant data size checks in the smbus ioctl can prevent this
> out-of-bounds access.
> 
> [1]
> BUG: KASAN: stack-out-of-bounds in ft260_smbus_write+0x19b/0x2f0 drivers/hid/hid-ft260.c:486
> Read of size 42 at addr ffffc90003427d81 by task syz.2.65/6119
> Call Trace:
>  ft260_smbus_write+0x19b/0x2f0 drivers/hid/hid-ft260.c:486
>  ft260_smbus_xfer+0x22c/0x640 drivers/hid/hid-ft260.c:736
> 

Did you look for a suitable Fixes tag?

> Reported-by: syzbot+64ca69977b37604cd6d9@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=64ca69977b37604cd6d9
> Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
> ---
>  drivers/i2c/i2c-dev.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
> index e9577f920286..6725a49d6921 100644
> --- a/drivers/i2c/i2c-dev.c
> +++ b/drivers/i2c/i2c-dev.c
> @@ -378,6 +378,14 @@ static noinline int i2cdev_ioctl_smbus(struct i2c_client *client,
>  	    (read_write == I2C_SMBUS_WRITE)) {
>  		if (copy_from_user(&temp, data, datasize))
>  			return -EFAULT;
> +
> +		if (temp.block[0] > datasize) {
> +			dev_dbg(&client->adapter->dev,
> +				"user input data size (%u) is too big "
> +				"in ioctl I2C_SMBUS.\n",

Strings stay in one line, please, even if they break the line length.

> +				temp.block[0]);
> +			return -EINVAL;
> +		}
>  	}
>  	if (size == I2C_SMBUS_I2C_BLOCK_BROKEN) {
>  		/* Convert old I2C block commands to the new

Happy hacking,

   Wolfram

Attachment: signature.asc
Description: PGP signature