Commit b07f9ee3 authored Feb 05, 2025 by Tulio Fernandes Committed by Wentao Guan Mar 25, 2025

HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints()

stable inclusion
from stable-v6.6.79
commit f3ce05283f6cb6e19c220f5382def43dc5bd56b9
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IBW08Q

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f3ce05283f6cb6e19c220f5382def43dc5bd56b9

--------------------------------

[ Upstream commit 0b43d98ff29be3144e86294486b1373b5df74c0e ]

Syzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from
hid-thrustmaster driver. This array is passed to usb_check_int_endpoints
function from usb.c core driver, which executes a for loop that iterates
over the elements of the passed array. Not finding a null element at the end of
the array, it tries to read the next, non-existent element, crashing the kernel.

To fix this, a 0 element was added at the end of the array to break the for
loop.

[1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad



Reported-by:  <syzbot+9c9179ac46169c56c1ad@syzkaller.appspotmail.com>
Fixes: 50420d7c79c3 ("HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check")
Signed-off-by: Túlio Fernandes <tuliomf09@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit f3ce05283f6cb6e19c220f5382def43dc5bd56b9)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

parent 5ed70d5f

drivers/hid/hid-thrustmaster.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -171,7 +171,7 @@ static void thrustmaster_interrupts(struct hid_device *hdev)
		b_ep = ep->desc.bEndpointAddress;

		/* Are the expected endpoints present? */
		u8 ep_addr[1] = {b_ep};
		u8 ep_addr[2] = {b_ep, 0};

		if (!usb_check_int_endpoints(usbif, ep_addr)) {
		hid_err(hdev, "Unexpected non-int endpoint\n");