HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints by null-terminating array v1 PROPOSED

Tulio Fernandes: 1
 HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints by null-terminating array

 1 files changed, 1 insertions(+), 1 deletions(-)

[PATCH] HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints by null-terminating array Export this patch

Syzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from
hid-thrustmaster driver. This array is passed to usb_check_int_endpoints
function from usb.c core driver, which executes a for loop that iterates
over the elements of the passed array. Not finding a null element at the end of
the array, it tries to read the next, non-existent element, crashing the kernel.

To fix this, a 0 element was added at the end of the array to break the for
loop.

[1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad

Signed-off-by: Túlio Fernandes <tuliomf09@gmail.com>
---
 drivers/hid/hid-thrustmaster.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hid/hid-thrustmaster.c b/drivers/hid/hid-thrustmaster.c
index 6c3e758bbb09..3b81468a1df2 100644
--- a/drivers/hid/hid-thrustmaster.c
+++ b/drivers/hid/hid-thrustmaster.c
@@ -171,7 +171,7 @@ static void thrustmaster_interrupts(struct hid_device *hdev)
 	b_ep = ep->desc.bEndpointAddress;
 
 	/* Are the expected endpoints present? */
-	u8 ep_addr[1] = {b_ep};
+	u8 ep_addr[2] = {b_ep, 0};
 
 	if (!usb_check_int_endpoints(usbif, ep_addr)) {
 		hid_err(hdev, "Unexpected non-int endpoint\n");

Jiri Kosina <jikos@kernel.org>

2 months ago

Ugh. Makes me wonder how 50420d7c79c was tested at all in the first place. 
CCing Karol.

I've added

    Reported-by: syzbot+9c9179ac46169c56c1ad@syzkaller.appspotmail.com
    Fixes: 50420d7c79c3 ("HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check")

and applied.

-- 
2.48.1