On Wed, 5 Feb 2025, Tulio Fernandes wrote: > Syzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from > hid-thrustmaster driver. This array is passed to usb_check_int_endpoints > function from usb.c core driver, which executes a for loop that iterates > over the elements of the passed array. Not finding a null element at the end of > the array, it tries to read the next, non-existent element, crashing the kernel. > > To fix this, a 0 element was added at the end of the array to break the for > loop. > > [1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad > > Signed-off-by: Túlio Fernandes <tuliomf09@xxxxxxxxx> > --- > drivers/hid/hid-thrustmaster.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/hid/hid-thrustmaster.c b/drivers/hid/hid-thrustmaster.c > index 6c3e758bbb09..3b81468a1df2 100644 > --- a/drivers/hid/hid-thrustmaster.c > +++ b/drivers/hid/hid-thrustmaster.c > @@ -171,7 +171,7 @@ static void thrustmaster_interrupts(struct hid_device *hdev) > b_ep = ep->desc.bEndpointAddress; > > /* Are the expected endpoints present? */ > - u8 ep_addr[1] = {b_ep}; > + u8 ep_addr[2] = {b_ep, 0}; > > if (!usb_check_int_endpoints(usbif, ep_addr)) { > hid_err(hdev, "Unexpected non-int endpoint\n"); Ugh. Makes me wonder how 50420d7c79c was tested at all in the first place. CCing Karol. I've added Reported-by: syzbot+9c9179ac46169c56c1ad@xxxxxxxxxxxxxxxxxxxxxxxxx Fixes: 50420d7c79c3 ("HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check") and applied. -- Jiri Kosina SUSE Labs
