Patch "HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints()" has been added to the 6.13-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 17 Feb 2025 11:48:40 -0500

This is a note to let you know that I've just added the patch titled

    HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints()

to the 6.13-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     hid-hid-thrustmaster-fix-stack-out-of-bounds-read-in.patch
and it can be found in the queue-6.13 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 3ff430ea223f3d5d7980598fec43ff2975f88fd4
Author: Tulio Fernandes <tuliomf09@xxxxxxxxx>
Date:   Wed Feb 5 18:50:34 2025 -0300

    HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints()
    
    [ Upstream commit 0b43d98ff29be3144e86294486b1373b5df74c0e ]
    
    Syzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from
    hid-thrustmaster driver. This array is passed to usb_check_int_endpoints
    function from usb.c core driver, which executes a for loop that iterates
    over the elements of the passed array. Not finding a null element at the end of
    the array, it tries to read the next, non-existent element, crashing the kernel.
    
    To fix this, a 0 element was added at the end of the array to break the for
    loop.
    
    [1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad
    
    Reported-by: syzbot+9c9179ac46169c56c1ad@xxxxxxxxxxxxxxxxxxxxxxxxx
    Fixes: 50420d7c79c3 ("HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check")
    Signed-off-by: Túlio Fernandes <tuliomf09@xxxxxxxxx>
    Signed-off-by: Jiri Kosina <jkosina@xxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/hid/hid-thrustmaster.c b/drivers/hid/hid-thrustmaster.c
index 6c3e758bbb09e..3b81468a1df29 100644
--- a/drivers/hid/hid-thrustmaster.c
+++ b/drivers/hid/hid-thrustmaster.c
@@ -171,7 +171,7 @@ static void thrustmaster_interrupts(struct hid_device *hdev)
 	b_ep = ep->desc.bEndpointAddress;
 
 	/* Are the expected endpoints present? */
-	u8 ep_addr[1] = {b_ep};
+	u8 ep_addr[2] = {b_ep, 0};
 
 	if (!usb_check_int_endpoints(usbif, ep_addr)) {
 		hid_err(hdev, "Unexpected non-int endpoint\n");







