From: Pavel Skripkin
To: jikos@kernel.org, benjamin.tissoires@redhat.com, mcoquelin.stm32@gmail.com, alexandre.torgue@foss.st.com, kimi.h.kuparinen@gmail.com
Cc: linux-input@vger.kernel.org, linux-stm32@st-md-mailman.stormreply.com, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Pavel Skripkin, syzbot+35eebd505e97d315d01c@syzkaller.appspotmail.com
Subject: [PATCH] HID: hid-thrustmaster: fix OOB read in thrustmaster_interrupts
Date: Sun, 20 Feb 2022 19:01:14 +0300
Message-Id: <20220220160114.26882-1-paskripkin@gmail.com>

Syzbot reported a slab-out-of-bounds Read in thrustmaster_probe() bug. The root cause is the missing validation check of the actual number of endpoints.

Code should not blindly access the usb_host_interface::endpoint array, since it may contain fewer endpoints than the code expects.

Fix it by adding the missing validation check and printing an error if the number of endpoints does not match the expected number.

Fixes: c49c33637802 ("HID: support for initialization of some Thrustmaster wheels")
Reported-and-tested-by: syzbot+35eebd505e97d315d01c@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin
---
 drivers/hid/hid-thrustmaster.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/hid/hid-thrustmaster.c b/drivers/hid/hid-thrustmaster.c index 03b935ff02d5..9da4240530dd 100644 --- a/drivers/hid/hid-thrustmaster.c +++ b/drivers/hid/hid-thrustmaster.c 
@@ -158,6 +158,12 @@ static void thrustmaster_interrupts(struct hid_device *hdev) return; } + if (usbif->cur_altsetting->desc.bNumEndpoints < 2) { + kfree(send_buf); + hid_err(hdev, "Wrong number of endpoints?\n"); + return; + } + ep = &usbif->cur_altsetting->endpoint[1]; b_ep = ep->desc.bEndpointAddress; -- 2.35.1 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
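
Review bot: The new `bNumEndpoints < 2` check in thrustmaster_interrupts() bounds the `endpoint[1]` access, but it validates only the count: `ep->desc.bEndpointAddress` is still taken from a device-supplied descriptor without confirming the endpoint's transfer type or direction. If the code after this hunk assumes a particular kind of endpoint, verify that as well before using `b_ep`, for instance with the usb_endpoint_*() descriptor helpers. The message "Wrong number of endpoints?" would also be easier to act on in logs if it dropped the question mark and reported the actual bNumEndpoints value alongside the expected minimum.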