1. Patchew
  2. linux
  3. View series

[PATCH] HID: hid-thrustmaster: add endpoint check in thrustmaster_interrupts

Karol Przybylski posted 1 patch 1 month ago 
drivers/hid/hid-thrustmaster.c | 7 +++++++
1 file changed, 7 insertions(+)
[PATCH] HID: hid-thrustmaster: add endpoint check in thrustmaster_interrupts
Posted by Karol Przybylski 1 month ago 
syzbot has found a type mismatch between a USB pipe and the transfer
endpoint, which is triggered by the hid-thrustmaster driver[1].
There is a number of similar, already fixed issues [2].
In this case as in others, implementing check for endpoint type fixes the issue.

[1] https://syzkaller.appspot.com/bug?extid=040e8b3db6a96908d470
[2] https://syzkaller.appspot.com/bug?extid=348331f63b034f89b622

Fixes: c49c33637802 ("HID: support for initialization of some Thrustmaster wheels")
Reported-by: syzbot+040e8b3db6a96908d470@syzkaller.appspotmail.com
Tested-by: syzbot+040e8b3db6a96908d470@syzkaller.appspotmail.com
Signed-off-by: Karol Przybylski <karprzy7@gmail.com>
---
 drivers/hid/hid-thrustmaster.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/hid/hid-thrustmaster.c b/drivers/hid/hid-thrustmaster.c
index cf1679b0d4fb..f948189394ef 100644
--- a/drivers/hid/hid-thrustmaster.c
+++ b/drivers/hid/hid-thrustmaster.c
@@ -170,6 +170,13 @@ static void thrustmaster_interrupts(struct hid_device *hdev)
 	ep = &usbif->cur_altsetting->endpoint[1];
 	b_ep = ep->desc.bEndpointAddress;
 
+	/* Are the expected endpoints present? */
+	u8 ep_addr[1] = {b_ep};
+	if (!usb_check_int_endpoints(usbif, ep_addr)) {
+		hid_err(hdev, "Unexpected non-int endpoint\n");
+		return;
+	}
+
 	for (i = 0; i < ARRAY_SIZE(setup_arr); ++i) {
 		memcpy(send_buf, setup_arr[i], setup_arr_sizes[i]);
 
-- 
2.34.1
Re: [PATCH] HID: hid-thrustmaster: add endpoint check in thrustmaster_interrupts
Posted by Karol P 1 week, 5 days ago 
On Sun, 20 Oct 2024 at 16:47, Karol Przybylski <karprzy7@gmail.com> wrote:
>
> syzbot has found a type mismatch between a USB pipe and the transfer
> endpoint, which is triggered by the hid-thrustmaster driver[1].
> There is a number of similar, already fixed issues [2].
> In this case as in others, implementing check for endpoint type fixes the issue.
>
> [1] https://syzkaller.appspot.com/bug?extid=040e8b3db6a96908d470
> [2] https://syzkaller.appspot.com/bug?extid=348331f63b034f89b622
>
> Fixes: c49c33637802 ("HID: support for initialization of some Thrustmaster wheels")
> Reported-by: syzbot+040e8b3db6a96908d470@syzkaller.appspotmail.com
> Tested-by: syzbot+040e8b3db6a96908d470@syzkaller.appspotmail.com
> Signed-off-by: Karol Przybylski <karprzy7@gmail.com>
> ---
>  drivers/hid/hid-thrustmaster.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/drivers/hid/hid-thrustmaster.c b/drivers/hid/hid-thrustmaster.c
> index cf1679b0d4fb..f948189394ef 100644
> --- a/drivers/hid/hid-thrustmaster.c
> +++ b/drivers/hid/hid-thrustmaster.c
> @@ -170,6 +170,13 @@ static void thrustmaster_interrupts(struct hid_device *hdev)
>         ep = &usbif->cur_altsetting->endpoint[1];
>         b_ep = ep->desc.bEndpointAddress;
>
> +       /* Are the expected endpoints present? */
> +       u8 ep_addr[1] = {b_ep};
> +       if (!usb_check_int_endpoints(usbif, ep_addr)) {
> +               hid_err(hdev, "Unexpected non-int endpoint\n");
> +               return;
> +       }
> +
>         for (i = 0; i < ARRAY_SIZE(setup_arr); ++i) {
>                 memcpy(send_buf, setup_arr[i], setup_arr_sizes[i]);
>
> --
> 2.34.1
>

Any feedback regarding this patch is appreciated. I was wondering if I
should declare an additional u8 array or maybe just do inline
conversion.

Best regards,
Karol

Patchew 2.1-devel-b67e4c2

© 2016 - 2024 Red Hat, Inc.