HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints()

Syzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from
hid-thrustmaster driver. This array is passed to usb_check_int_endpoints
function from usb.c core driver, which executes a for loop that iterates
over the elements of the passed array. Not finding a null element at the end of
the array, it tries to read the next, non-existent element, crashing the kernel.

To fix this, a 0 element was added at the end of the array to break the for
loop.

[1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad

Reported-by: syzbot+9c9179ac46169c56c1ad@syzkaller.appspotmail.com
Fixes: 50420d7c79c3 ("HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check")
Signed-off-by: Túlio Fernandes <tuliomf09@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>

diff --git a/drivers/hid/hid-thrustmaster.c b/drivers/hid/hid-thrustmaster.c
index 6c3e758bbb09e3a2cec0b44d125d05a7e5b18ae6..3b81468a1df297b109a8f90dafb691605ce4cf1b 100644 (file)
--- a/drivers/hid/hid-thrustmaster.c
+++ b/drivers/hid/hid-thrustmaster.c
@@ -171,7 +171,7 @@ static void thrustmaster_interrupts(struct hid_device *hdev)
        b_ep = ep->desc.bEndpointAddress;
 
        /* Are the expected endpoints present? */
-       u8 ep_addr[1] = {b_ep};
+       u8 ep_addr[2] = {b_ep, 0};
 
        if (!usb_check_int_endpoints(usbif, ep_addr)) {
                hid_err(hdev, "Unexpected non-int endpoint\n");