From patchwork Sun Oct 20 14:47:36 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Karol Przybylski X-Patchwork-Id: 13843108 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id D3F68D3C92A for ; Sun, 20 Oct 2024 14:49:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Transfer-Encoding: MIME-Version:Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=jKc4HUiSL08fbl+1Cp0m4Wtmx7X/6lUCNDJ1T+im9NM=; b=NOA6zTJynZ4nvDejn5C96ogMEt RdN/4pzpx2qSAWYNwjL/wrrJ6OlnZNaPH4Ty/QSYVFyIKbubdsd5mVrz28+AKS6LWCFdyjLkvqLGc 0s0DjcuiMu0+B3aFX9ekmJPEI5Qkn+WTagRpXFyw97IHvEn/4jUOTd5lKdKIweRjXXfgkqIRa4mHu D45PBQffoKr/qeFU6OP4uLGYRtcXAYUbUCo82Aq+2xv9TvLsTsAfzTf6L3f7AlGNh89F/tql7J2GP gZ5eV+RnR9yz3Z2yfn5oQthpdGEUa+JRTDOstSxOwsm5B+i6arlrWx3oVU+9/HXaXDHJuuzjIsote HJZaObPg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.98 #2 (Red Hat Linux)) id 1t2XFD-000000050nJ-2xOh; Sun, 20 Oct 2024 14:49:23 +0000 Received: from mail-ed1-x536.google.com ([2a00:1450:4864:20::536]) by bombadil.infradead.org with esmtps (Exim 4.98 #2 (Red Hat Linux)) id 1t2XDk-000000050iB-0T3w for linux-arm-kernel@lists.infradead.org; Sun, 20 Oct 2024 14:47:53 +0000 Received: by mail-ed1-x536.google.com with SMTP id 4fb4d7f45d1cf-5c96df52c52so4668787a12.1 for ; Sun, 20 Oct 2024 07:47:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1729435670; x=1730040470; darn=lists.infradead.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=jKc4HUiSL08fbl+1Cp0m4Wtmx7X/6lUCNDJ1T+im9NM=; b=BryNIvyp25ycrhouChNEtEmeRAuC4SaATj4LXPaANBzUeWri47yjV2668TwdFhTW4q mi7PrDUlHR1Dple4fK16nQgIR0/XCcAVdHavj9R10FRrg5DIKNjDJXMZh6GYT7K9mfVn yY/Sd9TkHfHH7rWkyUvc4cMqPDxosZBCiY1APgsVpN710C0HvXDeYG7sW2Lex/zvKbLI oSeBjtowbVncmDDA/CsMHroEtEZfR7T9E70debZurrxLbwqKfov9b05ph2sreimkd+xf cs3po7F4McFaBbZuSba07KmeeIKK5JEDG8cGATpYZLetbgyULhL55+BU8jZvEBZRmIJi hujA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1729435670; x=1730040470; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=jKc4HUiSL08fbl+1Cp0m4Wtmx7X/6lUCNDJ1T+im9NM=; b=Wg+hkrwvbRqNbvwiDNz37ERnSYdprioWuk6FLAtBZzEGTmVH3bnVLaomP63B8+mOd5 ah7Cp/AcCIRAotiBGt5d0s8psFIEIozj2xdPdT9afYpYvFXrTtvbHcy7TSsERK+LTOzc tTrNv2/ae//z5CJhdL0KrgqJSFPTU3wxImNk3RIa1SvCqiLEcjrCk3XZHGHV/y4c2RTc Zjxgi0+hmzXd2yBrdk4MqAB08zVZ+wYtV/xRYKMdGtWfx04l1EsgarFFfSBXt3dyuK06 cU1qTe8f4d7i8ePNHwDPgyFjG0HobbD7AEtXUZowP/TsTb/yD9cGN3rV4JBp/x9D6jm7 426A== X-Forwarded-Encrypted: i=1; AJvYcCVOMIn4XFcrQh6pA5e7IYShXXz3fw8Cf+0rWCsTphDXUlDHgawz+vYbSgf/jvfMu2bSSG1CUrNUInr+jZ3tJFsc@lists.infradead.org X-Gm-Message-State: AOJu0YyjbWAaUDwFkpAJb9ev+CJmVxAiqyHWdiahlhxiEreDRoM04sJp yhHiNw7vj/EULK0hIy9Ns4vsaf8Mg5Asc1c1Dd8Qj0G4gtu89O8g X-Google-Smtp-Source: AGHT+IGHD3C7WMAfwu034gemcUPBTbi4GTHeY+VlhD+dixphZLpFTmlYZV+o5j5E5ifFLaLvCDDMXw== X-Received: by 2002:a05:6402:34d4:b0:5cb:6729:feaf with SMTP id 4fb4d7f45d1cf-5cb672a12cbmr1857651a12.16.1729435669814; Sun, 20 Oct 2024 07:47:49 -0700 (PDT) Received: from localhost.localdomain ([83.168.79.145]) by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-5cb6696b525sm945788a12.16.2024.10.20.07.47.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 20 Oct 2024 07:47:48 -0700 (PDT) From: Karol Przybylski To: jikos@kernel.org, bentiss@kernel.org, mcoquelin.stm32@gmail.com, alexandre.torgue@foss.st.com Cc: Karol Przybylski , linux-input@vger.kernel.org, linux-stm32@st-md-mailman.stormreply.com, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, syzbot+040e8b3db6a96908d470@syzkaller.appspotmail.com Subject: [PATCH] HID: hid-thrustmaster: add endpoint check in thrustmaster_interrupts Date: Sun, 20 Oct 2024 16:47:36 +0200 Message-Id: <20241020144736.367420-1-karprzy7@gmail.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20241020_074752_170621_FD5FD39E X-CRM114-Status: GOOD ( 12.07 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org syzbot has found a type mismatch between a USB pipe and the transfer endpoint, which is triggered by the hid-thrustmaster driver[1]. There is a number of similar, already fixed issues [2]. In this case as in others, implementing check for endpoint type fixes the issue. [1] https://syzkaller.appspot.com/bug?extid=040e8b3db6a96908d470 [2] https://syzkaller.appspot.com/bug?extid=348331f63b034f89b622 Fixes: c49c33637802 ("HID: support for initialization of some Thrustmaster wheels") Reported-by: syzbot+040e8b3db6a96908d470@syzkaller.appspotmail.com Tested-by: syzbot+040e8b3db6a96908d470@syzkaller.appspotmail.com Signed-off-by: Karol Przybylski --- drivers/hid/hid-thrustmaster.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/hid/hid-thrustmaster.c b/drivers/hid/hid-thrustmaster.c index cf1679b0d4fb..f948189394ef 100644 --- a/drivers/hid/hid-thrustmaster.c +++ b/drivers/hid/hid-thrustmaster.c @@ -170,6 +170,13 @@ static void thrustmaster_interrupts(struct hid_device *hdev) ep = &usbif->cur_altsetting->endpoint[1]; b_ep = ep->desc.bEndpointAddress; + /* Are the expected endpoints present? */ + u8 ep_addr[1] = {b_ep}; + if (!usb_check_int_endpoints(usbif, ep_addr)) { + hid_err(hdev, "Unexpected non-int endpoint\n"); + return; + } + for (i = 0; i < ARRAY_SIZE(setup_arr); ++i) { memcpy(send_buf, setup_arr[i], setup_arr_sizes[i]);