Message-ID: <qp120s01-q22q-52rr-97n2-or6o30n1qrqq@xreary.bet>
Date: Thu, 3 Jul 2025 09:38:27 +0200 (CEST)
From: Jiri Kosina <jikos@...nel.org>
To: Qasim Ijaz <qasdev00@...il.com>
cc: bentiss@...nel.org, gargaditya08@...e.com, jirislaby@...nel.org,
linux-input@...r.kernel.org, linux-kernel@...r.kernel.org,
stable@...r.kernel.org
Subject: Re: [PATCH v2] HID: appletb-kbd: fix memory corruption of input_handler_list
On Fri, 27 Jun 2025, Qasim Ijaz wrote:
> In appletb_kbd_probe an input handler is initialised and then registered
> with input core through input_register_handler(). When this happens input
> core will add the input handler (specifically its node) to the global
> input_handler_list. The input_handler_list is central to the functionality
> of input core and is traversed in various places in input core. An example
> of this is when a new input device is plugged in and gets registered with
> input core.
>
> The input_handler in probe is allocated as device managed memory. If a
> probe failure occurs after input_register_handler() the input_handler
> memory is freed, yet it will remain in the input_handler_list. This
> effectively means the input_handler_list contains a dangling pointer
> to data belonging to a freed input handler.
>
> This causes an issue when any other input device is plugged in - in my
> case I had an old PixArt HP USB optical mouse and I decided to
> plug it in after a failure occurred after input_register_handler().
> This led to the registration of this input device via
> input_register_device which involves traversing over every handler
> in the corrupted input_handler_list and calling input_attach_handler(),
> giving each handler a chance to bind to the newly registered device.
>
> The core of this bug is a UAF which causes memory corruption of
> input_handler_list and to fix it we must ensure the input handler is
> unregistered from input core; this is done through
> input_unregister_handler().
Applied to hid.git#for-6.16/upstream-fixes, thanks!
--
Jiri Kosina
SUSE Labs
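As an added illustration of the lifetime bug the patch fixes (this is a user-space model written for this page, not the kernel's or the patch's code): a global registry list keeps a node embedded in a device-managed allocation, and a probe failure releases that allocation; the names appletb_probe_model, devres_release and registry_dangles are constructed, and the devm/list helpers are simplified stand-ins for the kernel's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Minimal doubly-linked list in the style of the kernel's list.h. */
struct list_head { struct list_head *next, *prev; };
#define LIST_HEAD_INIT(n) { &(n), &(n) }
static void list_add(struct list_head *n, struct list_head *h)
{ n->next = h->next; n->prev = h; h->next->prev = n; h->next = n; }
static void list_del(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = NULL; }
static bool list_empty(const struct list_head *h) { return h->next == h; }

/* Stand-in for the input core's global input_handler_list. */
struct input_handler { struct list_head node; int id; };
static struct list_head input_handler_list = LIST_HEAD_INIT(input_handler_list);
static void input_register_handler(struct input_handler *h)
{ list_add(&h->node, &input_handler_list); }
static void input_unregister_handler(struct input_handler *h)
{ list_del(&h->node); }

/* Toy devres: one managed allocation per device, released when probe
 * fails, mirroring what devm_* memory does on the probe error path. */
struct device { void *devres; };
static void *devm_kzalloc(struct device *d, size_t n)
{ d->devres = calloc(1, n); return d->devres; }
static void devres_release(struct device *d) { free(d->devres); d->devres = NULL; }

/* Probe that registers the handler and then fails (constructed failure).
 * 'fixed' selects whether the error path unregisters the handler before
 * devres frees its memory. Always returns -1 to model the failed probe. */
static int appletb_probe_model(struct device *dev, bool fixed)
{
	struct input_handler *h = devm_kzalloc(dev, sizeof(*h));
	if (!h)
		return -1;
	input_register_handler(h);
	/* ... a later probe step fails here ... */
	if (fixed)
		input_unregister_handler(h); /* the fix: leave the global list first */
	devres_release(dev);                 /* devm memory gone; node now dangles if still linked */
	return -1;
}

/* True when the registry still links to memory devres already freed.
 * Only the list head is inspected, so freed memory is never touched. */
static bool registry_dangles(void) { return !list_empty(&input_handler_list); }
/* Reset the head without walking it (safe even after the buggy path). */
static void reset_registry(void)
{ input_handler_list.next = input_handler_list.prev = &input_handler_list; }
```

The buggy path leaves the head pointing at the released allocation, which is exactly the state the commit message describes a later input_register_device() walking into; the fixed path leaves the list empty.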