Message-ID: <aGZN-0aYscZMYpld@gmail.com>
Date: Thu, 3 Jul 2025 10:31:39 +0100
From: Qasim Ijaz <qasdev00@...il.com>
To: Jiri Kosina <jikos@...nel.org>
Cc: bentiss@...nel.org, gargaditya08@...e.com, jirislaby@...nel.org,
linux-input@...r.kernel.org, linux-kernel@...r.kernel.org,
stable@...r.kernel.org
Subject: Re: [PATCH v2] HID: appletb-kbd: fix memory corruption of input_handler_list

On Thu, Jul 03, 2025 at 09:38:27AM +0200, Jiri Kosina wrote:
> On Fri, 27 Jun 2025, Qasim Ijaz wrote:
>
> > In appletb_kbd_probe an input handler is initialised and then registered
> > with input core through input_register_handler(). When this happens input
> > core will add the input handler (specifically its node) to the global
> > input_handler_list. The input_handler_list is central to the functionality
> > of input core and is traversed in various places in input core. An example
> > of this is when a new input device is plugged in and gets registered with
> > input core.
> >
> > The input_handler in probe is allocated as device managed memory. If a
> > probe failure occurs after input_register_handler() the input_handler
> > memory is freed, yet it will remain in the input_handler_list. This
> > effectively means the input_handler_list contains a dangling pointer
> > to data belonging to a freed input handler.
> >
> > This causes an issue when any other input device is plugged in - in my
> > case I had an old PixArt HP USB optical mouse and I decided to
> > plug it in after a failure occurred after input_register_handler().
> > This led to the registration of this input device via
> > input_register_device which involves traversing over every handler
> > in the corrupted input_handler_list and calling input_attach_handler(),
> > giving each handler a chance to bind to the newly registered device.
> >
> > The core of this bug is a UAF which causes memory corruption of
> > input_handler_list and to fix it we must ensure the input handler is
> > unregistered from input core, this is done through
> > input_unregister_handler().
>
> Applied to hid.git#for-6.16/upstream-fixes, thanks!
Thanks Jiri, would it also be possible to apply this one too:
<https://lore.kernel.org/all/20250624125256.20473-1-qasdev00@gmail.com/>
It's a bug fix I sent before this a while back but I think it may have been buried
deep down in your inbox causing you to miss it.
Thanks,
Qasim
>
> --
> Jiri Kosina
> SUSE Labs
>
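The quoted commit message describes an ordering bug between two cleanup mechanisms: the handler is linked into the global input_handler_list by input_register_handler(), but its memory is owned by devres and is freed automatically when probe fails, so the list keeps a pointer to freed memory until the next device registration walks it. The following is an added userspace toy model written for this page, not the patch or any kernel code; the list helpers, the `struct device`/devres stand-ins, the `appletb_kbd_probe_toy()` function and the constructed probe failure are all assumptions chosen to mirror the description. It shows the error path with and without the unregister call and reports whether a freed node is still linked afterwards.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal doubly-linked list in the style of <linux/list.h> (toy, not kernel code). */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->next = head; n->prev = head->prev;
    head->prev->next = n; head->prev = n;
}
static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;
}
/* Only inspects the head's own pointers, so it never dereferences a list member. */
static bool list_empty(const struct list_head *h) { return h->next == h; }

/* Stand-in for the input core: a global list of registered handlers. */
struct input_handler {
    const char *name;
    struct list_head node;   /* linked into input_handler_list */
};
static struct list_head input_handler_list;

static void input_register_handler(struct input_handler *h)   { list_add_tail(&h->node, &input_handler_list); }
static void input_unregister_handler(struct input_handler *h) { list_del(&h->node); }

/* Toy devres: allocations owned by the device, released in bulk when probe fails. */
struct device { void *devres[4]; int ndevres; };

static void *devm_kzalloc(struct device *dev, size_t size)
{
    void *p = calloc(1, size);
    dev->devres[dev->ndevres++] = p;
    return p;
}
static void devres_release_all(struct device *dev)
{
    for (int i = 0; i < dev->ndevres; i++)
        free(dev->devres[i]);
    dev->ndevres = 0;
}

/* Probe modelled on the commit message: register the handler, then a later step fails
 * (constructed failure). With fix_applied the handler leaves the global list before
 * devres frees it, which is the ordering the patch restores. */
static int appletb_kbd_probe_toy(struct device *dev, bool fix_applied)
{
    struct input_handler *handler = devm_kzalloc(dev, sizeof(*handler));
    handler->name = "appletb_kbd";
    input_register_handler(handler);

    int ret = -ENOMEM;               /* assumed: some later probe step fails */
    if (fix_applied)
        input_unregister_handler(handler);
    return ret;
}

/* Driver-core behaviour on probe failure, then a check of what the list still holds.
 * Returns true when input_handler_list still links a node that devres has freed. */
static bool probe_failure_leaves_dangling_handler(bool fix_applied)
{
    struct device dev = { { 0 }, 0 };
    INIT_LIST_HEAD(&input_handler_list);

    if (appletb_kbd_probe_toy(&dev, fix_applied))
        devres_release_all(&dev);    /* frees the handler; if still linked, the list is now stale */

    bool dangling = !list_empty(&input_handler_list);
    INIT_LIST_HEAD(&input_handler_list);  /* reset without touching the freed node */
    return dangling;
}

int main(void)
{
    printf("without fix: freed handler still on input_handler_list = %s\n",
           probe_failure_leaves_dangling_handler(false) ? "yes" : "no");
    printf("with fix:    freed handler still on input_handler_list = %s\n",
           probe_failure_leaves_dangling_handler(true) ? "yes" : "no");
    return 0;
}
```

The check deliberately uses only `list_empty()`, which compares the head against itself; walking the list in the unfixed case would be exactly the use-after-free the patch removes, and a run under KASAN or a userspace sanitizer on a traversal at that point is how the corruption shows up in practice.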