Message-Id: <68CBB472-565A-4CA8-9ECF-E0F278B10F19@gmail.com>
Date: Fri, 18 Jul 2025 13:16:41 +1000
From: Orlando Chamberlain <orlandoch.dev@...il.com>
To: Qasim Ijaz <qasdev00@...il.com>
Cc: jikos@...nel.org, bentiss@...nel.org, gargaditya08@...e.com,
 linux-input@...r.kernel.org, linux-kernel@...r.kernel.org,
 stable@...r.kernel.org
Subject: Re: [PATCH] HID: apple: validate feature-report field count to prevent NULL pointer dereference

Hi Qasim,

> On 14 Jul 2025, at 9:31 am, Qasim Ijaz <qasdev00@...il.com> wrote:
> ...
>  [   15.164723] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI
>  [   15.165691] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
>  [   15.165691] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0 #31 PREEMPT(voluntary)
>  [   15.165691] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
>  [   15.165691] RIP: 0010:apple_magic_backlight_report_set+0xbf/0x210
>  [   15.165691] Call Trace:
>  [   15.165691]  <TASK>
>  [   15.165691]  apple_probe+0x571/0xa20
>  [   15.165691]  hid_device_probe+0x2e2/0x6f0
>  [   15.165691]  really_probe+0x1ca/0x5c0
>  [   15.165691]  __driver_probe_device+0x24f/0x310
>  [   15.165691]  driver_probe_device+0x4a/0xd0
>  [   15.165691]  __device_attach_driver+0x169/0x220
>  [   15.165691]  bus_for_each_drv+0x118/0x1b0
>  [   15.165691]  __device_attach+0x1d5/0x380
>  [   15.165691]  device_initial_probe+0x12/0x20
>  [   15.165691]  bus_probe_device+0x13d/0x180
>  [   15.165691]  device_add+0xd87/0x1510
>  [...]
> 
> To fix this issue we should validate the number of fields that the
> backlight and power reports have, and if they do not have the required
> number of fields, then bail.
> 
> Fixes: 394ba612f941 ("HID: apple: Add support for magic keyboard backlight on T2 Macs")
> Cc: stable@...r.kernel.org
> Signed-off-by: Qasim Ijaz <qasdev00@...il.com>

I haven't had a chance to test this on my laptop but Aditya has the same MacBook model anyway. As long as this fixes the null deref you got with the spoofed HID device in QEMU, this seems fine.

Reviewed-by: Orlando Chamberlain <orlandoch.dev@...il.com>
> ---
> drivers/hid/hid-apple.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c
> index ed34f5cd5a91..183229ae5f02 100644
> --- a/drivers/hid/hid-apple.c
> +++ b/drivers/hid/hid-apple.c
> @@ -890,7 +890,8 @@ static int apple_magic_backlight_init(struct hid_device *hdev)
>    backlight->brightness = report_enum->report_id_hash[APPLE_MAGIC_REPORT_ID_BRIGHTNESS];
>    backlight->power = report_enum->report_id_hash[APPLE_MAGIC_REPORT_ID_POWER];
> 
> -    if (!backlight->brightness || !backlight->power)
> +    if (!backlight->brightness || backlight->brightness->maxfield < 2 ||
> +        !backlight->power || backlight->power->maxfield < 2)
>        return -ENODEV;
> 
>    backlight->cdev.name = ":white:" LED_FUNCTION_KBD_BACKLIGHT;
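Review bot: the literal 2 in `maxfield < 2` on both added lines is unexplained, and the changelog only says "the required number of fields" without saying where that requirement comes from. Add a comment on the check (or a named constant) stating that apple_magic_backlight_report_set() indexes field[0] and field[1], so a report with fewer fields is rejected here at probe time instead of being dereferenced as NULL there, which is what the quoted oops shows. The check also bounds only the field count, not what each field holds; if report_set writes into per-field value storage as well, the changelog should say why the count alone is sufficient against a spoofed descriptor.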
> --
> 2.39.5
> 
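The check the patch adds, as an added user-space model that is not code from the patch or the kernel tree (model_report, model_field, build_report and probe_with_counts are stand-ins invented here, and the "two fields" requirement is an assumption matching the patch's threshold): a report whose descriptor declared fewer than two fields leaves field[1] NULL, which the setter would otherwise dereference, and the probe-time count check turns that into -ENODEV.

```c
/* Added user-space model of the patched check, not code from the patch or the
 * kernel; model_report/model_field stand in for struct hid_report/hid_field. */
#include <errno.h>
#define MODEL_MAX_FIELDS 4
/* Fields the setter touches, field[0] (level) and field[1] (on/off): an
 * assumption of this model matching the patch's "maxfield < 2" threshold. */
#define BACKLIGHT_MIN_FIELDS 2
struct model_field { int value[1]; };
/* maxfield counts populated fields; field[i] is NULL where absent. */
struct model_report { unsigned int maxfield; struct model_field *field[MODEL_MAX_FIELDS]; };

/* Same shape as the patched apple_magic_backlight_init() check: a missing
 * report, or one with fewer fields than the setter uses, fails the probe. */
static int backlight_init(const struct model_report *b, const struct model_report *p)
{
	if (!b || b->maxfield < BACKLIGHT_MIN_FIELDS ||
	    !p || p->maxfield < BACKLIGHT_MIN_FIELDS)
		return -ENODEV;
	return 0;
}

/* Runs only after backlight_init() succeeded, so field[0]/[1] are non-NULL. */
static void backlight_report_set(struct model_report *r, int lvl, int on)
{
	r->field[0]->value[0] = lvl;
	r->field[1]->value[0] = on;
}

/* Populate n fields; the rest stay NULL, as a spoofed descriptor that declares
 * too few fields would leave them. */
static void build_report(struct model_report *r, unsigned int n, struct model_field *s)
{
	*r = (struct model_report){ .maxfield = n > MODEL_MAX_FIELDS ? MODEL_MAX_FIELDS : n };
	for (unsigned int i = 0; i < r->maxfield; i++)
		r->field[i] = &s[i];
}

/* Probe a constructed device: 0 if the setter ran, -ENODEV if init rejected it. */
int probe_with_counts(unsigned int brightness_fields, unsigned int power_fields)
{
	struct model_field store[2][MODEL_MAX_FIELDS];
	struct model_report b, p;
	build_report(&b, brightness_fields, store[0]);
	build_report(&p, power_fields, store[1]);
	if (backlight_init(&b, &p))
		return -ENODEV;
	backlight_report_set(&b, 255, 1);
	backlight_report_set(&p, 0, 1);
	return b.field[1]->value[0] == 1 && p.field[1]->value[0] == 1 ? 0 : -EIO;
}
```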
