| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <09efd83ea70771f8ce1feaf7d7172b72970d8d55.camel@hadess.net>
Date: Thu, 15 Jan 2026 13:03:03 +0100
From: Bastien Nocera <hadess@...ess.net>
To: 齐柯宇 <qikeyu2017@...il.com>,
jikos@...nel.org, bentiss@...nel.org
Cc: lains@...eup.net, hansg@...nel.org, linux-input@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] HID: logitech-hidpp: fix NULL pointer dereference in
hidpp_get_report_length()
Hello,
Patch looks good, but you will need to resend it as plain text, as per
the submitting patches documentation:
https://www.kernel.org/doc/html/v6.17/process/submitting-patches.html#no-mime-no-links-no-compression-no-attachments-just-plain-text
Regards
On Thu, 2026-01-15 at 01:48 +0800, 齐柯宇 wrote:
> Add validation for report->maxfield and report->field[0] before
> dereferencing to prevent NULL pointer dereference.
>
> The HID report descriptor is provided by the USB device firmware via
> USB control transfer (GET_DESCRIPTOR). A malicious device can craft
> a descriptor that defines an OUTPUT report without any usages
> (padding fields). When the HID subsystem parses such a descriptor:
>
> 1. hid_add_field() calls hid_register_report() to create the report
> object and stores it in report_id_hash[id]
> 2. Since parser->local.usage_index is 0, hid_add_field() returns
> early
> without calling hid_register_field() to add any fields
> 3. Result: report exists with maxfield=0 and field[0]=NULL
>
> When hidpp_probe() is called for a device matching this driver:
> - hidpp_validate_device() calls hidpp_get_report_length()
> - hidpp_get_report_length() retrieves the report from hash (not
> NULL)
> - It then dereferences report->field[0]->report_count
> - Since field[0] is NULL, this triggers a kernel NULL pointer
> dereference
>
> Data flow from attacker to crash:
> Malicious USB Device
> |
> v (USB GET_DESCRIPTOR control transfer)
> hid_get_class_descriptor() -- reads HID report descriptor from
> device
> |
> v
> hid_parse_report() -- stores descriptor in hid->dev_rdesc
> |
> v
> hid_open_report() -> hid_add_field()
> | |
> | v
> | hid_register_report() -- creates report,
> maxfield=0
> | |
> | v
> | returns early if usage_index==0, no field added
> |
> v
> hidpp_validate_device() -> hidpp_get_report_length()
> |
> v
> report->field[0]->report_count -- NULL pointer dereference!
>
> This is triggerable by an attacker with physical access using a
> malicious USB device (e.g., BadUSB, programmable USB development
> boards).
>
> Fixes: d71b18f7c7999 ("HID: logitech-hidpp: do not hardcode very long
> report length")
> Signed-off-by: Kery Qi <qikeyu2017@...il.com>
> ---
> drivers/hid/hid-logitech-hidpp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-
> logitech-hidpp.c
> index d5011a5d0890..02ddbd658e89 100644
> --- a/drivers/hid/hid-logitech-hidpp.c
> +++ b/drivers/hid/hid-logitech-hidpp.c
> @@ -4314,7 +4314,7 @@ static int hidpp_get_report_length(struct
> hid_device *hdev, int id)
>
> re = &(hdev->report_enum[HID_OUTPUT_REPORT]);
> report = re->report_id_hash[id];
> - if (!report)
> + if (!report || report->maxfield < 1 || !report->field[0])
> return 0;
>
> return report->field[0]->report_count + 1;
> --
> 2.34.1
Powered by blists - more mailing lists