| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALEuBakRd8W-FvOiuih-CsEQH-CL_S1MBVVsOUj9g22zjxPEdQ@mail.gmail.com>
Date: Thu, 15 Jan 2026 22:17:23 +0800
From: 齐柯宇 <qikeyu2017@...il.com>
To: Bastien Nocera <hadess@...ess.net>
Cc: jikos@...nel.org, bentiss@...nel.org, lains@...eup.net, hansg@...nel.org,
linux-input@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] HID: logitech-hidpp: fix NULL pointer dereference in hidpp_get_report_length()
Hello,
Thank you for the review. I apologize for the format issue and will
resend the patch as plain text following the documentation guidelines.
Best regards,
Kery
Bastien Nocera <hadess@...ess.net> 于2026年1月15日周四 20:03写道:
>
> Hello,
>
> Patch looks good, but you will need to resend it as plain text, as per
> the submitting patches documentation:
> https://www.kernel.org/doc/html/v6.17/process/submitting-patches.html#no-mime-no-links-no-compression-no-attachments-just-plain-text
>
> Regards
>
> On Thu, 2026-01-15 at 01:48 +0800, 齐柯宇 wrote:
> > Add validation for report->maxfield and report->field[0] before
> > dereferencing to prevent NULL pointer dereference.
> >
> > The HID report descriptor is provided by the USB device firmware via
> > USB control transfer (GET_DESCRIPTOR). A malicious device can craft
> > a descriptor that defines an OUTPUT report without any usages
> > (padding fields). When the HID subsystem parses such a descriptor:
> >
> > 1. hid_add_field() calls hid_register_report() to create the report
> > object and stores it in report_id_hash[id]
> > 2. Since parser->local.usage_index is 0, hid_add_field() returns
> > early
> > without calling hid_register_field() to add any fields
> > 3. Result: report exists with maxfield=0 and field[0]=NULL
> >
> > When hidpp_probe() is called for a device matching this driver:
> > - hidpp_validate_device() calls hidpp_get_report_length()
> > - hidpp_get_report_length() retrieves the report from hash (not
> > NULL)
> > - It then dereferences report->field[0]->report_count
> > - Since field[0] is NULL, this triggers a kernel NULL pointer
> > dereference
> >
> > Data flow from attacker to crash:
> > Malicious USB Device
> > |
> > v (USB GET_DESCRIPTOR control transfer)
> > hid_get_class_descriptor() -- reads HID report descriptor from
> > device
> > |
> > v
> > hid_parse_report() -- stores descriptor in hid->dev_rdesc
> > |
> > v
> > hid_open_report() -> hid_add_field()
> > | |
> > | v
> > | hid_register_report() -- creates report,
> > maxfield=0
> > | |
> > | v
> > | returns early if usage_index==0, no field added
> > |
> > v
> > hidpp_validate_device() -> hidpp_get_report_length()
> > |
> > v
> > report->field[0]->report_count -- NULL pointer dereference!
> >
> > This is triggerable by an attacker with physical access using a
> > malicious USB device (e.g., BadUSB, programmable USB development
> > boards).
> >
> > Fixes: d71b18f7c7999 ("HID: logitech-hidpp: do not hardcode very long
> > report length")
> > Signed-off-by: Kery Qi <qikeyu2017@...il.com>
> > ---
> > drivers/hid/hid-logitech-hidpp.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-
> > logitech-hidpp.c
> > index d5011a5d0890..02ddbd658e89 100644
> > --- a/drivers/hid/hid-logitech-hidpp.c
> > +++ b/drivers/hid/hid-logitech-hidpp.c
> > @@ -4314,7 +4314,7 @@ static int hidpp_get_report_length(struct
> > hid_device *hdev, int id)
> >
> > re = &(hdev->report_enum[HID_OUTPUT_REPORT]);
> > report = re->report_id_hash[id];
> > - if (!report)
> > + if (!report || report->maxfield < 1 || !report->field[0])
> > return 0;
> >
> > return report->field[0]->report_count + 1;
> > --
> > 2.34.1
Powered by blists - more mailing lists