| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260115142417.243-1-qikeyu2017@gmail.com>
Date: Thu, 15 Jan 2026 22:24:16 +0800
From: Kery Qi <qikeyu2017@...il.com>
To: jikos@...nel.org,
bentiss@...nel.org
Cc: lains@...eup.net,
hadess@...ess.net,
hansg@...nel.org,
linux-input@...r.kernel.org,
linux-kernel@...r.kernel.org,
Kery Qi <qikeyu2017@...il.com>
Subject: [PATCH] HID: logitech-hidpp: fix NULL pointer dereference in hidpp_get_report_length()
Add validation for report->maxfield and report->field[0] before
dereferencing to prevent NULL pointer dereference.
The HID report descriptor is provided by the USB device firmware via
USB control transfer (GET_DESCRIPTOR). A malicious device can craft
a descriptor that defines an OUTPUT report without any usages
(padding fields). When the HID subsystem parses such a descriptor:
1. hid_add_field() calls hid_register_report() to create the report
object and stores it in report_id_hash[id]
2. Since parser->local.usage_index is 0, hid_add_field() returns early
without calling hid_register_field() to add any fields
3. Result: report exists with maxfield=0 and field[0]=NULL
When hidpp_probe() is called for a device matching this driver:
- hidpp_validate_device() calls hidpp_get_report_length()
- hidpp_get_report_length() retrieves the report from hash (not NULL)
- It then dereferences report->field[0]->report_count
- Since field[0] is NULL, this triggers a kernel NULL pointer
dereference
Data flow from attacker to crash:
Malicious USB Device
|
v (USB GET_DESCRIPTOR control transfer)
hid_get_class_descriptor() -- reads HID report descriptor from device
|
v
hid_parse_report() -- stores descriptor in hid->dev_rdesc
|
v
hid_open_report() -> hid_add_field()
| |
| v
| hid_register_report() -- creates report, maxfield=0
| |
| v
| returns early if usage_index==0, no field added
|
v
hidpp_validate_device() -> hidpp_get_report_length()
|
v
report->field[0]->report_count -- NULL pointer dereference!
This is triggerable by an attacker with physical access using a
malicious USB device (e.g., BadUSB, programmable USB development
boards).
Fixes: d71b18f7c7999 ("HID: logitech-hidpp: do not hardcode very long report length")
Signed-off-by: Kery Qi <qikeyu2017@...il.com>
---
drivers/hid/hid-logitech-hidpp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index d5011a5d0890..02ddbd658e89 100644
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -4314,7 +4314,7 @@ static int hidpp_get_report_length(struct hid_device *hdev, int id)
re = &(hdev->report_enum[HID_OUTPUT_REPORT]);
report = re->report_id_hash[id];
- if (!report)
+ if (!report || report->maxfield < 1 || !report->field[0])
return 0;
return report->field[0]->report_count + 1;
--
2.34.1
Powered by blists - more mailing lists