| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALEuBakV4Uz3xyy8gbYFv8Tg+uA3hMCE+5Qrs8KH2EQw4T9Tsg@mail.gmail.com>
Date: Thu, 15 Jan 2026 23:20:35 +0800
From: 齐柯宇 <qikeyu2017@...il.com>
To: jikos@...nel.org, bentiss@...nel.org
Cc: Bastien Nocera <hadess@...ess.net>, lains@...eup.net, linux-input@...r.kernel.org,
linux-kernel@...r.kernel.org, hansg@...nel.org
Subject: Re: [PATCH] HID: logitech-hidpp: fix NULL pointer dereference in hidpp_get_report_length()
Hello,
Thanks for the feedback.
Best regards
Kery
Kery Qi <qikeyu2017@...il.com> 于2026年1月15日周四 22:24写道:
>
> Add validation for report->maxfield and report->field[0] before
> dereferencing to prevent NULL pointer dereference.
>
> The HID report descriptor is provided by the USB device firmware via
> USB control transfer (GET_DESCRIPTOR). A malicious device can craft
> a descriptor that defines an OUTPUT report without any usages
> (padding fields). When the HID subsystem parses such a descriptor:
>
> 1. hid_add_field() calls hid_register_report() to create the report
> object and stores it in report_id_hash[id]
> 2. Since parser->local.usage_index is 0, hid_add_field() returns early
> without calling hid_register_field() to add any fields
> 3. Result: report exists with maxfield=0 and field[0]=NULL
>
> When hidpp_probe() is called for a device matching this driver:
> - hidpp_validate_device() calls hidpp_get_report_length()
> - hidpp_get_report_length() retrieves the report from hash (not NULL)
> - It then dereferences report->field[0]->report_count
> - Since field[0] is NULL, this triggers a kernel NULL pointer
> dereference
>
> Data flow from attacker to crash:
> Malicious USB Device
> |
> v (USB GET_DESCRIPTOR control transfer)
> hid_get_class_descriptor() -- reads HID report descriptor from device
> |
> v
> hid_parse_report() -- stores descriptor in hid->dev_rdesc
> |
> v
> hid_open_report() -> hid_add_field()
> | |
> | v
> | hid_register_report() -- creates report, maxfield=0
> | |
> | v
> | returns early if usage_index==0, no field added
> |
> v
> hidpp_validate_device() -> hidpp_get_report_length()
> |
> v
> report->field[0]->report_count -- NULL pointer dereference!
>
> This is triggerable by an attacker with physical access using a
> malicious USB device (e.g., BadUSB, programmable USB development
> boards).
>
> Fixes: d71b18f7c7999 ("HID: logitech-hidpp: do not hardcode very long report length")
> Signed-off-by: Kery Qi <qikeyu2017@...il.com>
> ---
> drivers/hid/hid-logitech-hidpp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
> index d5011a5d0890..02ddbd658e89 100644
> --- a/drivers/hid/hid-logitech-hidpp.c
> +++ b/drivers/hid/hid-logitech-hidpp.c
> @@ -4314,7 +4314,7 @@ static int hidpp_get_report_length(struct hid_device *hdev, int id)
>
> re = &(hdev->report_enum[HID_OUTPUT_REPORT]);
> report = re->report_id_hash[id];
> - if (!report)
> + if (!report || report->maxfield < 1 || !report->field[0])
> return 0;
>
> return report->field[0]->report_count + 1;
> --
> 2.34.1
>
Powered by blists - more mailing lists