drivers/hid/hid-logitech-hidpp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Add validation for report->maxfield and report->field[0] before
dereferencing to prevent NULL pointer dereference.
The HID report descriptor is provided by the USB device firmware via
USB control transfer (GET_DESCRIPTOR). A malicious device can craft
a descriptor that defines an OUTPUT report without any usages
(padding fields). When the HID subsystem parses such a descriptor:
1. hid_add_field() calls hid_register_report() to create the report
object and stores it in report_id_hash[id]
2. Since parser->local.usage_index is 0, hid_add_field() returns early
without calling hid_register_field() to add any fields
3. Result: report exists with maxfield=0 and field[0]=NULL
When hidpp_probe() is called for a device matching this driver:
- hidpp_validate_device() calls hidpp_get_report_length()
- hidpp_get_report_length() retrieves the report from hash (not NULL)
- It then dereferences report->field[0]->report_count
- Since field[0] is NULL, this triggers a kernel NULL pointer
dereference
Data flow from attacker to crash:
Malicious USB Device
|
v (USB GET_DESCRIPTOR control transfer)
hid_get_class_descriptor() -- reads HID report descriptor from device
|
v
hid_parse_report() -- stores descriptor in hid->dev_rdesc
|
v
hid_open_report() -> hid_add_field()
| |
| v
| hid_register_report() -- creates report, maxfield=0
| |
| v
| returns early if usage_index==0, no field added
|
v
hidpp_validate_device() -> hidpp_get_report_length()
|
v
report->field[0]->report_count -- NULL pointer dereference!
This is triggerable by an attacker with physical access using a
malicious USB device (e.g., BadUSB, programmable USB development
boards).
Fixes: d71b18f7c7999 ("HID: logitech-hidpp: do not hardcode very long report length")
Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
---
drivers/hid/hid-logitech-hidpp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index d5011a5d0890..02ddbd658e89 100644
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -4314,7 +4314,7 @@ static int hidpp_get_report_length(struct hid_device *hdev, int id)
re = &(hdev->report_enum[HID_OUTPUT_REPORT]);
report = re->report_id_hash[id];
- if (!report)
+ if (!report || report->maxfield < 1 || !report->field[0])
return 0;
return report->field[0]->report_count + 1;
--
2.34.1Hello,
Thanks for the feedback.
Best regards
Kery
Kery Qi <qikeyu2017@gmail.com> 于2026年1月15日周四 22:24写道:
>
> Add validation for report->maxfield and report->field[0] before
> dereferencing to prevent NULL pointer dereference.
>
> The HID report descriptor is provided by the USB device firmware via
> USB control transfer (GET_DESCRIPTOR). A malicious device can craft
> a descriptor that defines an OUTPUT report without any usages
> (padding fields). When the HID subsystem parses such a descriptor:
>
> 1. hid_add_field() calls hid_register_report() to create the report
> object and stores it in report_id_hash[id]
> 2. Since parser->local.usage_index is 0, hid_add_field() returns early
> without calling hid_register_field() to add any fields
> 3. Result: report exists with maxfield=0 and field[0]=NULL
>
> When hidpp_probe() is called for a device matching this driver:
> - hidpp_validate_device() calls hidpp_get_report_length()
> - hidpp_get_report_length() retrieves the report from hash (not NULL)
> - It then dereferences report->field[0]->report_count
> - Since field[0] is NULL, this triggers a kernel NULL pointer
> dereference
>
> Data flow from attacker to crash:
> Malicious USB Device
> |
> v (USB GET_DESCRIPTOR control transfer)
> hid_get_class_descriptor() -- reads HID report descriptor from device
> |
> v
> hid_parse_report() -- stores descriptor in hid->dev_rdesc
> |
> v
> hid_open_report() -> hid_add_field()
> | |
> | v
> | hid_register_report() -- creates report, maxfield=0
> | |
> | v
> | returns early if usage_index==0, no field added
> |
> v
> hidpp_validate_device() -> hidpp_get_report_length()
> |
> v
> report->field[0]->report_count -- NULL pointer dereference!
>
> This is triggerable by an attacker with physical access using a
> malicious USB device (e.g., BadUSB, programmable USB development
> boards).
>
> Fixes: d71b18f7c7999 ("HID: logitech-hidpp: do not hardcode very long report length")
> Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
> ---
> drivers/hid/hid-logitech-hidpp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
> index d5011a5d0890..02ddbd658e89 100644
> --- a/drivers/hid/hid-logitech-hidpp.c
> +++ b/drivers/hid/hid-logitech-hidpp.c
> @@ -4314,7 +4314,7 @@ static int hidpp_get_report_length(struct hid_device *hdev, int id)
>
> re = &(hdev->report_enum[HID_OUTPUT_REPORT]);
> report = re->report_id_hash[id];
> - if (!report)
> + if (!report || report->maxfield < 1 || !report->field[0])
> return 0;
>
> return report->field[0]->report_count + 1;
> --
> 2.34.1
>
On Thu, 2026-01-15 at 22:24 +0800, Kery Qi wrote: <snip> > - if (!report) > + if (!report || report->maxfield < 1 || !report->field[0]) A partial fix already exists in the for-next branch: https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git/commit/?h=for-next&id=1547d41f9f19d691c2c9ce4c29f746297baef9e9 You'll probably want to rebase and adapt your fix. See also this review by GregKH for v1: https://patchwork.kernel.org/project/linux-input/patch/20260109105912.3141960-2-gnoack@google.com/ Cheers > return 0; > > return report->field[0]->report_count + 1;
© 2016 - 2026 Red Hat, Inc.