From: Kery Qi
To: jikos@kernel.org, bentiss@kernel.org
Cc: lains@riseup.net, hadess@hadess.net, hansg@kernel.org, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, Kery Qi
Subject: [PATCH] HID: logitech-hidpp: fix NULL pointer dereference in hidpp_get_report_length()
Date: Thu, 15 Jan 2026 22:24:16 +0800
Message-ID: <20260115142417.243-1-qikeyu2017@gmail.com>

Add validation for report->maxfield and report->field[0] before
dereferencing to prevent a NULL pointer dereference.

The HID report descriptor is provided by the USB device firmware via a USB
control transfer (GET_DESCRIPTOR). A malicious device can craft a
descriptor that defines an OUTPUT report without any usages (padding
fields). When the HID subsystem parses such a descriptor:

1. hid_add_field() calls hid_register_report() to create the report
   object and stores it in report_id_hash[id]
2. Since parser->local.usage_index is 0, hid_add_field() returns early
   without calling hid_register_field() to add any fields
3. Result: report exists with maxfield=0 and field[0]=NULL

When hidpp_probe() is called for a device matching this driver:

- hidpp_validate_device() calls hidpp_get_report_length()
- hidpp_get_report_length() retrieves the report from the hash (not NULL)
- It then dereferences report->field[0]->report_count
- Since field[0] is NULL, this triggers a kernel NULL pointer dereference

Data flow from attacker to crash:

  Malicious USB Device
          |
          v  (USB GET_DESCRIPTOR control transfer)
  hid_get_class_descriptor()  -- reads HID report descriptor from device
          |
          v
  hid_parse_report()  -- stores descriptor in hid->dev_rdesc
          |
          v
  hid_open_report() -> hid_add_field()
          |                  |
          |                  v
          |         hid_register_report()  -- creates report, maxfield=0
          |                  |
          |                  v
          |         returns early if usage_index==0, no field added
          v
  hidpp_validate_device() -> hidpp_get_report_length()
          |
          v
  report->field[0]->report_count  -- NULL pointer dereference!

This is triggerable by an attacker with physical access using a malicious
USB device (e.g., BadUSB, programmable USB development boards).

Fixes: d71b18f7c7999 ("HID: logitech-hidpp: do not hardcode very long report length")
Signed-off-by: Kery Qi
---
 drivers/hid/hid-logitech-hidpp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index d5011a5d0890..02ddbd658e89 100644
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -4314,7 +4314,7 @@ static int hidpp_get_report_length(struct hid_device *hdev, int id)
 
 	re = &(hdev->report_enum[HID_OUTPUT_REPORT]);
 	report = re->report_id_hash[id];
-	if (!report)
+	if (!report || report->maxfield < 1 || !report->field[0])
 		return 0;
 
 	return report->field[0]->report_count + 1;
-- 
2.34.1
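Review bot: in the added line `+	if (!report || report->maxfield < 1 || !report->field[0])` the third clause appears redundant with the second: the commit message describes fields as being attached only through hid_register_field(), and the only failure mode it identifies is hid_add_field() returning before that call, which leaves maxfield == 0 and no field pointer at all. If fields are only ever added that way, a report with maxfield >= 1 always has field[0] set, so either `report->maxfield < 1` alone is sufficient or a one-line comment above the check should say why both conditions are tested, so the next reader does not go looking for a path that bumps maxfield without storing a field. A second point for the commit message rather than the hunk: the new early `return 0;` reuses the value already returned for a report that is not in the hash, and hidpp_validate_device() is the caller named in the description; it would help reviewers to state there that the caller treats 0 as "no such report" and that a padding-only OUTPUT report is meant to make the device fail validation the same way a missing one does, since that behaviour is not visible from this hunk.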
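As an added illustration (not the patch author's code and not the kernel's), the C program below models the parse path the commit message describes: a report object is created as soon as an Output main item is seen, and a field is attached only if a Usage item preceded it, so a padding-only Output report ends up in the hash with maxfield == 0. The two branches of sim_hidpp_get_report_length() copy the removed and the added line of the hunk. The sim_* names, the fixed-size pools that stand in for kmalloc(), and the two descriptor byte strings are all constructed for this example; only the item tags come from the HID specification.

```c
/* Simplified model of the HID core path the commit message describes
 * (descriptor bytes -> hid_register_report() -> maybe hid_register_field())
 * plus the HID++ length lookup before and after the patch. Added for this
 * page; not the kernel's code. All sim_* names are invented. */
#include <stdint.h>
#include <string.h>

enum { SIM_INPUT, SIM_OUTPUT, SIM_FEATURE, SIM_TYPES };
#define SIM_MAX_IDS 256  /* report_id_hash[] is indexed by the 8-bit Report ID */
#define SIM_POOL 16      /* fixed pools stand in for kmalloc() */

struct sim_field { unsigned report_count; };
struct sim_report { unsigned maxfield; struct sim_field *field[SIM_POOL]; };
struct sim_hid_device {
	struct { struct sim_report *report_id_hash[SIM_MAX_IDS]; } report_enum[SIM_TYPES];
	struct sim_report rpool[SIM_POOL];
	struct sim_field fpool[SIM_POOL];
	unsigned nreports, nfields;
};
struct sim_parser {
	struct sim_hid_device *dev;
	struct { unsigned report_id, report_count; } global;
	struct { unsigned usage_index; } local;  /* Usage items since the last main item */
};

/* hid_add_field(): runs for every Input/Output/Feature main item. The report
 * is looked up or created first (hid_register_report()); a main item with no
 * preceding Usage is padding and is skipped before any field is attached,
 * which is what leaves a hashed report with maxfield == 0. */
static int sim_add_field(struct sim_parser *p, unsigned type)
{
	struct sim_report **slot = &p->dev->report_enum[type].report_id_hash[p->global.report_id];
	if (!*slot) {
		if (p->dev->nreports >= SIM_POOL) return -1;
		*slot = &p->dev->rpool[p->dev->nreports++];
	}
	if (!p->local.usage_index)  /* ignore padding fields */
		return 0;
	struct sim_report *r = *slot;
	if (p->dev->nfields >= SIM_POOL || r->maxfield >= SIM_POOL) return -1;
	struct sim_field *f = &p->dev->fpool[p->dev->nfields++];
	f->report_count = p->global.report_count;
	r->field[r->maxfield++] = f;  /* hid_register_field() */
	return 0;
}

/* Walk the descriptor's short items (long items rejected); only the items
 * relevant to this bug are interpreted. Returns 0 on success. */
static int sim_parse_report(struct sim_hid_device *dev, const uint8_t *rdesc, size_t len)
{
	static const size_t item_size[4] = { 0, 1, 2, 4 };
	struct sim_parser p = { .dev = dev };
	memset(dev, 0, sizeof(*dev));
	for (size_t i = 0; i < len;) {
		uint8_t prefix = rdesc[i++];
		size_t sz = item_size[prefix & 3];
		unsigned type = (prefix >> 2) & 3, tag = prefix >> 4, data = 0;
		if (prefix == 0xfe || i + sz > len) return -1;
		for (size_t k = 0; k < sz; k++) data |= (unsigned)rdesc[i + k] << (8 * k);
		i += sz;
		if (type == 1) {               /* global: Report ID (8), Report Count (9) */
			if (tag == 8) { if (data >= SIM_MAX_IDS) return -1; p.global.report_id = data; }
			else if (tag == 9) p.global.report_count = data;
		} else if (type == 2) {        /* local: Usage (0) */
			if (tag == 0) p.local.usage_index++;
		} else if (type == 0) {        /* main: Input (8), Output (9), Feature (11) */
			int rc = tag == 8 ? sim_add_field(&p, SIM_INPUT)
			       : tag == 9 ? sim_add_field(&p, SIM_OUTPUT)
			       : tag == 11 ? sim_add_field(&p, SIM_FEATURE) : 0;
			if (rc) return rc;
			memset(&p.local, 0, sizeof(p.local));  /* locals reset after every main item */
		}
	}
	return 0;
}

/* Output-report length lookup mirroring the hunk: patched == 0 is the removed
 * line (dereferences NULL on a padding-only report, so never call it on one),
 * patched != 0 is the added line, which treats a fieldless report as absent. */
static int sim_hidpp_get_report_length(struct sim_hid_device *hdev, int id, int patched)
{
	struct sim_report *report = hdev->report_enum[SIM_OUTPUT].report_id_hash[id];
	if (!report)
		return 0;
	if (patched && (report->maxfield < 1 || !report->field[0]))
		return 0;
	return report->field[0]->report_count + 1;
}

/* Constructed descriptors, not captured from a real device. Both declare a
 * vendor Output report; only the second omits the Usage before the Output. */
static const uint8_t GOOD_RDESC[] = {
	0x06, 0x00, 0xff, 0x09, 0x01, 0xa1, 0x01,  /* Usage Page (vendor), Usage, Collection */
	0x85, 0x10, 0x75, 0x08, 0x95, 0x06,        /* Report ID 0x10, Report Size 8, Report Count 6 */
	0x09, 0x01, 0x91, 0x00,                    /* Usage (1), Output (Data): a real field */
	0xc0,                                      /* End Collection */
};
static const uint8_t BAD_RDESC[] = {
	0x06, 0x00, 0xff, 0x09, 0x01, 0xa1, 0x01,
	0x85, 0x11, 0x75, 0x08, 0x95, 0x13,        /* Report ID 0x11, Report Size 8, Report Count 19 */
	0x91, 0x01,                                /* Output (Const) with no Usage: padding only */
	0xc0,
};

/* Parse a descriptor and run the lookup for one report id; -1 on parse error. */
int report_length(const uint8_t *rdesc, size_t len, int id, int patched)
{
	struct sim_hid_device d;
	if (sim_parse_report(&d, rdesc, len)) return -1;
	return sim_hidpp_get_report_length(&d, id, patched);
}

/* 1 when the report is in the hash with maxfield == 0 and field[0] == NULL,
 * i.e. the state the unpatched lookup would dereference. */
int report_is_fieldless(const uint8_t *rdesc, size_t len, int id)
{
	struct sim_hid_device d;
	if (sim_parse_report(&d, rdesc, len)) return -1;
	struct sim_report *r = d.report_enum[SIM_OUTPUT].report_id_hash[id];
	return r && r->maxfield == 0 && r->field[0] == NULL;
}
```

With GOOD_RDESC both lookups return 7 (report count 6 plus the report ID byte); with BAD_RDESC report 0x11 is present in the hash but fieldless, and only the patched lookup can be called on it, returning 0 exactly as it would for an ID that was never declared.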