From: 齐柯宇
Date: Thu, 15 Jan 2026 01:54:23 +0800
Subject: [PATCH] HID: logitech-hidpp: fix NULL pointer dereference in hidpp_get_report_length()
To: linux-kernel@vger.kernel.org, linux-input@vger.kernel.org

Add validation for report->maxfield and report->field[0] before
dereferencing to prevent NULL pointer dereference.

The HID report descriptor is provided by the USB device firmware via USB
control transfer (GET_DESCRIPTOR). A malicious device can craft a
descriptor that defines an OUTPUT report without any usages (padding
fields). When the HID subsystem parses such a descriptor:

1. hid_add_field() calls hid_register_report() to create the report
   object and stores it in report_id_hash[id]
2. Since parser->local.usage_index is 0, hid_add_field() returns early
   without calling hid_register_field() to add any fields
3. Result: report exists with maxfield=0 and field[0]=NULL

When hidpp_probe() is called for a device matching this driver:

- hidpp_validate_device() calls hidpp_get_report_length()
- hidpp_get_report_length() retrieves the report from hash (not NULL)
- It then dereferences report->field[0]->report_count
- Since field[0] is NULL, this triggers a kernel NULL pointer dereference

Data flow from attacker to crash:

  Malicious USB Device
          |
          v  (USB GET_DESCRIPTOR control transfer)
  hid_get_class_descriptor()  -- reads HID report descriptor from device
          |
          v
  hid_parse_report()  -- stores descriptor in hid->dev_rdesc
          |
          v
  hid_open_report() -> hid_add_field()
          |                  |
          |                  v
          |          hid_register_report()  -- creates report, maxfield=0
          |                  |
          |                  v
          |          returns early if usage_index==0, no field added
          v
  hidpp_validate_device() -> hidpp_get_report_length()
          |
          v
  report->field[0]->report_count  -- NULL pointer dereference!
This is triggerable by an attacker with physical access using a malicious
USB device (e.g., BadUSB, programmable USB development boards).

Fixes: d71b18f7c7999 ("HID: logitech-hidpp: do not hardcode very long report length")
Signed-off-by: Kery Qi
---
 drivers/hid/hid-logitech-hidpp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hi= dpp.c index d5011a5d0890..02ddbd658e89 100644 --- a/drivers/hid/hid-logitech-hidpp.c +++ b/drivers/hid/hid-logitech-hidpp.c @@ -4314,7 +4314,7 @@ static int hidpp_get_report_length(struct hid_device *hdev, int id) re =3D &(hdev->report_enum[HID_OUTPUT_REPORT]); report =3D re->report_id_hash[id]; - if (!report) + if (!report || report->maxfield < 1 || !report->field[0]) return 0; return report->field[0]->report_count + 1; -- 2.34.1
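Review bot: the new condition in the hidpp_get_report_length() hunk is correct, but the commit message should spell out the resulting behaviour: a report whose maxfield is 0 now makes the function return 0, the same value it returns for a report that does not exist at all, so the caller hidpp_validate_device() will treat the malformed report as missing instead of crashing. State whether that rejects the device outright or only skips that one report, since that is what a reviewer needs to judge the fix. On the condition itself, `report->maxfield < 1 || !report->field[0]` is belt-and-braces: as the message explains, field[0] is NULL exactly because hid_register_field() was never called and maxfield stayed 0, so once maxfield >= 1 the second test cannot fail. Keeping the redundant NULL test is fine as defensive code, but a short comment above the `if` saying that a padding-only OUTPUT report from the device leaves maxfield at 0 would save the next reader a trip through hid_add_field().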