From: l1za0.sec@gmail.com
To: jikos@kernel.org, benjamin.tissoires@redhat.com
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] HID: u2fzero: fix general protection fault in u2fzero_recv
Date: Tue, 21 Apr 2026 21:48:18 +0800 [thread overview]
Message-ID: <20260421134824.35027-1-l1za0.sec@gmail.com> (raw)
From: Haocheng Yu <l1za0.sec@gmail.com>
A general protection fault in u2fzero_recv is reported by a
modified Syzkaller-based kernel fuzzing tool we developed.
The cause is that u2fzero_probe() calls the u2fzero_fill_in_urb()
function but ignores its return value. When the urb setting fails,
dev->urb remains NULL, but u2fzero_probe() continues to run. When
`dev->urb->context = &ctx;` in u2fzero_recv() is executed, the
KASAN null pointer dereference crash will occur.
To fix this vulnerability, I added a check for the return value of
u2fzero_fill_in_urb() and aborted u2fzero_probe() on error. And I
added a NULL value check for dev->urb in u2fzero_recv() to further
ensure its integrity.
Signed-off-by: Haocheng Yu <l1za0.sec@gmail.com>
---
drivers/hid/hid-u2fzero.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c
index 744a91e6e78c..c51f6dd80635 100644
--- a/drivers/hid/hid-u2fzero.c
+++ b/drivers/hid/hid-u2fzero.c
@@ -134,6 +134,12 @@ static int u2fzero_recv(struct u2fzero_device *dev,
memcpy(dev->buf_out, req, sizeof(struct u2f_hid_report));
+ if (!dev->urb) {
+ hid_err(hdev, "recv called without initialized URB");
+ ret = -ENODEV;
+ goto err;
+ }
+
dev->urb->context = &ctx;
init_completion(&ctx.done);
@@ -341,7 +347,11 @@ static int u2fzero_probe(struct hid_device *hdev,
if (ret)
return ret;
- u2fzero_fill_in_urb(dev);
+ ret = u2fzero_fill_in_urb(dev);
+ if (ret) {
+ hid_hw_stop(hdev);
+ return ret;
+ }
dev->present = true;
base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa
--
2.51.0
next reply other threads:[~2026-04-21 13:48 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-21 13:48 l1za0.sec [this message]
2026-05-21 14:27 ` [PATCH] HID: u2fzero: fix general protection fault in u2fzero_recv Benjamin Tissoires
2026-05-22 2:01 ` Li Zao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260421134824.35027-1-l1za0.sec@gmail.com \
--to=l1za0.sec@gmail.com \
--cc=benjamin.tissoires@redhat.com \
--cc=jikos@kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.