* [PATCH] Input: uinput/uhid - disallow control characters in phys paths
@ 2026-07-17 4:49 Peter Hutterer
2026-07-17 5:07 ` sashiko-bot
0 siblings, 1 reply; 2+ messages in thread
From: Peter Hutterer @ 2026-07-17 4:49 UTC (permalink / raw)
To: David Rheinsberg, Jiri Kosina, Benjamin Tissoires,
Dmitry Torokhov
Cc: linux-input, linux-kernel, Peter Hutterer
There is no good reason to support those, no physical device will ever
produce those. Allowing \n in phys previously triggered CVE-2026-50292
in libinput - there the PHYS udev property value was used as part of
another udev property value. The linebreak then caused the property
to be split across two lines, allowing uinput devices to inject
malicious properties. While the bug is squarely inlibinput's court
there still isn't a good reason for control characters in uinput/uhid.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
drivers/hid/uhid.c | 1 +
drivers/input/misc/uinput.c | 1 +
include/linux/input.h | 15 +++++++++++++++
3 files changed, 17 insertions(+)
diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c
index 37b60c3aaf66..baf1fe8290f7 100644
--- a/drivers/hid/uhid.c
+++ b/drivers/hid/uhid.c
@@ -513,16 +513,17 @@ static int uhid_dev_create2(struct uhid_device *uhid,
ret = PTR_ERR(hid);
goto err_free;
}
BUILD_BUG_ON(sizeof(hid->name) != sizeof(ev->u.create2.name));
strscpy(hid->name, ev->u.create2.name, sizeof(hid->name));
BUILD_BUG_ON(sizeof(hid->phys) != sizeof(ev->u.create2.phys));
strscpy(hid->phys, ev->u.create2.phys, sizeof(hid->phys));
+ input_sanitize_phys(hid->phys);
BUILD_BUG_ON(sizeof(hid->uniq) != sizeof(ev->u.create2.uniq));
strscpy(hid->uniq, ev->u.create2.uniq, sizeof(hid->uniq));
hid->ll_driver = &uhid_hid_driver;
hid->bus = ev->u.create2.bus;
hid->vendor = ev->u.create2.vendor;
hid->product = ev->u.create2.product;
hid->version = ev->u.create2.version;
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
index d32fa4b508fc..70fe4f3e73bf 100644
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -998,16 +998,17 @@ static long uinput_ioctl_handler(struct file *file, unsigned int cmd,
phys = strndup_user(p, 1024);
if (IS_ERR(phys)) {
retval = PTR_ERR(phys);
goto out;
}
kfree(udev->dev->phys);
+ input_sanitize_phys(phys);
udev->dev->phys = phys;
goto out;
case UI_BEGIN_FF_UPLOAD:
retval = uinput_ff_upload_from_user(p, &ff_up);
if (retval)
goto out;
diff --git a/include/linux/input.h b/include/linux/input.h
index 76f7aa226202..6c182f5c783f 100644
--- a/include/linux/input.h
+++ b/include/linux/input.h
@@ -527,16 +527,31 @@ int input_set_keycode(struct input_dev *dev,
bool input_match_device_id(const struct input_dev *dev,
const struct input_device_id *id);
void input_enable_softrepeat(struct input_dev *dev, int delay, int period);
bool input_device_enabled(struct input_dev *dev);
+/**
+ * input_sanitize_phys - replace invalid characters in a phys string
+ * @phys: the phys path to sanitize (modified in place)
+ *
+ * Replaces any control characters and non-ASCII characters with '?'.
+ **/
+static inline void input_sanitize_phys(char *phys)
+{
+ char *p;
+
+ for (p = phys; *p; p++)
+ if (*p < 0x20 || *p > 0x7e)
+ *p = '?';
+}
+
extern const struct class input_class;
/**
* struct ff_device - force-feedback part of an input device
* @upload: Called to upload an new effect into device
* @erase: Called to erase an effect from device
* @playback: Called to request device to start playing specified effect
* @set_gain: Called to set specified gain
---
base-commit: 58717b2a1365d06c8c64b72aa948541b53fe31eb
change-id: 20260717-wip-uinput-sanitize-phys-abb6cf40e577
Best regards,
--
Peter Hutterer <peter.hutterer@who-t.net>
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] Input: uinput/uhid - disallow control characters in phys paths
2026-07-17 4:49 [PATCH] Input: uinput/uhid - disallow control characters in phys paths Peter Hutterer
@ 2026-07-17 5:07 ` sashiko-bot
0 siblings, 0 replies; 2+ messages in thread
From: sashiko-bot @ 2026-07-17 5:07 UTC (permalink / raw)
To: Peter Hutterer; +Cc: dmitry.torokhov, linux-input
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] The patch provides an incomplete mitigation for CVE-2026-50292. It sanitizes the `phys` property to prevent udev property injection via control characters (newlines), but completely fails to sanitize the `name` and `uniq` properties, which are also exported to uevents and controlled by userspace.
--
--- Patch [1]: [PATCH] Input: uinput/uhid - disallow control characters in phys paths ---
commit 1a76e90e7acc09a84a52efddc46e598419020a19
Author: Peter Hutterer <peter.hutterer@who-t.net>
Input: uinput/uhid - disallow control characters in phys paths
This commit sanitizes the phys property in uinput and uhid devices to replace
control characters with '?'. This prevents userspace from injecting malicious
udev properties via newlines, which previously triggered CVE-2026-50292.
> diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c
> index 37b60c3aaf66a..baf1fe8290f75 100644
> --- a/drivers/hid/uhid.c
> +++ b/drivers/hid/uhid.c
> @@ -518,6 +518,7 @@ static int uhid_dev_create2(struct uhid_device *uhid,
> strscpy(hid->name, ev->u.create2.name, sizeof(hid->name));
> BUILD_BUG_ON(sizeof(hid->phys) != sizeof(ev->u.create2.phys));
> strscpy(hid->phys, ev->u.create2.phys, sizeof(hid->phys));
> + input_sanitize_phys(hid->phys);
> BUILD_BUG_ON(sizeof(hid->uniq) != sizeof(ev->u.create2.uniq));
> strscpy(hid->uniq, ev->u.create2.uniq, sizeof(hid->uniq));
[Severity: High]
This isn't a bug introduced by this patch, but while this successfully mitigates
CVE-2026-50292 for the phys property, does it still leave the name and uniq
properties vulnerable?
In uhid_dev_create2(), the user-controlled ev->u.create2.name and
ev->u.create2.uniq strings are copied directly without passing through a
similar sanitization function.
Additionally, in drivers/input/misc/uinput.c:uinput_dev_setup(), the name
property is also set without sanitization:
dev->name = kstrndup(setup.name, UINPUT_MAX_NAME_SIZE, GFP_KERNEL);
If a user with write access to /dev/uinput or /dev/uhid sets the name or uniq
properties to strings containing newlines, wouldn't this still allow the
injection of arbitrary udev environment variables when INPUT_ADD_HOTPLUG_VAR
formats them for uevents?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260717-wip-uinput-sanitize-phys-v1-1-f6459542ce4b@who-t.net?part=1
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-07-17 5:07 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-17 4:49 [PATCH] Input: uinput/uhid - disallow control characters in phys paths Peter Hutterer
2026-07-17 5:07 ` sashiko-bot
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.