From: Qasim Ijaz <qasdev00@gmail.com>
To: Jiri Kosina <jikos@kernel.org>
Cc: bentiss@kernel.org, gargaditya08@live.com, jirislaby@kernel.org,
linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH v2] HID: appletb-kbd: fix memory corruption of input_handler_list
Date: Thu, 3 Jul 2025 10:31:39 +0100 [thread overview]
Message-ID: <aGZN-0aYscZMYpld@gmail.com> (raw)
In-Reply-To: <qp120s01-q22q-52rr-97n2-or6o30n1qrqq@xreary.bet>
On Thu, Jul 03, 2025 at 09:38:27AM +0200, Jiri Kosina wrote:
> On Fri, 27 Jun 2025, Qasim Ijaz wrote:
>
> > In appletb_kbd_probe an input handler is initialised and then registered
> > with input core through input_register_handler(). When this happens input
> > core will add the input handler (specifically its node) to the global
> > input_handler_list. The input_handler_list is central to the functionality
> > of input core and is traversed in various places in input core. An example
> > of this is when a new input device is plugged in and gets registered with
> > input core.
> >
> > The input_handler in probe is allocated as device managed memory. If a
> > probe failure occurs after input_register_handler() the input_handler
> > memory is freed, yet it will remain in the input_handler_list. This
> > effectively means the input_handler_list contains a dangling pointer
> > to data belonging to a freed input handler.
> >
> > This causes an issue when any other input device is plugged in - in my
> > case I had an old PixArt HP USB optical mouse and I decided to
> > plug it in after a failure occurred after input_register_handler().
> > This led to the registration of this input device via
> > input_register_device which involves traversing over every handler
> > in the corrupted input_handler_list and calling input_attach_handler(),
> > giving each handler a chance to bind to the newly registered device.
> >
> > The core of this bug is a UAF which causes memory corruption of
> > input_handler_list, and to fix it we must ensure the input handler is
> > unregistered from input core; this is done through
> > input_unregister_handler().
>
> Applied to hid.git#for-6.16/upstream-fixes, thanks!
Thanks Jiri, would it also be possible to apply this one too:
<https://lore.kernel.org/all/20250624125256.20473-1-qasdev00@gmail.com/>
It's a bug fix I sent before this a while back, but I think it may have been buried
deep down in your inbox, causing you to miss it.
Thanks,
Qasim
>
> --
> Jiri Kosina
> SUSE Labs
>
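The failure mode the quoted commit message describes, as an added userspace model that is not the driver's, the input core's or the patch author's code: a handler allocated as device-managed memory is linked into a global list when it is registered, probe fails afterwards, and devm frees the memory while the global list still points at it. Everything here is a stand-in: register_handler, unregister_handler, devm_alloc_handler, devm_release_all, driver_probe, probe_buggy, probe_fixed and dangling_after_late_failure are this model's own names, not the real input_register_handler()/input_unregister_handler() or the devm implementation, and the single-linked list stands in for the kernel's list_head.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_HANDLERS 8

/* Stand-in for struct input_handler: only the list linkage matters. */
struct handler { struct handler *next; };

/* Stand-in for input core's global input_handler_list. */
static struct handler *handler_list;

/* Stand-in for devm: the driver core frees these after probe() fails.
 * Freed addresses are recorded so the walk below compares addresses
 * only and never dereferences freed memory. */
static struct handler *devm_allocs[MAX_HANDLERS];
static int devm_count;
static uintptr_t freed_addrs[MAX_HANDLERS];
static int freed_count;

static void register_handler(struct handler *h)
{
    h->next = handler_list;
    handler_list = h;
}

static void unregister_handler(struct handler *h)
{
    for (struct handler **pp = &handler_list; *pp; pp = &(*pp)->next)
        if (*pp == h) { *pp = h->next; return; }
}

static struct handler *devm_alloc_handler(void)
{
    struct handler *h = devm_count < MAX_HANDLERS ? calloc(1, sizeof *h) : NULL;
    if (h) devm_allocs[devm_count++] = h;
    return h;
}

/* Driver core behaviour once probe() has returned an error. */
static void devm_release_all(void)
{
    while (devm_count > 0) {
        struct handler *h = devm_allocs[--devm_count];
        if (freed_count < MAX_HANDLERS)
            freed_addrs[freed_count++] = (uintptr_t)h;
        free(h);
    }
}

/* Buggy shape: failing after registration leaves the handler on the list. */
static int probe_buggy(bool fail_after_register)
{
    struct handler *h = devm_alloc_handler();
    if (!h) return -1;
    register_handler(h);
    return fail_after_register ? -1 : 0;  /* BUG: still registered on failure */
}

/* Fixed shape: the error path unregisters before devm frees the memory. */
static int probe_fixed(bool fail_after_register)
{
    struct handler *h = devm_alloc_handler();
    if (!h) return -1;
    register_handler(h);
    if (!fail_after_register)
        return 0;
    unregister_handler(h);  /* undo the registration before returning the error */
    return -1;
}

/* Driver core: call probe(), then run devm cleanup if it failed. */
static int driver_probe(int (*probe)(bool), bool fail_after_register)
{
    int ret = probe(fail_after_register);
    if (ret) devm_release_all();
    return ret;
}

/* The walk input_register_device() does over every handler, cut short at
 * the first node whose address devm already freed (that is the UAF). */
static int count_dangling_handlers(void)
{
    for (struct handler *h = handler_list; h; h = h->next)
        for (int i = 0; i < freed_count; i++)
            if ((uintptr_t)h == freed_addrs[i])
                return 1;
    return 0;
}

/* Reset the model, run one probe that fails after registration, and report
 * whether the global list now points at freed memory. */
static int dangling_after_late_failure(int (*probe)(bool))
{
    handler_list = NULL;
    devm_count = freed_count = 0;
    driver_probe(probe, true);
    return count_dangling_handlers();
}
```

dangling_after_late_failure(probe_buggy) returns 1 (the list still holds the freed node, which the next device registration would dereference) and dangling_after_late_failure(probe_fixed) returns 0. The general point the model makes is the ordering constraint behind the fix: devm runs only after probe() has returned, so anything probe() has linked into a structure that outlives the device must be unlinked on every error path that follows the registration.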