[PATCH] HID: u2fzero: fix general protection fault in u2fzero

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] HID: u2fzero: fix general protection fault in u2fzero_recv
@ 2026-04-21 13:48 l1za0.sec
  2026-05-21 14:27 ` Benjamin Tissoires
  0 siblings, 1 reply; 3+ messages in thread
From: l1za0.sec @ 2026-04-21 13:48 UTC (permalink / raw)
  To: jikos, benjamin.tissoires; +Cc: linux-input, linux-kernel

From: Haocheng Yu <l1za0.sec@gmail.com>

A general protection fault in u2fzero_recv is reported by a
modified Syzkaller-based kernel fuzzing tool we developed.

The cause is that u2fzero_probe() calls the u2fzero_fill_in_urb()
function but ignores its return value. When the urb setting fails,
dev->urb remains NULL, but u2fzero_probe() continues to run. When
`dev->urb->context = &ctx;` in u2fzero_recv() is executed, the
KASAN null pointer dereference crash will occur.

To fix this vulnerability, I added a check for the return value of
u2fzero_fill_in_urb() and aborted u2fzero_probe() on error. And I
added a NULL value check for dev->urb in u2fzero_recv() to further
ensure its integrity.

Signed-off-by: Haocheng Yu <l1za0.sec@gmail.com>
---
 drivers/hid/hid-u2fzero.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c
index 744a91e6e78c..c51f6dd80635 100644
--- a/drivers/hid/hid-u2fzero.c
+++ b/drivers/hid/hid-u2fzero.c
@@ -134,6 +134,12 @@ static int u2fzero_recv(struct u2fzero_device *dev,

 	memcpy(dev->buf_out, req, sizeof(struct u2f_hid_report));

+	if (!dev->urb) {
+		hid_err(hdev, "recv called without initialized URB");
+		ret = -ENODEV;
+		goto err;
+	}
+
 	dev->urb->context = &ctx;
 	init_completion(&ctx.done);

@@ -341,7 +347,11 @@ static int u2fzero_probe(struct hid_device *hdev,
 	if (ret)
 		return ret;

-	u2fzero_fill_in_urb(dev);
+	ret = u2fzero_fill_in_urb(dev);
+	if (ret) {
+		hid_hw_stop(hdev);
+		return ret;
+	}

 	dev->present = true;

base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa
-- 
2.51.0

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] HID: u2fzero: fix general protection fault in u2fzero_recv
  2026-04-21 13:48 [PATCH] HID: u2fzero: fix general protection fault in u2fzero_recv l1za0.sec
@ 2026-05-21 14:27 ` Benjamin Tissoires
  2026-05-22  2:01   ` Li Zao
  0 siblings, 1 reply; 3+ messages in thread
From: Benjamin Tissoires @ 2026-05-21 14:27 UTC (permalink / raw)
  To: l1za0.sec; +Cc: jikos, benjamin.tissoires, linux-input, linux-kernel


Hi,

Thanks for the patch and sorry for the delay.

On Apr 21 2026, l1za0.sec@gmail.com wrote:
> From: Haocheng Yu <l1za0.sec@gmail.com>
> 
> A general protection fault in u2fzero_recv is reported by a
> modified Syzkaller-based kernel fuzzing tool we developed.
> 
> The cause is that u2fzero_probe() calls the u2fzero_fill_in_urb()
> function but ignores its return value. When the urb setting fails,
> dev->urb remains NULL, but u2fzero_probe() continues to run. When
> `dev->urb->context = &ctx;` in u2fzero_recv() is executed, the
> KASAN null pointer dereference crash will occur.
> 
> To fix this vulnerability, I added a check for the return value of
> u2fzero_fill_in_urb() and aborted u2fzero_probe() on error. And I
> added a NULL value check for dev->urb in u2fzero_recv() to further
> ensure its integrity.

Couple of things:
- sorry, but a couple of days later someone else send a patch to tackle
  the same problem at a better level IMO:
  https://lore.kernel.org/linux-input/20260424-u2fzero-probe-urb-unwind-v1-1-mhun512@gmail.com/
  So I'm going to take this one instead of yours. I would appreciate if
  you can confirm this fixes your current reproducer.

- Your commit description is not great. Please have a look at
  Documentation/process/submitting-patches.rst The thing that made me
  notice this is the non imperative form (quoting
  submitting-patches.rst):
  """
  Describe your changes in imperative mood,
  e.g. "make xyzzy do frotz" instead of "[This patch] makes xyzzy do
  frotz" or "[I] changed xyzzy to do frotz", as if you are giving orders
  to the codebase to change its behaviour.
  """
  The paragraph above is also hard to follow but valuable for
  understanding why it needs to be fixed.

Again, in the end the problem is that is dev->urb is NULL, there are
little chances the system is healthy and the device will work correctly,
so it's best to bail out early in probe like the other patch I
mentioned.

Cheers,
Benjamin

> 
> Signed-off-by: Haocheng Yu <l1za0.sec@gmail.com>
> ---
>  drivers/hid/hid-u2fzero.c | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c
> index 744a91e6e78c..c51f6dd80635 100644
> --- a/drivers/hid/hid-u2fzero.c
> +++ b/drivers/hid/hid-u2fzero.c
> @@ -134,6 +134,12 @@ static int u2fzero_recv(struct u2fzero_device *dev,
>  
>  	memcpy(dev->buf_out, req, sizeof(struct u2f_hid_report));
>  
> +	if (!dev->urb) {
> +		hid_err(hdev, "recv called without initialized URB");
> +		ret = -ENODEV;
> +		goto err;
> +	}
> +
>  	dev->urb->context = &ctx;
>  	init_completion(&ctx.done);
>  
> @@ -341,7 +347,11 @@ static int u2fzero_probe(struct hid_device *hdev,
>  	if (ret)
>  		return ret;
>  
> -	u2fzero_fill_in_urb(dev);
> +	ret = u2fzero_fill_in_urb(dev);
> +	if (ret) {
> +		hid_hw_stop(hdev);
> +		return ret;
> +	}
>  
>  	dev->present = true;
>  
> 
> base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa
> -- 
> 2.51.0
> 
> 

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] HID: u2fzero: fix general protection fault in u2fzero_recv
  2026-05-21 14:27 ` Benjamin Tissoires
@ 2026-05-22  2:01   ` Li Zao
  0 siblings, 0 replies; 3+ messages in thread
From: Li Zao @ 2026-05-22  2:01 UTC (permalink / raw)
  To: Benjamin Tissoires; +Cc: jikos, benjamin.tissoires, linux-input, linux-kernel

> Couple of things:
> - sorry, but a couple of days later someone else send a patch to tackle
>   the same problem at a better level IMO:
>   https://lore.kernel.org/linux-input/20260424-u2fzero-probe-urb-unwind-v1-1-mhun512@gmail.com/
>   So I'm going to take this one instead of yours. I would appreciate if
>   you can confirm this fixes your current reproducer.
>
> - Your commit description is not great. Please have a look at
>   Documentation/process/submitting-patches.rst The thing that made me
>   notice this is the non imperative form (quoting
>   submitting-patches.rst):
>   """
>   Describe your changes in imperative mood,
>   e.g. "make xyzzy do frotz" instead of "[This patch] makes xyzzy do
>   frotz" or "[I] changed xyzzy to do frotz", as if you are giving orders
>   to the codebase to change its behaviour.
>   """
>   The paragraph above is also hard to follow but valuable for
>   understanding why it needs to be fixed.
>
> Again, in the end the problem is that is dev->urb is NULL, there are
> little chances the system is healthy and the device will work correctly,
> so it's best to bail out early in probe like the other patch I
> mentioned.
>
> Cheers,
> Benjamin



Hi Benjamin,

I have verified the patch against our reproducer and can confirm that
it indeed fixes the issue. And thanks for the guidance on the commit
description. That's quite useful.

BTW, would it be possible to add a "Reported-by" tag to the patch? I'm
not sure about the exact convention for this situation, since the bug
was found by our private fuzzing tool and no public report is available
on the web.

Thanks again for your time and guidance!

Best regards,
Haocheng

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-05-22  2:02 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-21 13:48 [PATCH] HID: u2fzero: fix general protection fault in u2fzero_recv l1za0.sec
2026-05-21 14:27 ` Benjamin Tissoires
2026-05-22  2:01   ` Li Zao

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.