* [PATCH] HID: logitech-hidpp: fix NULL pointer dereference in hidpp_get_report_length()
[not found] <CALEuBa=E1YSo1oVxd67rBf+6bC28zQZi5HBghMmcPFHKQn2+UA@mail.gmail.com>
@ 2026-01-14 17:54 ` 齐柯宇
2026-01-15 12:03 ` Bastien Nocera
1 sibling, 0 replies; 6+ messages in thread
From: 齐柯宇 @ 2026-01-14 17:54 UTC (permalink / raw)
To: linux-kernel, linux-input
Add validation for report->maxfield and report->field[0] before
dereferencing to prevent NULL pointer dereference.
The HID report descriptor is provided by the USB device firmware via
USB control transfer (GET_DESCRIPTOR). A malicious device can craft
a descriptor that defines an OUTPUT report without any usages
(padding fields). When the HID subsystem parses such a descriptor:
1. hid_add_field() calls hid_register_report() to create the report
object and stores it in report_id_hash[id]
2. Since parser->local.usage_index is 0, hid_add_field() returns early
without calling hid_register_field() to add any fields
3. Result: report exists with maxfield=0 and field[0]=NULL
When hidpp_probe() is called for a device matching this driver:
- hidpp_validate_device() calls hidpp_get_report_length()
- hidpp_get_report_length() retrieves the report from hash (not NULL)
- It then dereferences report->field[0]->report_count
- Since field[0] is NULL, this triggers a kernel NULL pointer
dereference
Data flow from attacker to crash:
Malicious USB Device
|
v (USB GET_DESCRIPTOR control transfer)
hid_get_class_descriptor() -- reads HID report descriptor from device
|
v
hid_parse_report() -- stores descriptor in hid->dev_rdesc
|
v
hid_open_report() -> hid_add_field()
| |
| v
| hid_register_report() -- creates report, maxfield=0
| |
| v
| returns early if usage_index==0, no field added
|
v
hidpp_validate_device() -> hidpp_get_report_length()
|
v
report->field[0]->report_count -- NULL pointer dereference!
This is triggerable by an attacker with physical access using a
malicious USB device (e.g., BadUSB, programmable USB development
boards).
Fixes: d71b18f7c7999 ("HID: logitech-hidpp: do not hardcode very long
report length")
Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
---
drivers/hid/hid-logitech-hidpp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index d5011a5d0890..02ddbd658e89 100644
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -4314,7 +4314,7 @@ static int hidpp_get_report_length(struct
hid_device *hdev, int id)
re = &(hdev->report_enum[HID_OUTPUT_REPORT]);
report = re->report_id_hash[id];
- if (!report)
+ if (!report || report->maxfield < 1 || !report->field[0])
return 0;
return report->field[0]->report_count + 1;
--
2.34.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] HID: logitech-hidpp: fix NULL pointer dereference in hidpp_get_report_length()
[not found] <CALEuBa=E1YSo1oVxd67rBf+6bC28zQZi5HBghMmcPFHKQn2+UA@mail.gmail.com>
2026-01-14 17:54 ` 齐柯宇
@ 2026-01-15 12:03 ` Bastien Nocera
2026-01-15 14:17 ` 齐柯宇
1 sibling, 1 reply; 6+ messages in thread
From: Bastien Nocera @ 2026-01-15 12:03 UTC (permalink / raw)
To: 齐柯宇, jikos, bentiss
Cc: lains, hansg, linux-input, linux-kernel
Hello,
Patch looks good, but you will need to resend it as plain text, as per
the submitting patches documentation:
https://www.kernel.org/doc/html/v6.17/process/submitting-patches.html#no-mime-no-links-no-compression-no-attachments-just-plain-text
Regards
On Thu, 2026-01-15 at 01:48 +0800, 齐柯宇 wrote:
> Add validation for report->maxfield and report->field[0] before
> dereferencing to prevent NULL pointer dereference.
>
> The HID report descriptor is provided by the USB device firmware via
> USB control transfer (GET_DESCRIPTOR). A malicious device can craft
> a descriptor that defines an OUTPUT report without any usages
> (padding fields). When the HID subsystem parses such a descriptor:
>
> 1. hid_add_field() calls hid_register_report() to create the report
> object and stores it in report_id_hash[id]
> 2. Since parser->local.usage_index is 0, hid_add_field() returns
> early
> without calling hid_register_field() to add any fields
> 3. Result: report exists with maxfield=0 and field[0]=NULL
>
> When hidpp_probe() is called for a device matching this driver:
> - hidpp_validate_device() calls hidpp_get_report_length()
> - hidpp_get_report_length() retrieves the report from hash (not
> NULL)
> - It then dereferences report->field[0]->report_count
> - Since field[0] is NULL, this triggers a kernel NULL pointer
> dereference
>
> Data flow from attacker to crash:
> Malicious USB Device
> |
> v (USB GET_DESCRIPTOR control transfer)
> hid_get_class_descriptor() -- reads HID report descriptor from
> device
> |
> v
> hid_parse_report() -- stores descriptor in hid->dev_rdesc
> |
> v
> hid_open_report() -> hid_add_field()
> | |
> | v
> | hid_register_report() -- creates report,
> maxfield=0
> | |
> | v
> | returns early if usage_index==0, no field added
> |
> v
> hidpp_validate_device() -> hidpp_get_report_length()
> |
> v
> report->field[0]->report_count -- NULL pointer dereference!
>
> This is triggerable by an attacker with physical access using a
> malicious USB device (e.g., BadUSB, programmable USB development
> boards).
>
> Fixes: d71b18f7c7999 ("HID: logitech-hidpp: do not hardcode very long
> report length")
> Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
> ---
> drivers/hid/hid-logitech-hidpp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-
> logitech-hidpp.c
> index d5011a5d0890..02ddbd658e89 100644
> --- a/drivers/hid/hid-logitech-hidpp.c
> +++ b/drivers/hid/hid-logitech-hidpp.c
> @@ -4314,7 +4314,7 @@ static int hidpp_get_report_length(struct
> hid_device *hdev, int id)
>
> re = &(hdev->report_enum[HID_OUTPUT_REPORT]);
> report = re->report_id_hash[id];
> - if (!report)
> + if (!report || report->maxfield < 1 || !report->field[0])
> return 0;
>
> return report->field[0]->report_count + 1;
> --
> 2.34.1
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] HID: logitech-hidpp: fix NULL pointer dereference in hidpp_get_report_length()
2026-01-15 12:03 ` Bastien Nocera
@ 2026-01-15 14:17 ` 齐柯宇
0 siblings, 0 replies; 6+ messages in thread
From: 齐柯宇 @ 2026-01-15 14:17 UTC (permalink / raw)
To: Bastien Nocera; +Cc: jikos, bentiss, lains, hansg, linux-input, linux-kernel
Hello,
Thank you for the review. I apologize for the format issue and will
resend the patch as plain text following the documentation guidelines.
Best regards,
Kery
Bastien Nocera <hadess@hadess.net> 于2026年1月15日周四 20:03写道:
>
> Hello,
>
> Patch looks good, but you will need to resend it as plain text, as per
> the submitting patches documentation:
> https://www.kernel.org/doc/html/v6.17/process/submitting-patches.html#no-mime-no-links-no-compression-no-attachments-just-plain-text
>
> Regards
>
> On Thu, 2026-01-15 at 01:48 +0800, 齐柯宇 wrote:
> > Add validation for report->maxfield and report->field[0] before
> > dereferencing to prevent NULL pointer dereference.
> >
> > The HID report descriptor is provided by the USB device firmware via
> > USB control transfer (GET_DESCRIPTOR). A malicious device can craft
> > a descriptor that defines an OUTPUT report without any usages
> > (padding fields). When the HID subsystem parses such a descriptor:
> >
> > 1. hid_add_field() calls hid_register_report() to create the report
> > object and stores it in report_id_hash[id]
> > 2. Since parser->local.usage_index is 0, hid_add_field() returns
> > early
> > without calling hid_register_field() to add any fields
> > 3. Result: report exists with maxfield=0 and field[0]=NULL
> >
> > When hidpp_probe() is called for a device matching this driver:
> > - hidpp_validate_device() calls hidpp_get_report_length()
> > - hidpp_get_report_length() retrieves the report from hash (not
> > NULL)
> > - It then dereferences report->field[0]->report_count
> > - Since field[0] is NULL, this triggers a kernel NULL pointer
> > dereference
> >
> > Data flow from attacker to crash:
> > Malicious USB Device
> > |
> > v (USB GET_DESCRIPTOR control transfer)
> > hid_get_class_descriptor() -- reads HID report descriptor from
> > device
> > |
> > v
> > hid_parse_report() -- stores descriptor in hid->dev_rdesc
> > |
> > v
> > hid_open_report() -> hid_add_field()
> > | |
> > | v
> > | hid_register_report() -- creates report,
> > maxfield=0
> > | |
> > | v
> > | returns early if usage_index==0, no field added
> > |
> > v
> > hidpp_validate_device() -> hidpp_get_report_length()
> > |
> > v
> > report->field[0]->report_count -- NULL pointer dereference!
> >
> > This is triggerable by an attacker with physical access using a
> > malicious USB device (e.g., BadUSB, programmable USB development
> > boards).
> >
> > Fixes: d71b18f7c7999 ("HID: logitech-hidpp: do not hardcode very long
> > report length")
> > Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
> > ---
> > drivers/hid/hid-logitech-hidpp.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-
> > logitech-hidpp.c
> > index d5011a5d0890..02ddbd658e89 100644
> > --- a/drivers/hid/hid-logitech-hidpp.c
> > +++ b/drivers/hid/hid-logitech-hidpp.c
> > @@ -4314,7 +4314,7 @@ static int hidpp_get_report_length(struct
> > hid_device *hdev, int id)
> >
> > re = &(hdev->report_enum[HID_OUTPUT_REPORT]);
> > report = re->report_id_hash[id];
> > - if (!report)
> > + if (!report || report->maxfield < 1 || !report->field[0])
> > return 0;
> >
> > return report->field[0]->report_count + 1;
> > --
> > 2.34.1
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH] HID: logitech-hidpp: fix NULL pointer dereference in hidpp_get_report_length()
@ 2026-01-15 14:24 Kery Qi
2026-01-15 14:42 ` Bastien Nocera
2026-01-15 15:20 ` 齐柯宇
0 siblings, 2 replies; 6+ messages in thread
From: Kery Qi @ 2026-01-15 14:24 UTC (permalink / raw)
To: jikos, bentiss; +Cc: lains, hadess, hansg, linux-input, linux-kernel, Kery Qi
Add validation for report->maxfield and report->field[0] before
dereferencing to prevent NULL pointer dereference.
The HID report descriptor is provided by the USB device firmware via
USB control transfer (GET_DESCRIPTOR). A malicious device can craft
a descriptor that defines an OUTPUT report without any usages
(padding fields). When the HID subsystem parses such a descriptor:
1. hid_add_field() calls hid_register_report() to create the report
object and stores it in report_id_hash[id]
2. Since parser->local.usage_index is 0, hid_add_field() returns early
without calling hid_register_field() to add any fields
3. Result: report exists with maxfield=0 and field[0]=NULL
When hidpp_probe() is called for a device matching this driver:
- hidpp_validate_device() calls hidpp_get_report_length()
- hidpp_get_report_length() retrieves the report from hash (not NULL)
- It then dereferences report->field[0]->report_count
- Since field[0] is NULL, this triggers a kernel NULL pointer
dereference
Data flow from attacker to crash:
Malicious USB Device
|
v (USB GET_DESCRIPTOR control transfer)
hid_get_class_descriptor() -- reads HID report descriptor from device
|
v
hid_parse_report() -- stores descriptor in hid->dev_rdesc
|
v
hid_open_report() -> hid_add_field()
| |
| v
| hid_register_report() -- creates report, maxfield=0
| |
| v
| returns early if usage_index==0, no field added
|
v
hidpp_validate_device() -> hidpp_get_report_length()
|
v
report->field[0]->report_count -- NULL pointer dereference!
This is triggerable by an attacker with physical access using a
malicious USB device (e.g., BadUSB, programmable USB development
boards).
Fixes: d71b18f7c7999 ("HID: logitech-hidpp: do not hardcode very long report length")
Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
---
drivers/hid/hid-logitech-hidpp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index d5011a5d0890..02ddbd658e89 100644
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -4314,7 +4314,7 @@ static int hidpp_get_report_length(struct hid_device *hdev, int id)
re = &(hdev->report_enum[HID_OUTPUT_REPORT]);
report = re->report_id_hash[id];
- if (!report)
+ if (!report || report->maxfield < 1 || !report->field[0])
return 0;
return report->field[0]->report_count + 1;
--
2.34.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] HID: logitech-hidpp: fix NULL pointer dereference in hidpp_get_report_length()
2026-01-15 14:24 [PATCH] HID: logitech-hidpp: fix NULL pointer dereference in hidpp_get_report_length() Kery Qi
@ 2026-01-15 14:42 ` Bastien Nocera
2026-01-15 15:20 ` 齐柯宇
1 sibling, 0 replies; 6+ messages in thread
From: Bastien Nocera @ 2026-01-15 14:42 UTC (permalink / raw)
To: Kery Qi, jikos, bentiss; +Cc: lains, hansg, linux-input, linux-kernel
On Thu, 2026-01-15 at 22:24 +0800, Kery Qi wrote:
<snip>
> - if (!report)
> + if (!report || report->maxfield < 1 || !report->field[0])
A partial fix already exists in the for-next branch:
https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git/commit/?h=for-next&id=1547d41f9f19d691c2c9ce4c29f746297baef9e9
You'll probably want to rebase and adapt your fix. See also this review
by GregKH for v1:
https://patchwork.kernel.org/project/linux-input/patch/20260109105912.3141960-2-gnoack@google.com/
Cheers
> return 0;
>
> return report->field[0]->report_count + 1;
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] HID: logitech-hidpp: fix NULL pointer dereference in hidpp_get_report_length()
2026-01-15 14:24 [PATCH] HID: logitech-hidpp: fix NULL pointer dereference in hidpp_get_report_length() Kery Qi
2026-01-15 14:42 ` Bastien Nocera
@ 2026-01-15 15:20 ` 齐柯宇
1 sibling, 0 replies; 6+ messages in thread
From: 齐柯宇 @ 2026-01-15 15:20 UTC (permalink / raw)
To: jikos, bentiss; +Cc: Bastien Nocera, lains, linux-input, linux-kernel, hansg
Hello,
Thanks for the feedback.
Best regards
Kery
Kery Qi <qikeyu2017@gmail.com> 于2026年1月15日周四 22:24写道:
>
> Add validation for report->maxfield and report->field[0] before
> dereferencing to prevent NULL pointer dereference.
>
> The HID report descriptor is provided by the USB device firmware via
> USB control transfer (GET_DESCRIPTOR). A malicious device can craft
> a descriptor that defines an OUTPUT report without any usages
> (padding fields). When the HID subsystem parses such a descriptor:
>
> 1. hid_add_field() calls hid_register_report() to create the report
> object and stores it in report_id_hash[id]
> 2. Since parser->local.usage_index is 0, hid_add_field() returns early
> without calling hid_register_field() to add any fields
> 3. Result: report exists with maxfield=0 and field[0]=NULL
>
> When hidpp_probe() is called for a device matching this driver:
> - hidpp_validate_device() calls hidpp_get_report_length()
> - hidpp_get_report_length() retrieves the report from hash (not NULL)
> - It then dereferences report->field[0]->report_count
> - Since field[0] is NULL, this triggers a kernel NULL pointer
> dereference
>
> Data flow from attacker to crash:
> Malicious USB Device
> |
> v (USB GET_DESCRIPTOR control transfer)
> hid_get_class_descriptor() -- reads HID report descriptor from device
> |
> v
> hid_parse_report() -- stores descriptor in hid->dev_rdesc
> |
> v
> hid_open_report() -> hid_add_field()
> | |
> | v
> | hid_register_report() -- creates report, maxfield=0
> | |
> | v
> | returns early if usage_index==0, no field added
> |
> v
> hidpp_validate_device() -> hidpp_get_report_length()
> |
> v
> report->field[0]->report_count -- NULL pointer dereference!
>
> This is triggerable by an attacker with physical access using a
> malicious USB device (e.g., BadUSB, programmable USB development
> boards).
>
> Fixes: d71b18f7c7999 ("HID: logitech-hidpp: do not hardcode very long report length")
> Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
> ---
> drivers/hid/hid-logitech-hidpp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
> index d5011a5d0890..02ddbd658e89 100644
> --- a/drivers/hid/hid-logitech-hidpp.c
> +++ b/drivers/hid/hid-logitech-hidpp.c
> @@ -4314,7 +4314,7 @@ static int hidpp_get_report_length(struct hid_device *hdev, int id)
>
> re = &(hdev->report_enum[HID_OUTPUT_REPORT]);
> report = re->report_id_hash[id];
> - if (!report)
> + if (!report || report->maxfield < 1 || !report->field[0])
> return 0;
>
> return report->field[0]->report_count + 1;
> --
> 2.34.1
>
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-01-15 15:20 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-15 14:24 [PATCH] HID: logitech-hidpp: fix NULL pointer dereference in hidpp_get_report_length() Kery Qi
2026-01-15 14:42 ` Bastien Nocera
2026-01-15 15:20 ` 齐柯宇
[not found] <CALEuBa=E1YSo1oVxd67rBf+6bC28zQZi5HBghMmcPFHKQn2+UA@mail.gmail.com>
2026-01-14 17:54 ` 齐柯宇
2026-01-15 12:03 ` Bastien Nocera
2026-01-15 14:17 ` 齐柯宇
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox