[PATCH] HID: u2fzero: fix general protection fault in u2fzero_recv

[PATCH] HID: u2fzero: fix general protection fault in u2fzero_recv

[l1za0.sec]

From: Haocheng Yu <l1za0.sec@gmail.com>

A general protection fault in u2fzero_recv is reported by a
modified Syzkaller-based kernel fuzzing tool we developed.

The cause is that u2fzero_probe() calls the u2fzero_fill_in_urb()
function but ignores its return value. When the urb setting fails,
dev->urb remains NULL, but u2fzero_probe() continues to run. When
`dev->urb->context = &ctx;` in u2fzero_recv() is executed, the
KASAN null pointer dereference crash will occur.

To fix this vulnerability, I added a check for the return value of
u2fzero_fill_in_urb() and aborted u2fzero_probe() on error. And I
added a NULL value check for dev->urb in u2fzero_recv() to further
ensure its integrity.

Signed-off-by: Haocheng Yu <l1za0.sec@gmail.com>
---
 drivers/hid/hid-u2fzero.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c
index 744a91e6e78c..c51f6dd80635 100644
--- a/drivers/hid/hid-u2fzero.c
+++ b/drivers/hid/hid-u2fzero.c
@@ -134,6 +134,12 @@ static int u2fzero_recv(struct u2fzero_device *dev,
 
 	memcpy(dev->buf_out, req, sizeof(struct u2f_hid_report));
 
+	if (!dev->urb) {
+		hid_err(hdev, "recv called without initialized URB");
+		ret = -ENODEV;
+		goto err;
+	}
+
 	dev->urb->context = &ctx;
 	init_completion(&ctx.done);
 
@@ -341,7 +347,11 @@ static int u2fzero_probe(struct hid_device *hdev,
 	if (ret)
 		return ret;
 
-	u2fzero_fill_in_urb(dev);
+	ret = u2fzero_fill_in_urb(dev);
+	if (ret) {
+		hid_hw_stop(hdev);
+		return ret;
+	}
 
 	dev->present = true;
 

base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa
-- 
2.51.0